cobaltstrike 3.13

I don't use this tool very often, only now and then.
3.13 was released recently and I happened to have some time, so I took a casual look at it.
3.13 officially removed the earlier trailing-space fingerprint.

common/License.class: license verification
aggressor/dialogs/ListenerDialog.class: removes the listener count limit
removal of some fingerprints
common/ArtifactUtils.class: xor changes/additions
resources/xor.bin: add the xor.bin file
resources/xor64.bin: add the xor64.bin file

First, bypassing the License.class verification

```java
// change it to this
public static boolean isTrial() {
    return false;
}
```

As for checkLicenseConsole and checkLicenseGUI, do as you like.

Listener count limit

aggressor/dialogs/ListenerDialog.class

```java
else if (Listener.isEgressBeacon(payload) && DataUtils.isBeaconDefined(this.datal) && !name.equals(DataUtils.getEgressBeaconListener(this.datal))) {
    DialogUtils.showError("You may only define one egress Beacon per team server.\nThere are a few things I need to sort before you can\nput multiple Beacon HTTP/DNS listeners on one server.\nSpin up a new team server and add your listener there.");
}
```

Delete this block.

common.ListenerConfig

```java
result.append("5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\u0000");
```

Change this.

resources/template.x64.ps1 and resources/template.x86.ps1

```powershell
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
```

Change this in the same way.

server.ProfileEdits

```java
c2profile.addCommand(".http-get.server", "!header", "X-Malware: X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".http-post.server", "!header", "X-Malware: X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".http-stager.server", "!header", "X-Malware: X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".stage.transform-x86", "append", "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".stage.transform-x64", "append", "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
```

Delete these.

common/WebTransforms.class

The author did remove the earlier trailing-space fingerprint, but it was added back here:

```java
response.status += " ";
```

Just delete this line.
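From the defender's side, the three trial-build fingerprints covered above (the trailing space on the HTTP status line, the X-Malware header carrying the EICAR string, and the EICAR string appended to the stage) are exactly what a network sensor can look for. The following is an added example, not code from the original post or from Cobalt Strike; the sample responses are constructed.

```python
# Added example (not from the original post): a defender-side check for the
# trial-build fingerprints named above. The EICAR string is the one quoted on
# this page; the sample responses below are constructed for illustration.

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_http_response(raw: bytes) -> list:
    """Return the names of trial-build indicators found in a raw HTTP response.

    status-line-trailing-space : status line ends with a space (WebTransforms' response.status += " ")
    x-malware-eicar-header     : X-Malware header carrying the EICAR string (ProfileEdits !header)
    eicar-in-body              : EICAR string appended to the body (stage transform "append")
    """
    hits = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0] if lines else b""
    if status_line.startswith(b"HTTP/") and status_line.endswith(b" "):
        hits.append("status-line-trailing-space")
    for hdr in lines[1:]:
        name, _, value = hdr.partition(b":")
        if name.strip().lower() == b"x-malware" and EICAR in value:
            hits.append("x-malware-eicar-header")
            break
    if sep and EICAR in body:
        hits.append("eicar-in-body")
    return hits


# Constructed sample: what a trial team server's stager response looks like
# with all three fingerprints present.
TRIAL_RESPONSE = (
    b"HTTP/1.1 200 OK \r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"X-Malware: " + EICAR + b"\r\n"
    b"\r\n"
    b"MZ\x90\x00" + EICAR
)

# Constructed sample: an ordinary response with none of the fingerprints.
CLEAN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(scan_http_response(TRIAL_RESPONSE))   # ['status-line-trailing-space', 'x-malware-eicar-header', 'eicar-in-body']
    print(scan_http_response(CLEAN_RESPONSE))   # []
```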

common/ArtifactUtils.class

The CS xor encoding feature: the trial version does not have it and ships no xor.bin or xor64.bin, but it can be added.

Thanks to this project: https://github.com/verctor/CS_xor64

```java
public class ArtifactUtils extends BaseArtifactUtils
{
    public ArtifactUtils(final AggressorClient client) {
        super(client);
    }

    public static byte[] _XorEncode(final byte[] data, final String arch) {
        return data;
    }

    public static byte[] XorEncode(final byte[] data, final String arch) {
        if (License.isTrial()) {
            CommonUtils.print_trial("Disabled " + arch + " payload stage encoding.");
        }
        return data;
    }
}
```

For this part, look at the final 3.13 version; the original code had problems, and this is not the only place that needs changing.

Don't forget to add xor.bin and xor64.bin to resources:
https://github.com/WBGlIl/CobaltStrike-xor

To recompile the Java, just run `javac -cp cobaltstrike.jar name.java`, then drag the resulting class file into cobaltstrike.jar to replace the corresponding file.

Cobalt Strike launch command:

```shell
javaw -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512m -Xmx1024m -jar cobaltstrike.jar
```