updating for forge support and fixing an upload bug

Author: its-a-feature

Payload_Type/apollo/CHANGELOG.MD

@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v2.2.25] - 2025-01-30
+
+### Changed
+
+- Fixed a bug with upload if remote_path wasn't specified causing regex to break
+- Updated execute_coff to optionally take in a file at execution time to support forge
+- Updated execute_assembly to optionally take in a file at execution time to support forge
+- Updated inline_assembly to optionally take in a file at execution time to support forge
+
 ## [v2.2.24] - 2025-01-08
 
 ### Changed

Payload_Type/apollo/apollo/mythic/agent_functions/builder.py

@@ -21,7 +21,7 @@ class Apollo(PayloadType):
     supported_os = [
         SupportedOS.Windows
     ]
-    version = "2.2.24"
+    version = "2.2.25"
     wrapper = False
     wrapped_payloads = ["scarecrow_wrapper", "service_wrapper"]
     note = """

Payload_Type/apollo/apollo/mythic/agent_functions/execute_assembly.py

@@ -33,6 +33,17 @@ def __init__(self, command_line, **kwargs):
                     )
                 ],
             ),
+            CommandParameter(
+                name="assembly_file",
+                display_name="New Assembly",
+                type=ParameterType.File,
+                description="A new assembly to execute. After uploading once, you can just supply the assembly_name parameter",
+                parameter_group_info=[
+                    ParameterGroupInfo(
+                        required=True, group_name="New Assembly", ui_position=1,
+                    )
+                ]
+            ),
             CommandParameter(
                 name="assembly_arguments",
                 cli_name="Arguments",
@@ -43,6 +54,9 @@ def __init__(self, command_line, **kwargs):
                     ParameterGroupInfo(
                         required=False, group_name="Default", ui_position=2
                     ),
+                    ParameterGroupInfo(
+                        required=False, group_name="New Assembly", ui_position=2
+                    ),
                 ],
             ),
         ]
@@ -91,7 +105,7 @@ class ExecuteAssemblyCommand(CommandBase):
     cmd = "execute_assembly"
     needs_admin = False
     help_cmd = "execute_assembly [Assembly.exe] [args]"
-    description = "Executes a .NET assembly with the specified arguments. This assembly must first be known by the agent using the `register_assembly` command."
+    description = "Executes a .NET assembly with the specified arguments. This assembly must first be known by the agent using the `register_assembly` command or by supplying an assembly with the task."
     version = 3
     author = "@djhohnstein"
     argument_class = ExecuteAssemblyArguments
@@ -134,6 +148,47 @@ async def create_go_tasking(
             Success=True,
         )
         global EXEECUTE_ASSEMBLY_PATH
+        originalGroupNameIsDefault = taskData.args.get_parameter_group_name() == "Default"
+        if taskData.args.get_parameter_group_name() == "New Assembly":
+            fileSearchResp = await SendMythicRPCFileSearch(MythicRPCFileSearchMessage(
+                TaskID=taskData.Task.ID,
+                AgentFileID=taskData.args.get_arg("assembly_file")
+            ))
+            if not fileSearchResp.Success:
+                raise Exception(f"Failed to find uploaded file: {fileSearchResp.Error}")
+            if len(fileSearchResp.Files) == 0:
+                raise Exception(f"Failed to find matching file, was it deleted?")
+            searchedTaskResp = await SendMythicRPCTaskSearch(MythicRPCTaskSearchMessage(
+                TaskID=taskData.Task.ID,
+                SearchCallbackID=taskData.Callback.ID,
+                SearchCommandNames=["register_file"],
+                SearchParams=taskData.args.get_arg("assembly_file")
+            ))
+            if not searchedTaskResp.Success:
+                raise Exception(f"Failed to search for matching tasks: {searchedTaskResp.Error}")
+            if len(searchedTaskResp.Tasks) == 0:
+                # we need to register this file with apollo first
+                subtaskCreationResp = await SendMythicRPCTaskCreateSubtask(MythicRPCTaskCreateSubtaskMessage(
+                    TaskID=taskData.Task.ID,
+                    CommandName="register_file",
+                    Params=json.dumps({"file": taskData.args.get_arg("assembly_file")})
+                ))
+                if not subtaskCreationResp.Success:
+                    raise Exception(f"Failed to create register_file subtask: {subtaskCreationResp.Error}")
+
+            taskData.args.add_arg("assembly_name", fileSearchResp.Files[0].Filename)
+            taskData.args.remove_arg("assembly_file")
+
+        taskargs = taskData.args.get_arg("assembly_arguments")
+        if originalGroupNameIsDefault:
+            if taskargs == "" or taskargs is None:
+                response.DisplayParams = "-Assembly {}".format(
+                    taskData.args.get_arg("assembly_name")
+                )
+            else:
+                response.DisplayParams = "-Assembly {} -Arguments {}".format(
+                    taskData.args.get_arg("assembly_name"), taskargs
+                )
         taskData.args.add_arg("pipe_name", str(uuid4()))
         if not path.exists(EXEECUTE_ASSEMBLY_PATH):
             # create
@@ -153,17 +208,6 @@ async def create_go_tasking(
             raise Exception(
                 "Failed to register execute_assembly binary: " + file_resp.Error
             )
-
-        taskargs = taskData.args.get_arg("assembly_arguments")
-        if taskargs == "" or taskargs is None:
-            response.DisplayParams = "-Assembly {}".format(
-                taskData.args.get_arg("assembly_name")
-            )
-        else:
-            response.DisplayParams = "-Assembly {} -Arguments {}".format(
-                taskData.args.get_arg("assembly_name"), taskargs
-            )
-
         return response
 
