
CVE-2022-39197 PoC — HelpSystems Cobalt Strike Cross-Site Scripting Vulnerability

Associated Vulnerability
Title: HelpSystems Cobalt Strike Cross-Site Scripting Vulnerability (CVE-2022-39197)
Description: An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
Description
CVE-2022-39197 (Cobalt Strike XSS <= 4.7) POC
Readme
# CVE-2022-39197-POC  

Chinese version: [README_CN.md](README_CN.md)

---

## Vulnerability Intro
According to the [Update Log](https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/) for version 4.7.1, officially released by Cobalt Strike on 20 September, teamserver versions up to and including 4.7 have an XSS vulnerability that can lead to RCE.
> We were contacted by an independent researcher named "Beichendream" to inform us of an XSS vulnerability they found in the team's servers. This would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute code remotely (RCE).

---

## POC Intro

At present, this POC can only make the teamserver pop up an image.
It integrates the `CobaltStrikeParser` analysis tool so that parsing the beacon and building the payload run in one step.

---

## Usage

For details, please see my [Chinese blog post](https://xzajyjs.cn/2022/09/23/CVE-2022-39197/).

![](https://serverless-page-bucket-lv779z7b-1307395653.cos.ap-shanghai.myqcloud.com/picgo/202209301113972.png)

```
pip3 install -r requirements.txt
python3 cve-2022-39197-poc.py -i http://172.16.12.2:3000/logo.png -b beacon.exe
```
![image-20220923210117698](https://serverless-page-bucket-lv779z7b-1307395653.cos.ap-shanghai.myqcloud.com/picgo/202209232101741.png)

---

## Reference code

https://github.com/Sentinel-One/CobaltStrikeParser
https://github.com/burpheart/CS_mock
File Snapshot

```
[4.0K] /data/pocs/37b763a001828d5bf66db2882cb8ad8d6d5ed466
├── [2.3K] beacon_utils.py
├── [2.8K] cve-2022-39197-poc.py
├── [ 25K] parse_beacon_config.py
├── [1.4K] README_CN.md
├── [1.3K] README.md
└── [  55] requirements.txt

0 directories, 6 files
```