[BUG] Azure Domain Fronting Issue #230

Open
Gimpy42 opened this issue Jun 19, 2020 · 1 comment
Labels: bug (Something isn't working)

Comments

Gimpy42 commented Jun 19, 2020

Empire Version

  • Empire 3.2.3

OS Information (Linux flavor, Python version)

  • OS: Ubuntu 18.04 LTS – Azure and AWS VM
  • Python: 3.6.9

Describe the bug
PowerShell payloads do not work when using Azure domain fronting, but they do work without domain fronting, and with Empire 2.5 both with and without domain fronting.

To Reproduce
Steps to reproduce the behavior:

  1. Install Empire on a cloud VM (2 vCPU, 4 GB)
  2. Create your Azure CDN and test that the redirection works properly
  3. Configure your listener and stager
  4. Generate a payload, execute it on the target and check whether the agent connects back

Expected behavior
The victim gets redirected to Empire, downloads the agent and executes it.

Additional context

1. Protocols tested
80:HTTP and 443:HTTPS were tested.

2. To create the CDN, I followed Truneski's tutorials.

3. Test for the CDN redirection:
Serve a test file on the server and check that you can get to it.

$> curl https://<SERVER_IP>/test.html
<html>
<head></head>
<body>hello world</body>
</html>

$> curl --header "Host: <Endpoint>.azureedge.net" "https://<Azure-redirector>:443/test.html"
<html>
<head></head>
<body>hello world</body>
</html>

4. Listener Config

  Name              True        <LISTENERS NAME>
  Host              True        https://<Azure-redirector>:443
  BindIP            True        0.0.0.0
  Port              True        443
  Launcher          True        powershell -noP -sta -w 1 -enc
  StagingKey        True        {kuZ4~hv)r?W1,[AzHya(^Gc0eb2q6@E
  DefaultDelay      True        5
  DefaultJitter     True        0.0
  DefaultLostLimit  True        60
  DefaultProfile    True        /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko|Host: <Endpoint>.azureedge.net
  CertPath          False       /opt/Empire/data
  KillDate          False
  WorkingHours      False
  Headers           True        Server:Microsoft-IIS/7.5
  Cookie            False       DZHzopOdCtko
  StagerURI         False
  UserAgent         False       default
  Proxy             False       default
  ProxyCreds        False       default

5. Stager Config

  Listener          True        <LISTENERS NAME>
  Language          True        powershell
  StagerRetries     False       0
  OutFile           False
  Base64            True        True
  Obfuscate         False       False
  ObfuscateCommand  False       Token\All\1
  SafeChecks        True        True
  UserAgent         False       default
  Proxy             False       default
  ProxyCreds        False       default
  ScriptLogBypass   False       True
  AMSIBypass        False       True
  AMSIBypass2       False       False

@Gimpy42 Gimpy42 added the bug Something isn't working label Jun 19, 2020
@Cx01N Cx01N changed the title [BUG] [BUG] Azure Domain Fronting Issue Jun 23, 2020
stormyordos commented Jul 21, 2020

So the explanation seems to be that the Python code responsible for setting the "$customHeaders" variable in Start-Negotiate (listeners/http.ps1) tries to do two things at once: enabling multiple headers to be added to the requests, each one separated by a comma, and splitting each header on the colon character (as in "host:something.azureedge.net").
Unfortunately, it seems that when there is only one custom header, the key/value pair is added with a comma separating them:
$customHeaders = "host, something.azureedge.net"

We first tried to change that comma back to a colon, and everything works. After digging deeper, it seems the fault lies in the code around line 597 in listeners/http.py:

    if customHeaders != []:
        for key in customHeaders:
            value = key.split(":")
            if 'cookie' in value[0].lower() and value[1]:
                continue
            remove += value
        # new statement, works
        headers = ':'.join(remove)
        # headers = ','.join(customHeaders)
        stager = stager.replace("$customHeaders = \"\";", "$customHeaders = \"" + headers + "\";")

It looks like our change is only a temporary one, as I think it breaks the multiple-header option. But for now, we have a working Empire with domain fronting.
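
The comment above describes a single-header workaround that joins every split part with colons, which the commenter expects to break once two or more custom headers are configured. The following is an added example, not Empire's own code, showing the header-string construction generalized to any number of headers: each entry keeps its "Key:Value" form (a value containing further colons survives), entries are separated by commas, and Cookie headers are skipped as in the snippet above. The function names are hypothetical, and the assumed agent-side parsing (split on commas, then on the first colon) mirrors what the comment says Start-Negotiate does; the real PowerShell stub may differ.

```python
# Added example (not Empire's code): building and parsing the $customHeaders
# string that listeners/http.py substitutes into the Start-Negotiate stub.
# Assumed wire form: "Key:Value,Key2:Value2" (comma between headers, first
# colon between key and value). Function names are hypothetical.


def build_custom_headers(custom_headers):
    """Return the string to substitute into '$customHeaders = "";'.

    custom_headers is a list of "Key:Value" strings. Cookie headers are
    skipped, mirroring the check in the listener code; entries that are not
    in Key:Value form are rejected instead of silently producing garbage.
    """
    kept = []
    for entry in custom_headers:
        key, sep, value = entry.partition(":")   # split on the FIRST colon only
        if not sep:
            raise ValueError(f"custom header {entry!r} is not in Key:Value form")
        key, value = key.strip(), value.strip()
        if key.lower() == "cookie" and value:
            continue                             # session cookie is handled elsewhere
        kept.append(f"{key}:{value}")
    return ",".join(kept)


def workaround_join(custom_headers):
    """The temporary fix from the comment: ':'.join over all split parts.

    Correct for exactly one header; with two or more, the header boundaries
    become colons and the agent can no longer tell where one header ends.
    """
    remove = []
    for entry in custom_headers:
        value = entry.split(":")
        if "cookie" in value[0].lower() and value[1]:
            continue
        remove += value
    return ":".join(remove)


def parse_custom_headers(header_string):
    """Assumed agent-side parsing: commas between headers, first colon in each."""
    headers = {}
    if not header_string:
        return headers
    for part in header_string.split(","):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed header fragment {part!r}")
        headers[key.strip()] = value.strip()
    return headers


if __name__ == "__main__":
    # Constructed sample inputs; <Endpoint> is the same placeholder the issue uses.
    single = ["Host:<Endpoint>.azureedge.net"]
    multi = ["Host:<Endpoint>.azureedge.net", "X-Example:1"]

    print("single, fixed     :", build_custom_headers(single))
    print("single, workaround:", workaround_join(single))
    print("multi, fixed      :", parse_custom_headers(build_custom_headers(multi)))
    # The workaround collapses both headers into one key with a colon-laden value.
    print("multi, workaround :", parse_custom_headers(workaround_join(multi)))
```

Running the block prints the single-header case agreeing for both variants and the two-header case diverging: the fixed builder round-trips to two separate headers, while the workaround string parses as one Host header whose value swallows the second header.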

vinnybod pushed a commit that referenced this issue Sep 25, 2021
* removed broken package pyminifier

* updated change log