Code Flaws in Post-Exploitation Frameworks
Popular post-exploitation frameworks have contained their own sets of issues in the past. In some cases these were remote code execution flaws that could lead to compromise of the command-and-control (C2) infrastructure itself. Code flaws happen to everyone; even the most highly skilled and well-recognized developers are not infallible.
In the wise words of Daft Punk,
“We are human, after all.”
When it comes to post-exploitation tools, they can be thought of as the tester’s ‘scalpel’ used to cut open the network or host after that first puncture. Just as a scalpel is nothing more than an exceedingly sharp piece of metal, post-exploitation frameworks are ultimately just software designed to meet the specific needs of security teams. Scalpels may contain imperfections and need to be sanitized before surgery, and this kind of software is no different.
In the PowerShell Empire case, an RCE existed that could compromise a C2 server. harmj0y went to great lengths to explain the issue, pinpointed the offending code, and went on to thank the individuals who reported it. The level of transparency in that post truly is admirable.
There is no denying that flaws in security software stand out from those in typical software: they receive extreme scrutiny from cybersecurity folks and the general technology crowd alike. This is not limited to distributed software, either; any security-related slip-up at a security-focused organization can be a death sentence. Ask Hacking Team!
The unfortunate truth is that being built for cybersecurity needs does not change the fact that software is software, regardless of purpose or application, and it is therefore subject to the same pitfalls.
PowerShell Empire is not alone. Cobalt Strike, a commonly used commercial product for red team infrastructure, has had coding flaws of its own. This blog post describes a directory traversal attack against its team server software, and notes that it was identified as being actively exploited at the time.
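The class of flaw just mentioned, as an added illustration rather than code from Cobalt Strike, Empire or the linked post: a hypothetical file-download handler on a C2 server, first written the way a traversal bug typically arises, then with the check that closes it. The base directory, file names, file contents and function names below are all constructed for the example and are not taken from any real product.

```python
import posixpath

# Constructed, in-memory stand-in for the files a hypothetical C2 server keeps
# on disk. Only the first entry is meant to be downloadable by a client.
BASE_DIR = "/opt/c2/downloads"
STORE = {
    "/opt/c2/downloads/report.txt": b"harmless download",
    "/opt/c2/keys/server.key": b"SUPER-SECRET-PRIVATE-KEY",   # must never be served
}


def vulnerable_fetch(requested: str) -> bytes:
    """Naive handler: glue the client-supplied name onto BASE_DIR and normalise.

    normpath resolves '..' components, so '../keys/server.key' walks out of
    the download directory; an absolute path makes join() discard BASE_DIR
    entirely. Both are classic directory traversal.
    """
    path = posixpath.normpath(posixpath.join(BASE_DIR, requested))
    return STORE.get(path, b"")


def hardened_fetch(requested: str):
    """Same handler with the traversal check.

    Returns None for a rejected request (so it can be logged and answered
    with 403), and b"" for a path that is inside BASE_DIR but does not exist.
    On a real filesystem the candidate should additionally be passed through
    os.path.realpath before the containment check, because a symlink inside
    BASE_DIR can point outside it and a purely lexical check will not notice.
    """
    # NUL bytes and absolute paths are never legitimate download names.
    if "\x00" in requested or requested.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, requested))
    # Containment check: the resolved path must be BASE_DIR itself or a child
    # of it. Comparing with the trailing "/" prevents "/opt/c2/downloads-evil"
    # from passing a plain startswith(BASE_DIR) test.
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None
    return STORE.get(candidate, b"")


if __name__ == "__main__":
    probes = ["report.txt", "../keys/server.key", "/opt/c2/keys/server.key"]
    for p in probes:
        print(f"{p!r:32} vulnerable={vulnerable_fetch(p)!r} hardened={hardened_fetch(p)!r}")
```

The point to take from the pair is that the fix is not stripping ".." from the input (which misses encoded and absolute-path variants) but normalising the final path and then checking that it still lives under the directory you intended to serve from.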
As for exposure, here is an article written by Tenable about identifying Empire listeners via Shodan, visible to the entire Internet. Granted, the listeners discussed there are probably not serving a legitimate purpose, but I would still bet that a couple of entry-level red teamers are behind at least a handful.
With that in mind, I certainly hope that every team using these applications understands the impact of exposing them unrestricted to the wild, and practices what it preaches by limiting exposure of its infrastructure and applying proper patch management procedures.
I sincerely pray that it happens before an APT group takes notice and recruits its clients into a botnet, at least.