     async def process_response(

Payload_Type/apollo/apollo/mythic/agent_functions/execute_coff.py

@@ -8,7 +8,7 @@
 import asyncio
 import platform
 
-if platform.system() == 'Windows':  
+if platform.system() == 'Windows':
     RUNOF_HOST_PATH= "C:\\Mythic\\Apollo\\srv\\RunOF.dll"
 else:
     RUNOF_HOST_PATH= "/srv/RunOF.dll"
@@ -34,6 +34,17 @@ def __init__(self, command_line, **kwargs):
                         ui_position=1
                     )
                 ]),
+            CommandParameter(
+                name="bof_file",
+                display_name="New Bof",
+                type=ParameterType.File,
+                description="A new bof to execute. After uploading once, you can just supply the coff_name parameter",
+                parameter_group_info=[
+                    ParameterGroupInfo(
+                        required=True, group_name="New", ui_position=1,
+                    )
+                ]
+            ),
             CommandParameter(
                 name="function_name",
                 cli_name="Function",
@@ -47,6 +58,11 @@ def __init__(self, command_line, **kwargs):
                         group_name="Default",
                         ui_position=2
                     ),
+                    ParameterGroupInfo(
+                        required=False,
+                        group_name="New",
+                        ui_position=2
+                    ),
                 ]),
             CommandParameter(
                 name="timeout",
@@ -61,6 +77,11 @@ def __init__(self, command_line, **kwargs):
                         group_name="Default",
                         ui_position=3
                     ),
+                    ParameterGroupInfo(
+                        required=False,
+                        group_name="New",
+                        ui_position=3
+                    ),
                 ]),
             CommandParameter(
                 name="coff_arguments",
@@ -82,11 +103,15 @@ def __init__(self, command_line, **kwargs):
                         group_name="Default",
                         ui_position=4
                     ),
+                    ParameterGroupInfo(
+                        required=False,
+                        group_name="New",
+                        ui_position=4
+                    ),
                 ]),
         ]
 
