A remote unauthenticated DoS PoC exploit that targets the authentication implementation of Havoc. In a recent collaborative project, my good friend (@S3lrius on Twitter) and I identified a significant unauthenticated remote denial of service (DoS) vulnerability in the Havoc C2 framework.
Our investigation began with an analysis of potential attack surfaces within the framework's operator authentication process. Using the publicly available source code, we conducted a series of fuzzing sessions, which are critical for uncovering security flaws.
The vulnerability was discovered when we observed that a malformed input, a simple string sent as bytes, could crash the server. The cause was the server's inability to handle inputs that did not adhere to the expected structured format, which includes fields such as a body, an event, and a username. Can this exploit be operational in practice? Yes and no. Against a lazy threat actor whose infrastructure is exposed, fingerprinted, and actively attacking your organization, you can disrupt their whole infrastructure and the connected implants within your network or any other organization's. However, any decent offensive group will seal and secure their teamserver, put in the effort to set up redirectors, and clean up every fingerprinting opportunity that Havoc is signatured on by probing tools.
By crafting a quick proof-of-concept piece of code that established a connection to the server and sent the malformed input, we were able to reproduce the crash consistently. This vulnerability, which worked for several months, underscores the essential nature of thorough security protocols and validation checks in software development. Unfortunately, somehow we were later unable to reproduce this crash. After looking back at the code, we saw that another authentication bypass had been found and patched by Paul, the author of the framework, and I believe ours was patched in the same fix.
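The failure mode described above, as an added illustration that is not Havoc's code: an assumed operator-message shape in Go (the language Havoc's teamserver is written in), the fragile pattern that panics when the frame is a bare string instead of a JSON object, the hardened parser that turns the same input into a rejected client, and a per-connection recover so one bad frame drops that client rather than the whole process. The struct fields and function names are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
)

// AuthMessage: assumed illustrative shape (event, username, body); not Havoc's real schema.
type AuthMessage struct {
	Event    string          `json:"event"`
	Username string          `json:"username"`
	Body     json.RawMessage `json:"body"`
}

var ErrMalformed = errors.New("malformed operator message")

// naiveEvent shows the fragile pattern: the frame is assumed to be a JSON
// object, so a frame that is just a bare string panics on the type assertion.
func naiveEvent(raw []byte) string {
	var v any
	_ = json.Unmarshal(raw, &v) // error ignored; v stays nil for "hello"
	return v.(map[string]any)["event"].(string)
}

// parseAuthMessage is the hardened form: every shape problem becomes an error to log and reject.
func parseAuthMessage(raw []byte) (*AuthMessage, error) {
	var msg AuthMessage
	if err := json.Unmarshal(raw, &msg); err != nil {
		return nil, fmt.Errorf("%w: %v", ErrMalformed, err)
	}
	if msg.Event == "" || msg.Username == "" || len(msg.Body) == 0 {
		return nil, fmt.Errorf("%w: missing event, username or body", ErrMalformed)
	}
	return &msg, nil
}

// guard runs one connection's handler so that a panic drops only that client;
// an unrecovered panic in any goroutine would take the whole listener down.
func guard(handler func() bool) (ok bool) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("client dropped after panic: %v", r)
			ok = false
		}
	}()
	return handler()
}
```

Feeding the constructed frame `[]byte("hello")` to `naiveEvent` inside `guard` returns false after a recovered panic, while `parseAuthMessage` rejects it with `ErrMalformed`.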
I would like to extend my gratitude to Paul, the author of Havoc (@C5pider on Twitter), for his open-source contribution to the community and for his support during our responsible disclosure of this vulnerability, for which we asked his permission before publishing. This cooperative spirit is a cornerstone of advancing and protecting not only the defensive solutions out there, such as EDRs, but also our great tooling in the offensive cybersecurity field.
```sh
# Installing the requirements
pip install -r requirements.txt

# Running the exploit
./exploit.py -t teamserverip -p port

# Example
./exploit.py -t 127.0.0.1 -p 2000
```

- `-t` is Havoc's teamserver hostname or IP.
- `-p` is Havoc's teamserver port (the default is 40056).