CVE-2017-9798 PoC — Apache HTTP Server 资源管理错误漏洞

Source

https://github.com/brokensound77/OptionsBleed-POC-Scanner

Associated Vulnerability

Title:Apache HTTP Server 资源管理错误漏洞 (CVE-2017-9798)
Description:Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Description

OptionsBleed (CVE-2017-9798) PoC / Scanner

Readme

# OptionsBleed-POC-Scanner
OptionsBleed (CVE-2017-9798) PoC / Scanner

More information coming soon...

## Disclaimer
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

## Usage

`pip install -r requirements.txt`


```
usage: bleeder.py [-h] [-c COUNT] [-f {option,custom}] [-tc THREAD_COUNT] [-nv] [-ni] [-v] [-e] url

positional arguments:
  url                   full URL (including http(s)) to be scanned

optional arguments:
  -h, --help            show this help message and exit
  -c COUNT, --count COUNT
                        number of times to scan (default: 1000)
  -f {option,custom}, --force {option,custom}
                        forces the scan to attempt using custom verb method
                        OR OPTIONS (default: try OPTIONS THEN custom)
  -tc THREAD_COUNT, --thread-count THREAD_COUNT
                        max concurrent thread count (default: 500)
  -nv, --no-verify      does not verify ssl connection (may be necessary for
                        self-signed certs)
  -ni, --no-ignore      does NOT ignore ssl warnings (default: ignored)
  -v, --verbose         prints all headers
  -e, --errors          prints all errors
```

## Simple Usage

```console
python bleeder.py "http://10.1.2.3" -c 50

        ::OptionsBleed (CVE-2017-9798) Scanner::

[+] scanning http://10.1.2.3 to see if it bleeds!
[+] checking OPTION method
[+] allow headers detected in OPTION response
[+] checking CUSTOM method
[+] allow headers detected in CUSTOM response
[+] scanning with OPTIONS method...
[+] scanning with custom (PULL) method...
[+] 50 responses captured
[+] unique results:
GET,HEAD,allow,HEAD,allow,HEAD,,HEAD,OPTIONS,POST,all,HEAD,
GET,HEAD,allow,HEAD,,HEAD,OPTIONS,POST,all,HEAD,
GET,HEAD,╚jφHU,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,OPTIONS,POST,all,HEAD,,HEAD,,,
GET,HEAD,allow,HEAD,allow,HEAD,,HEAD,OPTIONS,POST,all,HEAD,all,HEAD,
GET,HEAD,allow,HEAD,OPTIONS,POST,all,HEAD,all,HEAD
GET,HEAD,allow,HEAD,╚jφHU,HEAD,,HEAD,,HEAD,OPTIONS,POST,,HEAD,all,HEAD,,HEAD,
GET,HEAD,allow,HEAD,OPTIONS,POST,all,HEAD
GET,HEAD,allow,HEAD,,HEAD,OPTIONS,POST,all,HEAD,all,HEAD,
GET,HEAD,allow,HEAD,allow,HEAD,OPTIONS,POST,all,HEAD
GET,HEAD,allow,HEAD,╚jφHU,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,OPTIONS,POST,all,HEAD,,HEAD,,,
GET,HEAD,╚jφHU,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,OPTIONS,POST,all,HEAD,,HEAD,,,
GET,HEAD,allow,HEAD,allow,HEAD,╚jφHU,HEAD,,HEAD,,HEAD,OPTIONS,POST,,HEAD,all,HEAD,,HEAD,
[+] scan complete!
```

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!