CobaltSpam
Tool based on CobaltStrikeParser from SentinelOne which can be used to DoS a CobaltStrike TeamServer (4.2 or 4.3) leveraging CVE-2021-36798 (HotCobalt) discovered by SentinelOne
Description
Use exploit.py
to start spamming a server with malicious tasks
Usage
usage: exploit.py [-h] [-u URL | -f FILE]
optional arguments:
ptional arguments:
-h, --help show this help message and exit
-u URL, --url URL Target a single URL
-f FILE, --file FILE Read targets from text file - One CS server per line
--print_config PRINT_CONFIG
Print the beacon config
--use_tor USE_TOR Should tor be used to connect to target?
--publish_to_threatfox PUBLISH_TO_THREATFOX
Publish your findings to ThreatFox
--parse_only PARSE_ONLY
Only download beacon and parse it without spamming
--max_hits MAX_HITS Send maximum amount of exploit attempts (0 for endless) Default is 200
Note
You might want to use a tool like TorghostNG on your VM to hide your real IP or use Whonix
Prerequisites
Please install Tor before using this script and make sure it is running and listening on Port 9050
Afterwards install the following package:
pip install PySocks
pip install stem
pip install requests
Please follow these steps to make sure this script is able to change the TOR IP programmatically
$ tor --hash-password MyStr0n9P#D
16:160103B8D7BA7CFA605C9E99E5BB515D9AE71D33B3D01CE0E7747AD0DC
Add this value to /etc/torrc
(Path may vary depending on our distribution) for the value HashedControlPassword
so it reads
HashedControlPassword 16:160103B8D7BA7CFA605C9E99E5BB515D9AE71D33B3D01CE0E7747AD0DC
Afterwards uncomment the line
ControlPort 9051
Restart your tor service:
$ sudo service tor restart
Finally add your hash-password (In this example MyStr0n9P#D) to spam_utils.py as "tor_password"
Disclaimer
While this should be clear, this tool should be used only against infrastructure you own. Don't mess with systems you don't own!