jm33-m0 / emp3r0r

Linux/Windows post-exploitation framework made by linux user

Home Page: https://infosec.exchange/@jm33


If the get_root plug-in fails to get root, the agent will go offline.

winezer0 opened this issue · comments

Describe the bug

If the get_root plug-in fails to assign rights, the agent will go offline. Is there a more stable solution?

Thanks for reporting this, I will change its behavior.

This is actually a bug in gp-lpe. I will open an issue there. This one will be closed.

@winezer0 Please test https://github.com/jm33-m0/go-lpe/ on your system, and report the result here.

jm33-m0/go-lpe@38cdb17

Starting from this commit, go-lpe will execute all exploits in children processes, meaning emp3r0r is unlikely to exit because of the failure of lpe exploit.


generated agent today


Running lpe is no problem, but it will always prompt messages 'sleeping' and will not exit

The vulnerability should not exist


I tested get_root again, agent dies again.

There may be code that simply closes the program after spawning additional threads

> Running lpe is no problem, but it will always prompt messages 'sleeping' and will not exit

This means failing exploits don't kill calling process, they die and main process lives on. In emp3r0r this should also be the case.

> There may be code that simply closes the program after spawning additional threads

Can you capture agent log by using VERBOSE=true? See what happens before it exits. When you build the project, change the build command to ./emp3r0r --debug

> Can you capture agent log by using VERBOSE=true? See what happens before it exits. When you build the project, change the build command to ./emp3r0r --debug

VERBOSE=true ./agent Log

[www@iZ8vb34cq public]$ VERBOSE=true ./eal64s
2023/10/19 23:39:09.837376 main.go:66: emp3r0r agent has started
2023/10/19 23:39:09.841276 mem.go:61: Read 6460100 bytes from process executable
2023/10/19 23:39:09.841300 mem.go:75: Digging with magic string '40511ee53d8d9571bd3c41d756af53297727710fbe48131027b52d4a01078bedae7fced9' (36 bytes)
2023/10/19 23:39:09.843928 mem.go:89: Digged 1472 config bytes from 6460100 bytes of given data
2023/10/19 23:39:09.843944 mem.go:25: Found 1472 bytes in [kworker
2023/10/19 23:39:18.848076 set_path.go:63: PATH=/tmp/ssh-xRqsFteTmHMMaa/ATqkGwpTrAXO:usr/local/bin:usr/bin:usr/local/sbin:usr/sbin:.local/bin:bin:/bin:/sbin:/usr/bin:/usr/games:/usr/sbin:/usr/local/bin:/usr/local/sbin:/snap/bin
2023/10/19 23:39:18.857122 main.go:490: Agent seems dead: dial unix /tmp/ssh-xRqsFteTmHMMaa/wHVeAZmEqvRFMpnP: connect: connection refused
2023/10/19 23:39:18.857163 main.go:259: Failed to kill old emp3r0r os: process already finished
2023/10/19 23:39:18.857204 main.go:282: CCAddress is: https://x.x.x.x:56303/
2023/10/19 23:39:18.857533 main.go:433: /tmp/ssh-xRqsFteTmHMMaa/wHVeAZmEqvRFMpnP exists, testing connection...
2023/10/19 23:39:18.857597 main.go:490: Agent seems dead: dial unix /tmp/ssh-xRqsFteTmHMMaa/wHVeAZmEqvRFMpnP: connect: connection refused
2023/10/19 23:39:19.232851 main.go:331: [+] It seems that we have internet access, let's start a socks5 proxy to help others
2023/10/19 23:39:19.232954 tls.go:50: CA cert fingerprint: e03bec0baf40aa3db996940bf23535e1f414543fe42b572b7aef2d4691d5c502
2023/10/19 23:39:19.232964 broadcast.go:156: Broadcasting is turned off, aborting
2023/10/19 23:39:19.436201 main.go:383: Not using proxy
2023/10/19 23:39:19.436232 main.go:402: Checking in on https://x.x.x.x:56303/
2023/10/19 23:39:19.436248 util.go:82: Collecting system info for checking in
2023/10/19 23:39:19.436641 sysinfo.go:132: GetHostID: invalid UUID length: 7
2023/10/19 23:39:19.664116 sysinfo.go:173: Found 2978 executables from PATH (/tmp/ssh-xRqsFteTmHMMaa/ATqkGwpTrAXO:usr/local/bin:usr/bin:usr/local/sbin:usr/sbin:.local/bin:bin:/bin:/sbin:/usr/bin:/usr/games:/usr/sbin:/usr/local/bin:/usr/local/sbin:/snap/bin)
2023/10/19 23:39:19.664151 poll.go:31: Collected system info, now checking in (https://x.x.x.x:56303/emp3r0r/checkin/44576fab-60c6-4337-b28d-8d7846ae322e)
2023/10/19 23:39:19.664160 poll.go:108: ConnectCC: connecting to https://x.x.x.x:56303/emp3r0r/checkin/44576fab-60c6-4337-b28d-8d7846ae322e
2023/10/19 23:39:20.664890 poll.go:40: Checked in
2023/10/19 23:39:20.664910 main.go:411: Checked in on CC: https://x.x.x.x:56303/
2023/10/19 23:39:20.664936 poll.go:108: ConnectCC: connecting to https://x.x.x.x:56303/emp3r0r/msg/4735368e-e522-482c-8049-5978ee804e78
2023/10/19 23:39:21.665021 main.go:423: Connecting to CC NsgTun...
2023/10/19 23:39:21.665079 poll.go:246: Hearbeat begins
2023/10/19 23:39:21.665183 poll.go:162: Check CC response: started
2023/10/19 23:39:21.666286 poll.go:234: Hello (hellofokRlGrsFjxonxCfQUtmBKsiZSaZiPYbAVbeaioTPqHSAxxqLVJKaZBzuwochgRwZCHXGXKhHnYetpFHWZPaAwhybBUksNNsv) sent
2023/10/19 23:39:21.748486 poll.go:173: Hello (hellofokRlGrsFjxonxCfQUtmBKsiZSaZiPYbAVbeaioTPqHSAxxqLVJKaZBzuwochgRwZCHXGXKhHnYetpFHWZPaAwhybBUksNNsvh) received
2023/10/19 23:39:21.748512 poll.go:177: Hello (hellofokRlGrsFjxonxCfQUtmBKsiZSaZiPYbAVbeaioTPqHSAxxqLVJKaZBzuwochgRwZCHXGXKhHnYetpFHWZPaAwhybBUksNNsvh) acknowledged
2023/10/19 23:39:21.749538 poll.go:207: Hello (hellofokRlGrsFjxonxCfQUtmBKsiZSaZiPYbAVbeaioTPqHSAxxqLVJKaZBzuwochgRwZCHXGXKhHnYetpFHWZPaAwhybBUksNNsv) done
2023/10/19 23:39:21.749550 util.go:82: Collecting system info for checking in
2023/10/19 23:39:21.749902 sysinfo.go:132: GetHostID: invalid UUID length: 7
2023/10/19 23:39:21.977236 sysinfo.go:173: Found 2978 executables from PATH (/tmp/ssh-xRqsFteTmHMMaa/ATqkGwpTrAXO:usr/local/bin:usr/bin:usr/local/sbin:usr/sbin:.local/bin:bin:/bin:/sbin:/usr/bin:/usr/games:/usr/sbin:/usr/local/bin:/usr/local/sbin:/snap/bin)
2023/10/19 23:39:21.977283 poll.go:31: Collected system info, now checking in (https://x.x.x.x:56303/emp3r0r/checkin/7689304a-6027-4961-b331-54e81b7acf03)
2023/10/19 23:39:21.977294 poll.go:108: ConnectCC: connecting to https://x.x.x.x:56303/emp3r0r/checkin/7689304a-6027-4961-b331-54e81b7acf03
2023/10/19 23:39:22.978522 poll.go:40: Checked in
2023/10/19 23:39:22.978559 poll.go:260: Hearbeat ends
2023/10/19 23:39:27.232578 c2cmds.go:79: Got sshd request: [!sshd elvsh 58602 --]
2023/10/19 23:39:27.232839 sshd_linux.go:150: Starting SSHD on port 58602...
2023/10/19 23:39:27.433523 poll.go:108: ConnectCC: connecting to https://x.x.x.x:56303/emp3r0r/proxy/956f59b0-b716-41c4-8734-f49ed2bda87e
2023/10/19 23:39:27.569590 poll.go:108: ConnectCC: connecting to https://x.x.x.x:56303/emp3r0r/proxy/956f59b0-b716-41c4-8734-f49ed2bda87e_54190
2023/10/19 23:39:27.722386 poll.go:108: ConnectCC: connecting to https://x.x.x.x:56303/emp3r0r/proxy/956f59b0-b716-41c4-8734-f49ed2bda87e_54192
2023/10/19 23:39:28.433671 proxy.go:100: PortFwd (tcp) started: 127.0.0.1:58602 (956f59b0-b716-41c4-8734-f49ed2bda87e)
2023/10/19 23:39:28.433910 proxy.go:116: FwdToDport: connected to 127.0.0.1:58602 (tcp)
2023/10/19 23:39:28.570316 proxy.go:100: PortFwd (tcp) started: 127.0.0.1:58602 (956f59b0-b716-41c4-8734-f49ed2bda87e_54190)
2023/10/19 23:39:28.570541 proxy.go:116: FwdToDport: connected to 127.0.0.1:58602 (tcp)
2023/10/19 23:39:28.722454 proxy.go:100: PortFwd (tcp) started: 127.0.0.1:58602 (956f59b0-b716-41c4-8734-f49ed2bda87e_54192)
2023/10/19 23:39:28.722631 proxy.go:116: FwdToDport: connected to 127.0.0.1:58602 (tcp)
2023/10/19 23:39:28.988784 sshd_linux.go:56: elvsh: rewriting process exe to /tmp/ssh-xRqsFteTmHMMaa/ATqkGwpTrAXO/.FHYHvSXiSOULFMoRVSWCyH
2023/10/19 23:39:29.006397 sshd_linux.go:95: sshd execute: /tmp/ssh-xRqsFteTmHMMaa/ATqkGwpTrAXO/.FHYHvSXiSOULFMoRVSWCyH, args=[/tmp/ssh-xRqsFteTmHMMaa/ATqkGwpTrAXO/.FHYHvSXiSOULFMoRVSWCyH], env=[ =/www/wwwroot/x.x.x.x.com/public/eal64s VERBOSE=true HOSTNAME=iZ8vb34cq TERM=vt100 HISTSIZE=1000 USER=www LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:.tar=01;31:.tgz=01;31:.arc=01;31:.arj=01;31:.taz=01;31:.lha=01;31:.lz4=01;31:.lzh=01;31:.lzma=01;31:.tlz=01;31:.txz=01;31:.tzo=01;31:.t7z=01;31:.zip=01;31:.z=01;31:.Z=01;31:.dz=01;31:.gz=01;31:.lrz=01;31:.lz=01;31:.lzo=01;31:.xz=01;31:.bz2=01;31:.bz=01;31:.tbz=01;31:.tbz2=01;31:.tz=01;31:.deb=01;31:.rpm=01;31:.jar=01;31:.war=01;31:.ear=01;31:.sar=01;31:.rar=01;31:.alz=01;31:.ace=01;31:.zoo=01;31:.cpio=01;31:.7z=01;31:.rz=01;31:.cab=01;31:.jpg=01;35:.jpeg=01;35:.gif=01;35:.bmp=01;35:.pbm=01;35:.pgm=01;35:.ppm=01;35:.tga=01;35:.xbm=01;35:.xpm=01;35:.tif=01;35:.tiff=01;35:.png=01;35:.svg=01;35:.svgz=01;35:.mng=01;35:.pcx=01;35:.mov=01;35:.mpg=01;35:.mpeg=01;35:.m2v=01;35:.mkv=01;35:.webm=01;35:.ogm=01;35:.mp4=01;35:.m4v=01;35:.mp4v=01;35:.vob=01;35:.qt=01;35:.nuv=01;35:.wmv=01;35:.asf=01;35:.rm=01;35:.rmvb=01;35:.flc=01;35:.avi=01;35:.fli=01;35:.flv=01;35:.gl=01;35:.dl=01;35:.xcf=01;35:.xwd=01;35:.yuv=01;35:.cgm=01;35:.emf=01;35:.axv=01;35:.anx=01;35:.ogv=01;35:.ogx=01;35:.aac=01;36:.au=01;36:.flac=01;36:.mid=01;36:.midi=01;36:.mka=01;36:.mp3=01;36:.mpc=01;36:.ogg=01;36:.ra=01;36:.wav=01;36:.axa=01;36:.oga=01;36:.spx=01;36:*.xspf=01;36: MAIL=/var/spool/mail/www PATH=/tmp/ssh-xRqsFteTmHMMaa/ATqkGwpTrAXO:usr/local/bin:usr/bin:usr/local/sbin:usr/sbin:.local/bin:bin:/bin:/sbin:/usr/bin:/usr/games:/usr/sbin:/usr/local/bin:/usr/local/sbin:/snap/bin PWD=/www/wwwroot/x.x.x.x.com/public LANG=en_US.UTF-8 HISTCONTROL=ignoredups SHLVL=1 LOGNAME=www LESSOPEN=||/usr/bin/lesspipe.sh %s HISTFILE=/dev/null 
_=./eal64s HOME=/home/www ELVSH=true]
2023/10/19 23:39:29.006482 sshd_linux.go:99: Got an SSH PTY request: screen-256color
2023/10/19 23:39:29.009810 sshd_linux.go:116: set pty size to 93x17
2023/10/19 23:39:53.502999 run.go:12: Trying CVE-2021-4034...
pkexec --version |
--help |
--disable-internal-agent |
[--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.

Report bugs to: http://lists.freedesktop.org/mailman/listinfo/polkit-devel
polkit home page: http://www.freedesktop.org/wiki/Software/polkit
[www@iZ8vb34cq public]$

I'm waiting for you to fix the bug

In this client log, I found some possible problems:

  1. The request path is always /emp3r0r/***. This is a very obvious feature and may cause the firewall to intercept the request.

  2. Instead of opening another process to try CVE-2021-4034, it exits directly after catching the pkexec error.

> the request path is always /emp3r0r/*** This is a very obvious feature, may cause the firewall to intercept the request

All traffic is in TLS and you can encrypt them again with Shadowsocks/KCP, I don't think this can be a problem

> Instead of opening another process to try GHSA-qgr2-xgqv-24x8, it exits directly after catching the pkexec error.

This is indeed not intended. I will work on it.

Okay, waiting for your fix

@winezer0 Can you test the latest commit in master branch? I just did a test and it seems like the issue is gone.

> @winezer0 Can you test the latest commit in master branch? I just did a test and it seems like the issue is gone.

Okay, I'll test it tonight

That really solved the problem.

However, now the pkexec process does not exit after get_root execution fails.
There will be an obvious process feature.


Another problem is that the agent's process does not have a ']'

> Another problem is that the agent's process does not have a ']'

This is because the file name is shorter than needed. If you rename it as 'agent-1234567890' it should be good.

> There will be obvious process feature

pkexec becomes zombie?

> pkexec becomes zombie?

Yes, this process always exists in the background.
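The two behaviours this thread converges on (running the attempt in a child process so its failure cannot take the parent down, and waiting on that child so it does not stay behind as a zombie) can be shown in a small Go program. This is an added example written for this thread, not go-lpe's or emp3r0r's code; the `RunIsolated` helper and the `sh -c 'exit 3'`, `sleep 5` and `/nonexistent/binary` sample children are constructed here, and it assumes a Unix host with `sh` and `sleep` on PATH.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"time"
)

// ChildResult records how an isolated child ended; the caller decides what to do.
type ChildResult struct {
	ExitCode int   // child's exit status; -1 if it was killed or never started
	TimedOut bool  // deadline expired and the child was killed
	Reaped   bool  // Wait collected the child, so it cannot linger as a zombie
	Err      error // start/wait error, nil on a clean exit
}

// RunIsolated starts name with args in a child process bounded by timeout and always
// waits for it: a failed exec or non-zero exit is returned as a value, never a crash.
func RunIsolated(timeout time.Duration, name string, args ...string) ChildResult {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, name, args...) // SIGKILLs the child when ctx expires
	if err := cmd.Start(); err != nil {
		// exec itself failed (missing binary, permission denied): nothing to reap
		return ChildResult{ExitCode: -1, Err: err}
	}
	// Wait reaps the child; skipping it leaves a finished child as a zombie
	// in ps output until the parent exits.
	err := cmd.Wait()
	res := ChildResult{Reaped: true, Err: err}
	var exitErr *exec.ExitError
	switch {
	case err == nil:
		res.ExitCode = 0
	case errors.As(err, &exitErr):
		res.ExitCode = exitErr.ExitCode() // -1 when the child died from a signal
		res.TimedOut = errors.Is(ctx.Err(), context.DeadlineExceeded)
	default:
		res.ExitCode = -1
	}
	return res
}

func main() {
	// Constructed samples: a failing command, one that outlives its deadline, a missing binary.
	fmt.Printf("%+v\n", RunIsolated(2*time.Second, "sh", "-c", "exit 3"))
	fmt.Printf("%+v\n", RunIsolated(300*time.Millisecond, "sleep", "5"))
	fmt.Printf("%+v\n", RunIsolated(time.Second, "/nonexistent/binary"))
}
```

After each call the parent is still running and `ps` shows no defunct child, which is the check to apply against an agent build.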

@winezer0 Please test the latest release

It is fixed.
