Merge pull request #776 from BC-SECURITY/release/6.0.2

vinnybod · web-flow · commit d6b60016c6bc · 2025-04-06T20:02:06.000-07:00
v6.0.2 into main
diff --git a/.github/workflows/lint-and-test.yml b/.github/workflows/lint-and-test.yml
@@ -140,7 +140,7 @@ jobs:
       # To save CI time, only run these tests when the install script or deps changed
       - name: Get changed files using defaults
         id: changed-files
-        uses: tj-actions/changed-files@v46.0.1
+        uses: tj-actions/changed-files@v46.0.3
       - name: Build images
         if: contains(steps.changed-files.outputs.modified_files, 'setup/install.sh')
           || contains(steps.changed-files.outputs.modified_files, 'poetry.lock')
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [6.0.2] - 2025-04-07
+
+-   Fixed issue where C# modules on powershell agent would be improperly formatted
+-   Fixed SharpWMI argument errors when using escaped quotes
+-   Updated result parser on SharpWMI to not use StreamWriter due to messing up results
+
 ## [6.0.1] - 2025-04-03
 
 ### Fixed
@@ -1088,7 +1094,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Updated shellcoderdi to newest version (@Cx01N)
 -   Added a Nim launcher (@Hubbl3)
 
-[Unreleased]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v6.0.1...HEAD
+[Unreleased]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v6.0.2...HEAD
+
+[6.0.2]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v6.0.1...v6.0.2
 
 [6.0.1]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v6.0.0...v6.0.1
 
diff --git a/empire/server/common/empire.py b/empire/server/common/empire.py
@@ -34,7 +34,7 @@
 if TYPE_CHECKING:
     from socket import SocketIO
 
-VERSION = "6.0.1 BC Security Fork"
+VERSION = "6.0.2 BC Security Fork"
 
 log = logging.getLogger(__name__)
 
diff --git a/empire/server/data/agent/agent.ps1 b/empire/server/data/agent/agent.ps1
@@ -1213,31 +1213,31 @@ function Invoke-Empire {
 
                     $scriptString = {
                         param($pipeServerStream, $ps, $task)
-                            try
-                            {
-                                $outputCollector = [Text.StringBuilder]::new()
-                                $streamReader = New-Object System.IO.StreamReader($pipeServerStream)
-                                $readyMessage = $streamReader.ReadLine()
-                                $buffer = [char[]]::new($pipeServerStream.InBufferSize)
-
-                                if ($readyMessage -eq "ready") {
-                                    while ($read = $streamReader.Read($buffer, 0, $buffer.Length)) {
-                                        $outputChunk = (-join $buffer[0..($read - 1)])
-
-                                        [void]$outputCollector.AppendLine($outputChunk)
+                        try {
+                            $outputCollector = [Text.StringBuilder]::new()
+                            $streamReader = New-Object System.IO.StreamReader($pipeServerStream)
+                            $readyMessage = $streamReader.ReadLine()
+                            $buffer = [char[]]::new($pipeServerStream.InBufferSize)
 
-                                        $output = $outputCollector.ToString().TrimEnd()
-                                        if (-not [string]::IsNullOrWhiteSpace($output)) {
-                                            $output
-                                        }
-                                        [void]$outputCollector.Clear()
+                            if ($readyMessage -eq "ready") {
+                                while ($read = $streamReader.Read($buffer, 0, $buffer.Length)) {
+                                    if ($read -gt 0) {
+                                        $outputChunk = -join $buffer[0..($read - 1)]
+                                        [void]$outputCollector.Append($outputChunk)
                                     }
                                 }
+
+                                # Send full output after pipe closes
+                                $output = $outputCollector.ToString().TrimEnd()
+                                if (-not [string]::IsNullOrWhiteSpace($output)) {
+                                    $output
+                                }
                             }
-                            finally {
-                                $ps.EndInvoke($task)
-                                $script:tasks[$ResultID]['status'] = 'completed';
-                            }
+                        }
+                        finally {
+                            $ps.EndInvoke($task)
+                            $script:tasks[$ResultID]['status'] = 'completed';
+                        }
                     }
 
                     $AppDomain = [AppDomain]::CreateDomain($ResultID);
diff --git a/empire/server/modules/csharp/situational_awareness/SharpWMI.yaml b/empire/server/modules/csharp/situational_awareness/SharpWMI.yaml
@@ -44,111 +44,65 @@ csharp:
     {
         private static byte originalByte;
 
