Abusing SSRF to deliver an authenticated command injection payload

Nicolas-Arsenault/Havoc-C2-RCE-2024

Authenticated Havoc-Chained-RCE

(CVE-2024-41570)

https://x.com/Lrdvile/status/1881100754271994212

Command injection: Havoc is vulnerable to a command injection that lets an authenticated user execute commands on the Teamserver. Affects versions 0.3 up to the latest release, 0.6. Havoc's default profile ships with hardcoded operator passwords, so a C2 operator careless enough to run the default profile on a public network can be compromised immediately.
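As an added illustration of the hardcoded-password point above (this is not code from the PoC repository or from the Havoc project), the following Python script audits a teamserver profile for operators still using weak or default-style passwords and for a teamserver bound to every interface. The profile text, the operator names, the passwords and the weak-password list are all constructed for the example, and the HCL-like block layout is an assumption about the profile format; point it at your real profile and seed the banned list with whatever your deployed template actually shipped with before relying on it.

```python
"""Audit a Havoc-style teamserver profile for the two conditions that make
the default profile an instant compromise: operator passwords that are weak
or default-style, and a teamserver bound to every interface.

Assumptions (not taken from the Havoc project): the profile uses an
HCL-like layout with a `Teamserver { Host = ".." Port = .. }` block and
`Operators { user "name" { Password = ".." } }` entries, blocks are not
nested deeper than shown, and WEAK_PASSWORDS is an illustrative list."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample profile for the example; every value here is made up.
SAMPLE_PROFILE = '''
Teamserver {
    Host = "0.0.0.0"
    Port = 40056
}

Operators {
    user "Neo" {
        Password = "password1234"
    }
    user "alice" {
        Password = "c0rrect-h0rse-b4ttery-st4ple!"
    }
}
'''

# Illustrative banned list (assumption). In practice, seed it with whatever
# passwords ship in the profile template you deployed plus an org-wide list.
WEAK_PASSWORDS = {"password1234", "password", "havoc", "admin", "changeme"}
MIN_PASSWORD_LEN = 12
# Bind addresses that expose the operator port on every interface.
WILDCARD_HOSTS = {"0.0.0.0", "::", "[::]", ""}

# `[^}]*?` keeps each match inside one block; it would miss a Host/Port that
# follows a nested sub-block, which the assumed layout does not have.
_OPERATOR_RE = re.compile(r'user\s+"([^"]+)"\s*\{[^}]*?Password\s*=\s*"([^"]*)"', re.S)
_HOST_RE = re.compile(r'Teamserver\s*\{[^}]*?Host\s*=\s*"([^"]*)"', re.S)
_PORT_RE = re.compile(r'Teamserver\s*\{[^}]*?Port\s*=\s*(\d+)', re.S)


@dataclass
class AuditResult:
    host: Optional[str]
    port: Optional[int]
    public_bind: bool
    weak_operators: list
    findings: list = field(default_factory=list)


def parse_operators(profile: str) -> dict:
    """Return {username: password} for every operator block in the profile."""
    return dict(_OPERATOR_RE.findall(profile))


def is_weak(password: str) -> bool:
    """Weak if it is on the banned list (case-insensitive) or too short."""
    return password.lower() in WEAK_PASSWORDS or len(password) < MIN_PASSWORD_LEN


def audit_profile(profile: str) -> AuditResult:
    host_m = _HOST_RE.search(profile)
    port_m = _PORT_RE.search(profile)
    host = host_m.group(1) if host_m else None
    port = int(port_m.group(1)) if port_m else None

    weak = sorted(u for u, pw in parse_operators(profile).items() if is_weak(pw))
    # A missing Host is treated as a wildcard bind: fail closed, not open.
    public = host is None or host.strip() in WILDCARD_HOSTS

    findings = []
    for user in weak:
        findings.append(f"operator {user!r} uses a weak or default-style password")
    if public:
        findings.append(
            f"teamserver binds to {host!r} on port {port}: operator port reachable "
            "from every interface; bind to localhost and reach it over a VPN or SSH tunnel"
        )
    return AuditResult(host, port, public, weak, findings)


if __name__ == "__main__":
    result = audit_profile(SAMPLE_PROFILE)
    for line in result.findings or ["no findings"]:
        print(line)
```

Run it against the constructed sample and it reports both problems (the operator "Neo" with a banned password and the wildcard bind); swap in a loopback Host and a long unique password and it reports nothing. The regexes are deliberately simple so the logic is easy to read; for a real profile with nested Build or Listener sub-blocks, use a proper HCL parser instead.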

SSRF: This vulnerability is exploited by spoofing a demon agent's registration and check-ins, which makes the teamserver open a TCP socket and lets the attacker read and write data through it. This allows attackers to leak the origin IPs of teamservers, and much more.

Chain: Abusing SSRF to deliver an authenticated command injection payload

Usage

  • Set IP, USER and PASSWORD in poc.py
  • Set the IP in test.sh
  • Start a python3 listener
  • Run the script: -t is the target URL, -i is the internal IP and -p is the internal port of the teamserver web socket you are reaching through the SSRF

```
pip3 install -r requirements.txt

python3 poc.py -t https://example.com -i 127.0.0.1 -p 10000
```


Credits

This is not all my doing.

Credits to @chebuya and @Hyperreality