     async def get_arguments(self, arguments: PTRPCTypedArrayParseFunctionMessage) -> PTRPCTypedArrayParseFunctionMessageResponse:
-        argumentResponse = PTRPCTypedArrayParseFunctionMessageResponse(Success=True)
         argumentSplitArray = []
         for argValue in arguments.InputArray:
             argSplitResult = argValue.split(" ")
@@ -98,18 +123,19 @@ async def get_arguments(self, arguments: PTRPCTypedArrayParseFunctionMessage) ->
             value = value.strip("\'").strip("\"")
             if argType == "":
                 pass
-            elif argType == "int16" or argType == "-s":
+            elif argType == "int16" or argType == "-s" or argType == "s":
                 coff_arguments.append(["int16",int(value)])
-            elif argType == "int32" or argType == "-i":
+            elif argType == "int32" or argType == "-i" or argType == "i":
                 coff_arguments.append(["int32",int(value)])
-            elif argType == "string" or argType == "-z":
+            elif argType == "string" or argType == "-z" or argType == "z":
                 coff_arguments.append(["string",value])
-            elif argType == "wchar" or argType == "-Z":
+            elif argType == "wchar" or argType == "-Z" or argType == "Z":
                 coff_arguments.append(["wchar",value])
-            elif argType == "base64" or argType == "-b":
+            elif argType == "base64" or argType == "-b" or argType == "b":
                 coff_arguments.append(["base64",value])
             else:
-                return PTRPCTypedArrayParseFunctionMessageResponse(Success=False, Error=f"Failed to parse argument: {argument}: Unknown value type.")
+                return PTRPCTypedArrayParseFunctionMessageResponse(Success=False,
+                                                                   Error=f"Failed to parse argument: {argument}: Unknown value type.")
 
         argumentResponse = PTRPCTypedArrayParseFunctionMessageResponse(Success=True, TypedArray=coff_arguments)
         return argumentResponse
@@ -177,7 +203,7 @@ async def registered_runof(self, taskData: PTTaskMessageAllData) -> str:
         fileSearch = await SendMythicRPCFileSearch(MythicRPCFileSearchMessage(
             TaskID=taskData.Task.ID,
             Filename="RunOF.dll",
-            LimitByCallback=True,
+            LimitByCallback=False,
             MaxResults=1
         ))
         if not fileSearch.Success:
@@ -190,7 +216,7 @@ async def registered_runof(self, taskData: PTTaskMessageAllData) -> str:
                 Filename="RunOF.dll",
                 IsScreenshot=False,
                 IsDownloadFromAgent=False,
-                Comment=f"Shared RunOF.dll for all execute_coff tasks within Callback {taskData.Callback.DisplayID}"
+                Comment=f"Shared RunOF.dll for all execute_coff tasks within apollo"
             ))
             if fileRegister.Success:
                 return fileRegister.AgentFileId
@@ -199,33 +225,84 @@ async def registered_runof(self, taskData: PTTaskMessageAllData) -> str:
 
     async def create_go_tasking(self, taskData: PTTaskMessageAllData) -> PTTaskCreateTaskingMessageResponse:
         response = PTTaskCreateTaskingMessageResponse( TaskID=taskData.Task.ID, Success=True)
+        originalGroupNameIsDefault = taskData.args.get_parameter_group_name() == "Default"
+        if taskData.args.get_parameter_group_name() == "New":
+            fileSearchResp = await SendMythicRPCFileSearch(MythicRPCFileSearchMessage(
+                TaskID=taskData.Task.ID,
+                AgentFileID=taskData.args.get_arg("bof_file")
+            ))
+            if not fileSearchResp.Success:
+                raise Exception(f"Failed to find uploaded file: {fileSearchResp.Error}")
+            if len(fileSearchResp.Files) == 0:
+                raise Exception(f"Failed to find matching file, was it deleted?")
+            searchedTaskResp = await SendMythicRPCTaskSearch(MythicRPCTaskSearchMessage(
+                TaskID=taskData.Task.ID,
+                SearchCallbackID=taskData.Callback.ID,
+                SearchCommandNames=["register_file"],
+                SearchParams=taskData.args.get_arg("bof_file")
+            ))
+            if not searchedTaskResp.Success:
+                raise Exception(f"Failed to search for matching tasks: {searchedTaskResp.Error}")
+            if len(searchedTaskResp.Tasks) == 0:
+                # we need to register this file with apollo first
+                subtaskCreationResp = await SendMythicRPCTaskCreateSubtask(MythicRPCTaskCreateSubtaskMessage(
+                    TaskID=taskData.Task.ID,
+                    CommandName="register_coff",
+                    Params=json.dumps({"file": taskData.args.get_arg("bof_file")})
+                ))
+                if not subtaskCreationResp.Success:
+                    raise Exception(f"Failed to create register_file subtask: {subtaskCreationResp.Error}")
+
+            taskData.args.add_arg("coff_name", fileSearchResp.Files[0].Filename)
+            taskData.args.add_arg("loader_stub_id", taskData.args.get_arg("bof_file"))
+            taskData.args.remove_arg("bof_file")
+        else:
+            file_resp = await SendMythicRPCFileSearch(MythicRPCFileSearchMessage(TaskID=taskData.Task.ID, Filename=taskData.args.get_arg("coff_name")))
+            if file_resp.Success and len(file_resp.Files) > 0:
+                taskData.args.add_arg("loader_stub_id", file_resp.Files[0].AgentFileId)
+            else:
+                raise Exception("Failed to fetch uploaded file from Mythic (ID: {})".format(taskData.args.get_arg("coff_name")))
         registered_runof_id = await self.registered_runof(taskData)
         taskData.args.add_arg("runof_id", registered_runof_id)
-        file_resp = await SendMythicRPCFileSearch(MythicRPCFileSearchMessage(TaskID=taskData.Task.ID, Filename=taskData.args.get_arg("coff_name")))
-        if file_resp.Success and len(file_resp.Files) > 0:
-            taskData.args.add_arg("loader_stub_id", file_resp.Files[0].AgentFileId)
-        else:
-            raise Exception("Failed to fetch uploaded file from Mythic (ID: {})".format(taskData.args.get_arg("coff_name")))
-
         timeout = taskData.args.get_arg("timeout")
         if timeout is None or timeout == "":
             taskData.args.set_arg("timeout", "30")
 
