Share
## https://sploitus.com/exploit?id=85E46D83-4452-516A-A7B1-E0F9AAE0CACA
# CVE-2024-41570: Havoc-C2-SSRF-poc
This vulnerability is exploited by spoofing a demon agent registration and checkins to open a TCP socket on the teamserver and read/write data from it. This allows attackers to leak origin IPs of teamservers and much more.

Full analysis: https://blog.chebuya.com/posts/server-side-request-forgery-on-havoc-c2/

https://github.com/user-attachments/assets/9ab99915-8a8c-4bbd-b762-00280a23703c

To hotpatch your teamserver:

1) Navigate to the Havoc directory
2) Run the command
```bash
sed -i '/case COMMAND_SOCKET:/,/return true/d' teamserver/pkg/agent/agent.go
```
3) Rebuild the teamserver
```bash
make ts-build
```

```
usage: exploit.py [-h] -t TARGET -i IP -p PORT [-A USER_AGENT] [-H HOSTNAME] [-u USERNAME] [-d DOMAIN_NAME]
                  [-n PROCESS_NAME] [-ip INTERNAL_IP]

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        The listener target in URL format
  -i IP, --ip IP        The IP to open the socket with
  -p PORT, --port PORT  The port to open the socket with
  -A USER_AGENT, --user-agent USER_AGENT
                        The User Agent for the spoofed agent
  -H HOSTNAME, --hostname HOSTNAME
                        The hostname for the spoofed agent
  -u USERNAME, --username USERNAME
                        The username for the spoofed agent
  -d DOMAIN_NAME, --domain-name DOMAIN_NAME
                        The domain name for the spoofed agent
  -n PROCESS_NAME, --process-name PROCESS_NAME
                        The process name for the spoofed agent
  -ip INTERNAL_IP, --internal-ip INTERNAL_IP
                        The internal ip for the spoofed agent
```