## https://sploitus.com/exploit?id=5418A85B-F4B7-5BBD-B106-0800AC961C7A
# CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC
Author: **abrewer251**
A proof-of-concept tool for testing the CVE-2024-38475 ("SonicBoom") Apache URL traversal vulnerability. The script automates TLS negotiation, directory scanning, traversal verification, and payload fuzzing to identify unauthorized file access.
## Description
This repository contains a Python script (`poc.py`) that:
1. Negotiates the highest supported TLS/SSL protocol with the target.
2. Verifies generic directory traversal behavior.
3. Scans a directory wordlist for 403-protected directories.
4. Confirms traversal vulnerability per-directory.
5. Fuzzes file paths using custom payloads to detect real leaks.
6. Logs results to a specified output file.
This PoC helps security researchers and pen-testers rapidly validate the SonicBoom URL traversal flaw in Apache servers.
## Prerequisites
* **Python**: 3.6 or higher
* **Dependencies**:
  * `requests`
Install dependencies via pip:
```
pip install -r requirements.txt
```
> **Note**: `requirements.txt` should contain:
>
> ```
> requests
> ```
## Installation
1. Clone the repository:
```
git clone https://github.com/abrewer251/CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC.git
cd CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC
```
2. Make the script executable (optional):
```
chmod +x poc.py
```
## Run autoCurl.py to find out if PUT is a method allowed by the endpoint before continuing
## Usage of poc.py
```
python3 poc.py [OPTIONS]
```
### Required Arguments
* `--schema` Protocol to use (`http` or `https`)
* `--host` Target host or IP
* `--port` Target port
* `--directory-wordlist` Path to directory wordlist file
* `--file-wordlist` Path to file wordlist file
* `--output` Path to write results to
### Optional Flags
| Flag | Description | Default |
| ------------------------- | ------------------------------------------------ | ------------ |
| `-p`, `--payloads <list>` | URL-encoded payloads to append (space-separated) | `%3f %3Fany` |
| `-h`, `--help` | Show help message | — |
## Examples
````
python3 poc.py \
--schema https \
--host 192.0.2.10 \
--port 8443 \
--directory-wordlist dirs.txt \
--file-wordlist files.txt \
--payloads "%2e%2e/" "%2e%2e%5C" \
--output findings.log
````
## Output Details
The output file contains a line-by-line log of each test stage:
* **\[1/6]** Negotiating TLS, with the TLS version negotiated
* **\[TRAVERSAL OK]** for successful generic traversal
* **\[403]** entries for protected directories found
* **\[TRAVERSAL OK] \<dir>** for per-directory traversal verification
* **\[200]** lines for actual file leaks discovered
* Final status line: `Done. Results saved to <output>`
Each log entry follows the format:
```
[Stage] Message or status
```
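For the defending side, the sequence these stages describe (a 403 on a directory, then a 200 on a path carrying an encoded `?` payload) can be looked for in the server's own access log. The following is an added example, not part of this repository; it assumes Apache's combined log format with the raw request line, and `find_probes`, `SAMPLE` and the sample paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client, timestamp, request line, status.
# Assumption: the LogFormat records the raw request line (%r), so the
# percent-encoding sent by the client is preserved in the log.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# An encoded "?" in the request path, matching the PoC's default payloads
# (%3f and %3Fany); a literal "?" just starts an ordinary query string.
ENCODED_QMARK = re.compile(r'%3f', re.IGNORECASE)

def find_probes(lines):
    """Return findings for requests whose path carries an encoded '?'.

    kind is 'leak' when the request returned 200 under a directory that
    answered 403 to the same client, otherwise 'probe'.
    """
    forbidden = defaultdict(set)   # client -> directories that returned 403
    hits = []                      # (client, uri, status) carrying the payload
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # skip malformed or non-access-log lines
        client, uri, status = m["client"], m["uri"], int(m["status"])
        path = uri.split("?", 1)[0]  # ignore encoded '?' inside query values
        if ENCODED_QMARK.search(path):
            hits.append((client, uri, status))
        elif status == 403:
            forbidden[client].add(path.rstrip("/") + "/")
    findings = []
    for client, uri, status in hits:
        under_403 = any(uri.startswith(d) for d in forbidden[client])
        kind = "leak" if status == 200 and under_403 else "probe"
        findings.append({"client": client, "uri": uri,
                         "status": status, "kind": kind})
    return findings

# Constructed sample lines (documentation addresses, invented paths).
SAMPLE = [
    '198.51.100.7 - - [10/May/2025:10:00:01 +0000] "GET /private/ HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/May/2025:10:00:02 +0000] "GET /private/notes.txt%3f HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/May/2025:10:00:03 +0000] "GET /static/app.js%3Fany HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/May/2025:10:00:04 +0000] "GET /search?q=a%3fb HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
```

Entries of kind `leak` are the ones to review first; `probe` entries show the payload was tried without a matching 403-then-200 pair.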
## License
Released under the MIT License. See [LICENSE](LICENSE) for details.