CVE-2022-39197 PoC — HelpSystems Cobalt Strike 跨站脚本漏洞

Source

https://github.com/purple-WL/Cobaltstrike-RCE-CVE-2022-39197

Associated Vulnerability

Title:HelpSystems Cobalt Strike 跨站脚本漏洞 (CVE-2022-39197)
Description:An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).

Readme

Cobaltstrike RCE 漏洞CVE-2022-39197复现

漏洞简述

该漏洞存在于Cobalt Strike的Beacon软件中，可能允许攻击者在Beacon配置中设置格式错误的用户名，触发XSS，从而导致在CS服务端上造成远程代码执行。

截图：
<img width="1280" alt="image" src="https://user-images.githubusercontent.com/63894044/192103980-08cda95c-6b6c-4ae8-ab54-28c28c8c1314.png">

获取NTLMv2-SSP Hash，前提是Cobalt Strike在Windows运行

<img width="519" alt="image" src="https://user-images.githubusercontent.com/63894044/192104044-ca103ccd-e9dd-4a71-913f-5a9bacb695c5.png">

参考：

https://www.freebuf.com/vuls/345522.html

https://mp.weixin.qq.com/s?__biz=MzI5Nzc3NDEyNA==&mid=2247483757&idx=1&sn=2397d14549520bac3bd7bec10d433db3&chksm=ecaebc2edbd9353803e2a3f0f5f906121db63e30e76c58654169656e9e40d5c8b5b0e8b80813&token=1380424937&lang=zh_CN#rd

https://forum.butian.net/share/708

https://github.com/Sentinel-One/CobaltStrikeParser

https://github.com/LiAoRJ/CS_fakesubmit

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →