A remote unauthenticated DOS POC exploit that targets the authentication implementation of Havoc. In a recent collaborative project, my good friend (@S3lrius on Twitter) and I identified a significant unauthenticated remote denial of service (DoS) vulnerability within the Havoc C2 framework.
以 Havoc 的身份验证实现为目标的未经身份验证的远程 DOS POC 漏洞。在最近的一个合作项目中,我和我的好朋友(在 Twitter 上@S3lrius)在 Havoc C2 框架中发现了一个重大的未经身份验证的远程拒绝服务 (DoS) 漏洞。

Our investigation began with an analysis of potential attack surfaces within the framework's operator authentication process. Using the publicly available source code, we conducted a series of fuzzing sessions, which are critical for uncovering security flaws.

The vulnerability was discovered when we observed that a malformed input—a simple string sent as bytes—could lead to a server crash. This was due to the server's inability to handle inputs that did not adhere to the expected structured format, including fields such as a body, event, and username. Ideally can this exploit be operational? Well yes and no because a lazy threat actor where their infrastructure is out there and fingerprinted and actively attacking your organization you can disrupt their whole infrastructure and connected implants within your or any other organizations networks, however any decent offensive group will 1, seal and secure their teamserver, put the effort to setup redirectors and clean up any and all fingerprint opportunities that havoc is signatured on from a probing tool.
当我们观察到格式错误的输入(作为字节发送的简单字符串)可能导致服务器崩溃时,发现了该漏洞。这是由于服务器无法处理不符合预期结构化格式的输入,包括正文、事件和用户名等字段。理想情况下,此漏洞可以运行吗?嗯,是的,也不是,因为一个懒惰的威胁行为者,他们的基础设施在那里,指纹识别并积极攻击你的组织,你可以破坏他们的整个基础设施和你或任何其他组织网络内的连接植入物,但是任何体面的进攻组织都会 1,密封和保护他们的团队服务器,努力设置重定向器并清理任何和所有指纹机会,这些机会是由探测工具签署的。

By crafting a quick proof of concept piece of code that established a connection to the server and sent the malformed input, we were able to consistently reproduce the crash. This vulnerability, which worked for several months, underscores the essential nature of thorough security protocols and validation checks in software development. I do want to say that unfortunately some how some way we were unable to reproduce this crash again, after looking back at the code we seen another authentication bypass was found and Paul the author of the framework patched it, and I believe during that patch ours was patched as well!
通过制作一个快速的概念验证代码片段,建立与服务器的连接并发送格式错误的输入,我们能够始终如一地重现崩溃。这个漏洞已经持续了几个月,凸显了软件开发中彻底的安全协议和验证检查的本质。我确实想说,不幸的是,在某种程度上我们无法再次重现此崩溃,在回顾代码后,我们看到发现了另一个身份验证绕过,框架的作者 Paul 修补了它,我相信在那个补丁期间,我们的补丁也被修补了!

I would like to extend my gratitude to Paul, the author of Havoc (@C5pider on Twitter), for his open-source contribution to the community and his support in our responsible disclosure of this vulnerability which we did ask for permission to disclose. This cooperative spirit is a cornerstone of advancing and protecting not only the defensive solutions out there such as EDRs but also our great tooling in the offensive cybersecurity field.
我要感谢 Havoc(Twitter 上@C5pider)的作者 Paul,感谢他对社区的开源贡献,以及他对我们负责任地披露此漏洞的支持,我们确实要求允许披露该漏洞。这种合作精神不仅是推进和保护 EDR 等防御性解决方案的基石,也是我们在进攻性网络安全领域的出色工具的基石。

Further technical details and insights from our research can be discussed by simply sending me a message. Keep hacking and cheers!

Usage 用法

# Installing the requirements
pip install -r requirements.txt

# Running the exploit
./exploit.py -t teamserverip -p port

# Example
./exploit.py -t -p 2000

-t Is Havoc's server hostname or IP.
-t 是 Havoc 的服务器主机名或 IP。

-p Is Havoc's team server port (default port is 40056).
-p 是 Havoc 的团队服务器端口(默认端口为 40056)。



版权声明:admin 发表于 2023年11月21日 下午10:30。
转载请注明:HavocExploit | CTF导航