
CVE-2021-36798 PoC — Helpsystems HelpSystems Cobalt Strike security vulnerability

Source
Associated Vulnerability
Title: Helpsystems HelpSystems Cobalt Strike security vulnerability (CVE-2021-36798)
Description: Helpsystems HelpSystems Cobalt Strike is penetration testing software from the US company HelpSystems (Helpsystems). A security vulnerability exists in the Team Server of HelpSystems Cobalt Strike 4.2 and 4.3 that allows a remote attacker to crash the C2 server thread and prevent beacons from communicating with it.
Description
Tool which leverages CVE-2021-36798 (HotCobalt) and related work from SentinelOne to DoS CobaltStrike 4.2 and 4.3 servers
Readme
# CobaltSpam
Tool based on [CobaltStrikeParser](https://github.com/Sentinel-One/CobaltStrikeParser) from SentinelOne which can be used to DoS a CobaltStrike TeamServer (4.2 or 4.3) leveraging CVE-2021-36798 (HotCobalt) discovered by SentinelOne

![alt text](https://github.com/hariomenkel/CobaltSploit/raw/main/CS.PNG)

## Description
Use `exploit.py` to start spamming a server with malicious tasks

## Usage
```
usage: exploit.py [-h] [-u URL | -f FILE]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target a single URL
  -f FILE, --file FILE  Read targets from text file - One CS server per line
  --print_config PRINT_CONFIG
                        Print the beacon config
  --use_tor USE_TOR     Should tor be used to connect to target?
  --publish_to_threatfox PUBLISH_TO_THREATFOX
                        Publish your findings to ThreatFox
  --parse_only PARSE_ONLY
                        Only download beacon and parse it without spamming
  --max_hits MAX_HITS   Send maximum amount of exploit attempts (0 for endless) Default is 200
```

## Note
You might want to use a tool like [TorghostNG](https://github.com/GitHackTools/TorghostNG) on your VM to hide your real IP or use [Whonix](https://www.whonix.org/)

# Prerequisites
Please install Tor before using this script and make sure it is running and listening on Port 9050

Afterwards install the following packages:

```
pip install PySocks
pip install stem
pip install requests
```

Please follow these steps to make sure this script is able to change the Tor IP programmatically:

```
$ tor --hash-password MyStr0n9P#D
16:160103B8D7BA7CFA605C9E99E5BB515D9AE71D33B3D01CE0E7747AD0DC
```

Add this value to `/etc/torrc` (the path may vary depending on your distribution) as the value of `HashedControlPassword`, so the line reads

`HashedControlPassword 16:160103B8D7BA7CFA605C9E99E5BB515D9AE71D33B3D01CE0E7747AD0DC`

Afterwards uncomment the line

`ControlPort 9051`

Restart your Tor service:

`$ sudo service tor restart`

Finally add your hash password (in this example `MyStr0n9P#D`) to `spam_utils.py` as `tor_password`.

## Disclaimer
While this should be clear, this tool should be used only against infrastructure you own. Don't mess with systems you don't own!


File Snapshot

```
[4.0K] /data/pocs/55e2eab724c89bc81bb5a1695c92fe696e776614
├── [2.3K] beacon_utils.py
├── [4.8K] CobaltBlock.py
├── [9.9K] comm.py
├── [198K] CS.PNG
├── [ 19K] exploit.py
├── [ 34K] first-names.txt
├── [679K] last-names.txt
├── [ 20K] LICENSE.md
├── [ 25K] parse_beacon_config.py
├── [2.3K] README.md
├── [ 116] requirements.txt
├── [3.6K] spam_utils.py
├── [2.0K] test_parse_beacon_config.py
└── [1.4M] top-100k.txt

0 directories, 14 files
```