Apache HTTP Server mod_rewrite improper escaping leading to unintended file mapping
CVE-2024-38475 affects Apache HTTP Server 2.4.59 and earlier and is fixed in 2.4.60. The vulnerability is improper escaping of output in mod_rewrite. The affected case is a rewrite substitution in server context (httpd.conf or a virtual host, as opposed to a <Directory> block or .htaccess) whose first path segment is a backreference or a variable. Under those conditions an attacker can cause URL rewriting to map a request to a filesystem location that the server is permitted to serve but that is not intentionally or directly reachable through any normal URL path. This can expose source code or other internal files and, in some configurations, lead to code execution. The fix tightens that mapping; rewrite rules that relied on the old behaviour break under 2.4.60 and can be re-enabled with the UnsafePrefixStat flag once the substitution has been appropriately constrained. The issue is specifically tied to unsafe RewriteRule constructions in mod_rewrite rather than a generic path traversal across all Apache deployments.
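The affected construction can be found statically in a configuration review. The following Python audit script is an added example, not part of this page or of any of the repositories listed below. It walks a constructed httpd-style configuration, ignores RewriteRule lines inside directory-scoped containers (which the advisory does not cover), and flags server-context rules whose substitution has a backreference ($N) or a variable (%{...}) as its first path segment, noting whether the rule already carries the UnsafePrefixStat flag introduced in 2.4.60. The sample virtual host, the made-up ENV:BASE variable and the hardened rule are all constructed for illustration.

```python
import re

# Constructed sample vhost for illustration only (not from any real deployment).
# It mixes affected and unaffected RewriteRule shapes in server (VirtualHost)
# context plus one rule in directory context, which the advisory does not cover.
CONSTRUCTED_CONFIG = """\
<VirtualHost *:80>
    DocumentRoot /var/www/html
    RewriteEngine On
    # first segment of the substitution is a backreference: affected
    RewriteRule "^/html/(.*)$" "/$1.html" [L]
    # first segment is a variable (ENV:BASE is a made-up variable): affected
    RewriteRule "^/files/(.*)$" "%{ENV:BASE}/$1" [L]
    # first segment is a literal directory: not the affected shape
    RewriteRule "^/docs/(.*)$" "/var/www/docs/$1" [L]
    # affected shape, but explicitly opted back in on 2.4.60+
    RewriteRule "^/legacy/(.*)$" "/$1" [L,UnsafePrefixStat]
    <Directory /var/www/html>
        RewriteEngine On
        # directory context: outside the advisory's scope
        RewriteRule "^(.*)$" "$1" [L]
    </Directory>
</VirtualHost>
"""

# Constructed remediated rule: a literal first segment pins the mapping under a
# fixed directory and the pattern no longer admits slashes in the captured part.
HARDENED_CONFIG = """\
RewriteEngine On
RewriteRule "^/html/([^/]+)$" "/var/www/html/pages/$1.html" [L]
"""

# Containers that switch mod_rewrite into directory context.
_DIR_OPEN = re.compile(
    r"^\s*<(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)\b", re.I)
_DIR_CLOSE = re.compile(
    r"^\s*</(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)>", re.I)
# RewriteRule <pattern> <substitution> [flags]; arguments may be double-quoted.
_RULE = re.compile(
    r'^\s*RewriteRule\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)(?:\s+\[([^\]]*)\])?', re.I)
# A backreference ($0..$9) or a variable (%{...}) opening the first segment.
_UNSAFE_FIRST = re.compile(r"^(\$\d|%\{)")


def first_segment(substitution):
    """First path segment of a substitution, ignoring quotes and a leading slash."""
    body = substitution.strip('"').lstrip("/")
    return body.split("/", 1)[0]


def audit_rewrite_rules(config_text):
    """Return (line_no, substitution, opted_in) for every server-context
    RewriteRule whose substitution starts with a backreference or variable."""
    findings = []
    depth = 0  # > 0 while inside a directory-scoped container
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if _DIR_OPEN.match(line):
            depth += 1
            continue
        if _DIR_CLOSE.match(line):
            depth -= 1
            continue
        m = _RULE.match(line)
        if m is None or depth > 0:
            continue
        substitution = m.group(2).strip('"')
        flags = [f.strip().lower() for f in (m.group(3) or "").split(",") if f.strip()]
        if substitution == "-":
            continue  # "-" means no substitution is performed
        if not _UNSAFE_FIRST.match(first_segment(substitution)):
            continue
        findings.append((line_no, substitution, "unsafeprefixstat" in flags))
    return findings


def report(config_text):
    """Human-readable findings; an empty list means nothing to review."""
    lines = []
    for line_no, substitution, opted_in in audit_rewrite_rules(config_text):
        status = ("opted in via UnsafePrefixStat, confirm the substitution is constrained"
                  if opted_in else
                  "affected shape on 2.4.59 and earlier: constrain it, or add "
                  "UnsafePrefixStat deliberately after upgrading")
        lines.append(f"line {line_no}: substitution {substitution!r}: {status}")
    return lines


if __name__ == "__main__":
    for entry in report(CONSTRUCTED_CONFIG):
        print(entry)
    print("hardened config findings:", report(HARDENED_CONFIG))
```

The check is deliberately narrow: it only looks at the shape the advisory names (server context, first segment is $N or %{...}) and does not attempt to evaluate what a given substitution resolves to at request time. Rules in .htaccess files are directory context and are out of scope, and a rule that is flagged still needs a human decision between rewriting the substitution with a literal first segment and keeping the old behaviour behind UnsafePrefixStat on 2.4.60 or later.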
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a standalone Python exploitation tool named myesve for CVE-2024-38475 in Apache HTTP Server. It is not a Metasploit- or Nuclei-style framework module but a self-contained CLI package with scanning, exploitation, stealth, logging, output formatting, optional recon helpers, and Mullvad VPN integration.

Repository structure: the main entry point is Myesve/myesve/cli.py, which exposes the subcommands scan, exploit, vpn, and full. scanner.py performs multithreaded discovery of directories that return HTTP 403 by requesting <base_url>/<directory>/. exploiter.py performs the actual exploit by iterating over discovered or user-supplied directories, a file wordlist, and two hardcoded payload suffixes (%3F and %3Fooooo.php), constructing crafted paths intended to trigger Apache source disclosure. stealth.py adds adaptive rate limiting, jitter, and User-Agent rotation. vpn.py wraps the Mullvad CLI for relay rotation and status. utils.py provides IP geolocation via api.ipify.org and ip-api.com, traceroute execution, and proxy parsing. recon.py contains optional Shodan/Censys search helpers but is not central to exploitation. output.py supports JSON/CSV output, and logger.py handles file and console logging.

Main exploit capability: after identifying 403 directories, the tool builds URLs of the form <base_url>/<directory><webroot>/<directory>/<filename><payload> and treats HTTP 200 responses as successful disclosure. If enabled, it downloads the returned content into a local loot directory. This makes it more than a detector: it actively attempts file disclosure and retrieval.

Operational characteristics: the exploit is moderately operational rather than a bare PoC because it supports automation, threading, rate control, jitter, proxying, UA rotation, logging, and optional VPN rotation. However, the payloads are hardcoded and not readily customizable, so OPERATIONAL is the best fit rather than WEAPONIZED.
Notable caveats: the provided content indicates the CLI file is truncated in the middle of cmd_full, so the full workflow implementation cannot be completely verified from the supplied snapshot. Also, the package references bundled wordlists under myesve/wordlists, but those files are not included in the provided file listing despite being declared in pyproject.toml and documentation. Nonetheless, scanner.py and exploiter.py clearly implement real scanning and exploitation logic.
This repository provides a proof-of-concept (PoC) exploit for CVE-2024-38475, which it describes as a directory traversal vulnerability in Apache HTTP Server and refers to as 'SonicBoom'. The main exploit script is 'poc.py', which negotiates the highest TLS/SSL protocol version the target supports, verifies generic and per-directory traversal, scans for 403-protected directories, and fuzzes file paths with custom payloads to detect unauthorized file access. The script requires the user to supply directory and file wordlists and writes results to a specified output file. The auxiliary script 'autoCurl.py' checks which HTTP methods are allowed on a set of IP:port pairs; this can help with pre-assessment but is not part of the exploit chain. The exploit is network-based, does not provide a weaponized payload, and is intended for security researchers to validate the presence of the vulnerability. No hardcoded IPs or domains are present; all endpoints are user-supplied at runtime. The repository is well structured, with a clear separation between the main exploit logic and the auxiliary tooling.
This repository contains a Python script (script.py) designed to test for CVE-2024-38475, a vulnerability in Apache's mod_rewrite module related to filesystem path matching. The script automates the process of enumerating directories (looking for HTTP 403 responses) and probing for source code disclosure by appending specific payloads (such as '%3F' and '%3Faaaaaaaaaaaaaaaaaaaaaa.php') to file paths. The user supplies lists of webroots, directories, and files, as well as the target server's URL or IP and the desired schema (http/https). The script reports directories that are forbidden and files that return HTTP 200, which may indicate a successful bypass and potential information leakage. The repository is structured simply, with a README.md providing usage instructions and context, and script.py containing all exploit logic. No hardcoded endpoints are present; all targets are user-supplied at runtime. The exploit is a proof-of-concept and does not include weaponized or post-exploitation payloads.
This repository contains a Python proof-of-concept exploit for CVE-2024-38475, a vulnerability in Apache HTTP Server 2.4.59 and earlier related to improper escaping in mod_rewrite. The exploit script, 'CVE-2024-38475.py', automates the process of discovering directories that return HTTP 403 responses and then attempts to access files within those directories using crafted URL-encoded payloads. The goal is to exploit unsafe RewriteRules to disclose source code or other sensitive files that should not be directly accessible. The script requires two wordlists ('raft-medium-directories.txt' and 'raft-medium-files.txt') for directory and file enumeration. The README provides background on the vulnerability and usage notes. The attack vector is network-based, targeting web servers with vulnerable mod_rewrite configurations. The main entry point is the Python script, which is a standalone POC and not part of a larger framework.
Recent activity
48 sources tracked across advisories, community write-ups, and news.
A path traversal vulnerability in Apache mod_rewrite cited as a probable initial access vector for the CPUID website compromise.
One of a set of high-severity Apache HTTP Server vulnerabilities described collectively as SSRF, bypass, and redirect issues on the C2 server.
A high-severity vulnerability (CVSS 9.1) listed in CISA KEV that was minimally triggered during the observed reconnaissance-heavy campaign; included as part of the set of SonicWall-related CVEs that attackers commonly probe in the lead-up to exploitation.
An unauthenticated path traversal vulnerability referenced as a candidate vulnerability that could have been exploited in SonicWall SMA targeting activity.