-        public static Stream OutputStream { get; set; }
-
         public static void Main(string[] args)
         {
-            using (StringWriter stringWriter = new StringWriter())
-            {
-                TextWriter originalOutput = Console.Out;
-                TextWriter originalError = Console.Error;
-
-                StreamWriter outputStreamWriter = null;
-                if (OutputStream != null)
-                {
-                    outputStreamWriter = new StreamWriter(OutputStream);
-                    outputStreamWriter.AutoFlush = true;
-                }
-
-                PatchEnvironmentExit();
-
-                try
-                {
-                    MultiTextWriter multiWriter = new MultiTextWriter(stringWriter, outputStreamWriter);
-                    Console.SetOut(multiWriter);
-                    Console.SetError(multiWriter);
-
-                    string allArgs = string.Join(" ", args);
-                    string[] splitArgs = Regex.Matches(allArgs, @"[^\s""=]+=""[^""]*""|[^\s""=]+=[^\s]+")
-                                              .Cast<Match>()
-                                              .Select(m => m.Value.Replace("= ", "="))  // Fix any accidental spaces after `=`
-                                              .ToArray();
-
-                    for (int i = 0; i < splitArgs.Length; i++)
-                    {
-                        if (splitArgs[i].StartsWith("query="))
-                        {
-                            splitArgs[i] = splitArgs[i].Replace("\"", "");
-                        }
-                    }
-
-                    foreach (string arg in splitArgs)
-                    {
-                        Console.WriteLine($"[>] Argument: {arg}");
-                    }
-
-                    typeof(SharpWMI.Program).GetMethod("Main", BindingFlags.NonPublic | BindingFlags.Static)
-                                   .Invoke(null, new object[] { splitArgs });
-                }
-                catch (Exception ex)
-                {
-                    stringWriter.WriteLine($"Error: {ex.Message}");
-                    if (ex.InnerException != null)
-                    {
-                        stringWriter.WriteLine($"Inner Exception: {ex.InnerException.GetType().FullName}: {ex.InnerException.Message}");
-                    }
-                }
-                finally
-                {
-                    Console.SetOut(originalOutput);
-                    Console.SetError(originalError);
-
-                    if (outputStreamWriter != null)
-                    {
-                        outputStreamWriter.Flush();
-                        outputStreamWriter.Close();
-                    }
-                    Console.WriteLine(stringWriter.ToString());
-                }
-            }
-        }
-
-        private class MultiTextWriter : TextWriter
-        {
-            private readonly TextWriter _writer1;
-            private readonly TextWriter _writer2;
-
-            public MultiTextWriter(TextWriter writer1, TextWriter writer2)
-            {
-                _writer1 = writer1;
-                _writer2 = writer2;
-            }
-
-            public override Encoding Encoding
-            {
-                get
-                {
-                    return _writer1?.Encoding ?? Encoding.UTF8;
-                }
-            }
-
-            public override void Write(char value)
-            {
-                _writer1?.Write(value);
-                _writer2?.Write(value);
-            }
-
-            public override void Write(string value)
-            {
-                _writer1?.Write(value);
-                _writer2?.Write(value);
-            }
-
-            public override void Flush()
-            {
-                _writer1?.Flush();
-                _writer2?.Flush();
-            }
+              PatchEnvironmentExit();
+
+              try
+              {
+                  Console.WriteLine("\n[DEBUG] Original args (before normalization):");
+                  for (int i = 0; i < args.Length; i++)
+                  {
+                      Console.WriteLine($"  args[{i}]: '{args[i]}'");
+                  }
+
+                  // Normalize double-double quotes ("") to single quotes (")
+                  string normalizedArgs = args[0].Replace("\"\"", "\"");
+
+                  Console.WriteLine("\n[DEBUG] Normalized args:");
+                  Console.WriteLine($"  '{normalizedArgs}'");
+
+                  // Now properly split arguments
+                  string[] manuallySplitArgs = Regex.Matches(normalizedArgs, @"[^\s=]+=""[^""]*""|[^\s=]+=[^\s""]+")
+                                                    .Cast<Match>()
+                                                    .Select(m => m.Value)
+                                                    .ToArray();
+
+                  Console.WriteLine("\n[DEBUG] Manually split args:");
+                  for (int i = 0; i < manuallySplitArgs.Length; i++)
+                  {
+                      Console.WriteLine($"  manuallySplitArgs[{i}]: '{manuallySplitArgs[i]}'");
+                  }
+
+                  // Parse key-value pairs explicitly
+                  var parsedArgs = manuallySplitArgs.Select(arg =>
+                  {
+                      int idx = arg.IndexOf('=');
+                      if (idx > -1)
+                      {
+                          string key = arg.Substring(0, idx);
+                          string val = arg.Substring(idx + 1).Trim('"');
+                          return $"{key}={val}";
+                      }
+                      return arg;
+                  }).ToArray();
+
+                  Console.WriteLine("\n[DEBUG] Parsed Arguments:");
+                  foreach (string arg in parsedArgs)
+                  {
+                      Console.WriteLine($"[>] Argument: {arg}");
+                  }
+
+                  // Finally invoke SharpWMI
+                  typeof(SharpWMI.Program)
+                      .GetMethod("Main", BindingFlags.NonPublic | BindingFlags.Static)
+                      .Invoke(null, new object[] { parsedArgs });
+
+              }
+              catch (Exception ex)
+              {
+                  Console.WriteLine($"Error: {ex.Message}");
+              }
         }
 
         private static void PatchEnvironmentExit()
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "empire-bc-security-fork"
-version = "6.0.1"
+version = "6.0.2"
 description = ""
 authors = ["BC Security <info@bc-security.org>"]
 readme = "README.md"