         taskargs = taskData.args.get_arg("coff_arguments")
-        if taskargs == "" or taskargs is None:
-            response.DisplayParams = "-Coff {} -Function {} -Timeout {}".format(
-                taskData.args.get_arg("coff_name"),
-                taskData.args.get_arg("function_name"),
-                taskData.args.get_arg("timeout")
-            )
-        else:
-            response.DisplayParams = "-Coff {} -Function {} -Timeout {} -Arguments {}".format(
-                taskData.args.get_arg("coff_name"),
-                taskData.args.get_arg("function_name"),
-                taskData.args.get_arg("timeout"),
-                taskargs
-            )
+        if originalGroupNameIsDefault:
+            if taskargs == "" or taskargs is None:
+                response.DisplayParams = "-Coff {} -Function {} -Timeout {}".format(
+                    taskData.args.get_arg("coff_name"),
+                    taskData.args.get_arg("function_name"),
+                    taskData.args.get_arg("timeout")
+                )
+            else:
+                argsString = ""
+                normalizedArgs = []
+                for argEntry in taskargs:
+                    if argEntry[0] in ['s', 'int16']:
+                        argsString += f"-Arguments {argEntry[0]}:{argEntry[1]} "
+                        normalizedArgs.append(['s', argEntry[1]])
+                    elif argEntry[0] in ['i', 'int32']:
+                        argsString += f"-Arguments {argEntry[0]}:{argEntry[1]} "
+                        normalizedArgs.append(['i', argEntry[1]])
+                    elif argEntry[0] in ['z', 'string']:
+                        argsString += f"-Arguments {argEntry[0]}:\"{argEntry[1]}\" "
+                        normalizedArgs.append(['z', argEntry[1]])
+                    elif argEntry[0] in ['Z', 'wchar']:
+                        argsString += f"-Arguments {argEntry[0]}:\"{argEntry[1]}\" "
+                        normalizedArgs.append(['Z', argEntry[1]])
+                    else:
+                        argsString += f"-Arguments {argEntry[0]}:\"{argEntry[1]}\" "
+                        normalizedArgs.append(['b', argEntry[1]])
+                taskData.args.set_arg("coff_arguments", normalizedArgs)
 
+                response.DisplayParams = "-Coff {} -Function {} -Timeout {} {}".format(
+                    taskData.args.get_arg("coff_name"),
+                    taskData.args.get_arg("function_name"),
+                    taskData.args.get_arg("timeout"),
+                    argsString
+                )
         return response
 
     async def process_response(self, task: PTTaskMessageAllData, response: any) -> PTTaskProcessResponseMessageResponse: