Notice: There is a serious security flaw in Cobalt Strike 3.5 and below (2.x is deprecated and assumed affected as well). Please read the advisory for more details.


Web Drive-by Exploit Server

Cobalt Strike's auto-exploit server simulates the behavior of web browser exploit kits. The auto-exploit server grabs a system profile, selects the best exploit, and directs the visitor to that exploit. To start the auto-exploit server, go to Attacks -> Web Drive-by -> Auto-Exploit Server.

The automatic exploitation feature requires two ports. One port is the control port, this is the port the Cobalt Strike web server runs from. The attack port is the port for the web server that serves the exploits.

When you start the auto-exploit server, you have the option to choose an exploit collection.

The default collection uses several reliable exploits that target Adobe Flash, Adobe Reader, Internet Explorer, and Java.

The Java collection uses Cobalt Strike's built-in Java exploits.

The safe to embed collection limits itself to exploits that succeed, even if their content is not visible to the user. Use the safe to embed collection if you will embed the auto-exploit server in a cloned website.

Press Launch to start the server.