Closed zufukatana closed 1 year ago
Hi there! The latest supported version of Cobalt Strike Malleable C2 profiles is 4.8 for now.
BounceBack uses this library for parsing Malleable C2 profiles. This profile was used as test data for this library, so you may try it yourself with BounceBack.
Searching the Malleable Command and Control and Malleable PE, Process Injection, and Post Exploitation sections of the official documentation for "sleep mask token" did not give any result, so please provide a link to the documentation for this param in the profile.
Also, it would be nice of you to provide me some verbose logging you get when trying to parse your profile, and your profile itself.
Those, for example, are not parsed and make BounceBack complain about them:
set create_remote_thread "true"; # Allow beacon to create threads in other processes
set hijack_remote_thread "true"; # Allow beacon to run jobs by hijacking the primary thread of a suspended process
set steal_token_access_mask "11";
Those make BounceBack complain and crash, unable to parse them; there are more params that are unhandled and parsed also.
Yeah, found that the goMalleable lib throws an error when a string field contains only numbers, so fixing it will fix the error with "steal_token_access_mask" (already fixed it). Please check that it works for you.
Other params like "create_remote_thread" and "hijack_remote_thread" were only added in CobaltStrike 4.9 (nope, they have been removed in 3.12, see the release notes of CS), which is not supported by BounceBack for now, but will be supported soon. So just remove unsupported new params from your profile when using it with BounceBack.
If you have other headers that were added in CS 4.8 or older that cause errors, please report them here. If not, please close the issue.
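The parsing bug discussed above (a quoted value such as "11" being rejected because it looks numeric) comes down to how the profile is tokenized. The following is an added example, not code from BounceBack or goMalleable: a small standalone parser for `set name "value";` statements that keeps every quoted value as a string regardless of its content, skips `#` comments to end of line, and reports the line number of anything it cannot parse. It assumes only the statement shape visible in the lines quoted in this issue; the sample profile text inside it is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Setting is one `set name "value";` statement from a Malleable C2 profile.
// Value stays a string even when it holds only digits, which is exactly the
// "11" case that tripped the parser in this issue.
type Setting struct {
	Name  string
	Value string
	Line  int
}

type tokKind int

const (
	tWord tokKind = iota // bare identifier such as set or steal_token_access_mask
	tStr                 // double-quoted string, quotes removed
	tSemi                // statement terminator ';'
)

type token struct {
	kind tokKind
	text string
	line int
}

// tokenize splits profile text into words, quoted strings and ';'. A '#' outside
// quotes starts a comment that runs to end of line, so trailing comments like
// the ones in the quoted lines are dropped instead of reaching the parser.
func tokenize(src string) ([]token, error) {
	var toks []token
	line := 1
	rs := []rune(src)
	for i := 0; i < len(rs); {
		c := rs[i]
		switch {
		case c == '\n':
			line++
			i++
		case c == ' ' || c == '\t' || c == '\r':
			i++
		case c == '#':
			for i < len(rs) && rs[i] != '\n' {
				i++
			}
		case c == ';':
			toks = append(toks, token{tSemi, ";", line})
			i++
		case c == '"':
			var sb strings.Builder
			i++ // skip the opening quote
			closed := false
			for i < len(rs) {
				if rs[i] == '\\' && i+1 < len(rs) { // backslash escape: keep next rune literally
					sb.WriteRune(rs[i+1])
					i += 2
					continue
				}
				if rs[i] == '"' {
					closed = true
					i++
					break
				}
				if rs[i] == '\n' {
					line++
				}
				sb.WriteRune(rs[i])
				i++
			}
			if !closed {
				return nil, fmt.Errorf("line %d: unterminated string", line)
			}
			toks = append(toks, token{tStr, sb.String(), line})
		default:
			start := i
			for i < len(rs) && !strings.ContainsRune(" \t\r\n;#\"", rs[i]) {
				i++
			}
			toks = append(toks, token{tWord, string(rs[start:i]), line})
		}
	}
	return toks, nil
}

// ParseSets parses every `set name "value";` statement. Anything else at the
// top level (a word that is not set, an unquoted value, a missing ';') yields
// an error that names the offending line, which is what verbose logging needs.
func ParseSets(src string) ([]Setting, error) {
	toks, err := tokenize(src)
	if err != nil {
		return nil, err
	}
	var out []Setting
	for i := 0; i < len(toks); i += 4 {
		if toks[i].kind != tWord || toks[i].text != "set" {
			return nil, fmt.Errorf("line %d: expected 'set', got %q", toks[i].line, toks[i].text)
		}
		if i+3 >= len(toks) {
			return nil, fmt.Errorf("line %d: truncated set statement", toks[i].line)
		}
		if toks[i+1].kind != tWord || toks[i+2].kind != tStr || toks[i+3].kind != tSemi {
			return nil, fmt.Errorf("line %d: expected set <name> \"<value>\";", toks[i].line)
		}
		out = append(out, Setting{Name: toks[i+1].text, Value: toks[i+2].text, Line: toks[i].line})
	}
	return out, nil
}

// Sample is constructed for this example and mirrors the lines quoted in the issue.
const Sample = `# constructed sample profile fragment
set create_remote_thread "true"; # Allow beacon to create threads in other processes
set hijack_remote_thread "true"; # Allow beacon to run jobs by hijacking the primary thread of a suspended process
set steal_token_access_mask "11";
`

func main() {
	settings, err := ParseSets(Sample)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, s := range settings {
		fmt.Printf("line %d: %s = %q\n", s.Line, s.Name, s.Value)
	}
}
```

Because the tokenizer decides the token kind from the quotes alone, `"11"` is a string token and never reaches any numeric conversion; the unquoted form `set steal_token_access_mask 11;` is rejected with a line-numbered error instead of a crash.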
OK, I'll test it and keep you up to date. Thanks for the answer :)
Any updates? If you tested it already, I will close the issue.
Closed because of no updates and an existing fix.
Couldn't parse the Malleable C2 profile with sleep mask token set to 11; couldn't recognize some new params in the new profile. Any sample profile to test with, so I can try to tweak maybe?