Double Free and Possible RCE in Apache HTTP Server mod_http2 Early Reset Handling
CVE-2026-23918 is a double-free memory corruption vulnerability in Apache HTTP Server 2.4.66, in the HTTP/2 implementation provided by mod_http2. Public reporting and Apache’s advisory indicate the flaw is triggered during early stream reset handling: a crafted HTTP/2 sequence, commonly described as a HEADERS frame followed immediately by an RST_STREAM frame with a non-zero error code on the same stream before full stream registration, can cause the same h2_stream object to be queued twice for cleanup. Subsequent cleanup invokes stream destruction twice, leading to a second apr_pool_destroy on already-freed memory. The issue is associated with the mod_http2 multiplexer/stream cleanup path, including h2_mplx.c and internal cleanup array handling. Apache describes the issue as a double free with possible remote code execution on early reset.
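A detection check a defender could run over captured client-to-server HTTP/2 bytes, added here as an example (not code from Apache or from any repository listed on this page): it parses the RFC 9113 framing layer and flags every stream where a HEADERS frame is immediately followed by RST_STREAM with a non-zero error code, the sequence the advisory describes. The `frame()` helper and the sample capture are constructed for the example; the HEADERS payloads are placeholder bytes, not HPACK.

```python
import struct
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
SETTINGS, HEADERS, RST_STREAM, WINDOW_UPDATE = 0x4, 0x1, 0x3, 0x8  # frame types
CANCEL = 0x8  # RST_STREAM error code used by the PoCs summarised on this page

def frame(ftype, flags, stream_id, payload):
    """Standard 9-byte HTTP/2 frame header plus payload (builds the sample)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse
        yield ftype, flags, stream_id, payload
        off += 9 + length

def find_early_resets(data):
    """[(stream_id, error_code)] where HEADERS is directly followed by RST_STREAM
    with a non-zero error code on the same stream, nothing in between."""
    hits, last_headers = [], None
    for ftype, _flags, sid, payload in parse_frames(data):
        if ftype == HEADERS:
            last_headers = sid
            continue
        if ftype == RST_STREAM and sid == last_headers and len(payload) == 4:
            err = struct.unpack(">I", payload)[0]
            if err != 0:
                hits.append((sid, err))
        last_headers = None  # any other frame breaks the "immediately" condition
    return hits

# Constructed sample capture; HEADERS payloads are placeholder bytes, not HPACK.
SAMPLE = (PREFACE + frame(SETTINGS, 0, 0, b"")
          + frame(HEADERS, 0x5, 1, b"\x00" * 4)                 # ordinary request
          + frame(HEADERS, 0x4, 3, b"\x00" * 4)                 # flagged: early reset
          + frame(RST_STREAM, 0, 3, struct.pack(">I", CANCEL))
          + frame(HEADERS, 0x4, 5, b"\x00" * 4)                 # NO_ERROR: not flagged
          + frame(RST_STREAM, 0, 5, struct.pack(">I", 0))
          + frame(HEADERS, 0x4, 7, b"\x00" * 4)                 # not immediate: not flagged
          + frame(WINDOW_UPDATE, 0, 7, struct.pack(">I", 1024))
          + frame(RST_STREAM, 0, 7, struct.pack(">I", CANCEL)))
```

A single hit is normal client behaviour (browsers cancel streams); alerting on a high rate of hits per connection against an unpatched 2.4.66 host is the useful signal.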
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (9 hidden).
Repository contains a single substantial Python exploit script (poc.py) plus a README. The script is an operational proof-of-concept for CVE-2026-23918, a double-free in Apache HTTP Server 2.4.66 mod_http2. Its purpose is not just detection: it implements a full three-phase workflow consisting of reconnaissance, active exploitation attempts, and post-attempt RCE risk scoring.

Structure and behavior:
- README.md documents the vulnerability, affected/fixed versions, usage examples, options, and mitigation guidance.
- poc.py is the main entry point and contains HTTP/2 frame construction logic, target probing, exploit orchestration, batch scanning support, JSON/report output, and CLI handling.

Main exploit capabilities:
- Builds raw HTTP/2 frames in Python, including SETTINGS, HEADERS, WINDOW_UPDATE, PING, and especially RST_STREAM.
- Uses HPACK encoding (via hpack) to generate valid HEADERS payloads.
- Initiates HTTP/2 sessions using the standard client preface and likely negotiates HTTP/2 over TLS (ALPN) or cleartext h2c when requested.
- Attempts to trigger the vulnerable race by sending HEADERS immediately followed by RST_STREAM on the same stream, repeatedly and in bursts.
- Supports two attack modes mentioned in the README: inline and staged.
- Increases pressure through configurable rounds, burst sizes, delays, and parallel worker threads/connections.
- Performs passive/active recon to identify Apache version, HTTP/2 support, and MPM characteristics before exploitation.
- Supports single-target and list-based batch operation, plus JSON and Markdown reporting.

Targeting:
- Explicitly targets Apache HTTP Server 2.4.66 with mod_http2 enabled.
- README states Event MPM is affected; the script also reasons about threaded MPMs generally because HTTP/2 is incompatible with Prefork.
- The exploit is unauthenticated and remote, delivered entirely over HTTP/2 network traffic.

Impact and payload assessment:
- No shellcode, command execution payload, or persistence mechanism is present.
- The payload is the crafted HTTP/2 frame sequence itself, intended to cause heap corruption and crash the server, while estimating whether conditions are favorable for RCE.
- Therefore this is best classified as OPERATIONAL rather than WEAPONIZED: it contains active exploit logic and configurable attack traffic, but no customizable post-exploitation payload.

Notable observables/endpoints:
- Default network target port is 443, with port 80 treated as non-TLS/h2c.
- Uses the HTTP/2 connection preface string directly.
- Accepts hostnames, IPs, and full http/https URLs from CLI or input files.
- Writes optional outputs to user-specified files such as results.json and report.md.

Overall, this repository is a real exploit-oriented PoC and scanner for remotely probing and attempting to trigger the Apache mod_http2 double-free condition, with emphasis on crash reproducibility and exploitability assessment rather than delivering a final RCE payload.
This repository is a compact exploit PoC for CVE-2026-23918, a double-free in Apache httpd mod_http2 that can lead to pre-auth RCE. It contains four files: a Dockerfile that builds a vulnerable Apache 2.4.66 lab instance with mod_http2 and TLS enabled; a README with usage instructions; getaddr.py, a local helper that extracts the runtime addresses of ap_scoreboard_image-derived request storage and libc/system() from a running target process via /proc; and poc.py, the actual network exploit. The exploit flow in poc.py has two coordinated components. The Spray class repeatedly opens TLS connections and sends oversized crafted HTTP/1.1 requests designed to shape scoreboard memory and place attacker-controlled fake structures plus a command string into the request field copied into worker scoreboard storage. The payload is built so internal pointers reference the scoreboard region and a callback/function pointer is replaced with the supplied system() address, causing the supplied command to become the argument. The Trigger class separately establishes HTTP/2 connections over TLS with ALPN 'h2', sends the HTTP/2 client preface and SETTINGS, opens a stream with HEADERS, then immediately sends RST_STREAM. This appears intended to exercise the vulnerable mod_http2 stream cleanup path and race/use the corrupted state until code execution occurs. The PoC is operational rather than a mere detector: it accepts a user-provided command and attempts actual command execution on the remote server. However, it is not fully weaponized because it relies on externally supplied memory addresses and a favorable target configuration. The Dockerfile demonstrates the intended vulnerable setup: Apache httpd 2.4.66, mod_http2 loaded, event MPM, H2Direct on, TLS enabled, and ports 80/443 exposed. Overall, the repository’s purpose is to reproduce and demonstrate pre-auth remote code execution against vulnerable Apache httpd mod_http2 deployments.
This repository is a minimal proof-of-concept exploit with two files: a single Python script and a short README. The main file, CVE-2026-23918.py, is a handcrafted HTTP/2-over-TLS client that connects directly with Python's socket and ssl libraries rather than using higher-level HTTP tooling. It disables proxy environment variables, negotiates ALPN 'h2', skips certificate validation, sends the HTTP/2 client preface and a SETTINGS frame, reads one server frame header/payload, then sends a crafted HEADERS frame on stream 1 immediately followed by RST_STREAM with CANCEL. The stated purpose is to trigger a double-free condition in vulnerable Apache HTTP Server 2.4.66. There is no post-exploitation logic, shell payload, persistence, or credential theft; the capability is limited to network-triggered denial-of-service or crash reproduction. The README reinforces this by instructing the operator to tail the Apache error log and look for 'double free' or exit-signal messages while running the PoC against localhost on port 9443.
This repository is a small standalone Python exploit PoC for CVE-2026-23918, a double-free race condition in Apache HTTP Server 2.4.66's mod_http2 stream cleanup path. The repo contains one substantive code file (cve-2026-23918.py), a README, dependency list, and standard repository metadata files. It is not part of a larger exploit framework. The main script is a CLI-driven Python tool that uses the h2 library to establish HTTP/2 connections and send crafted protocol sequences intended to trigger the vulnerable condition. Based on the visible code and README, it supports multiple operating modes: 'dos' for aggressive worker-crash attempts, 'slow-drip' for lower-bandwidth sustained pressure, 'mass' for applying the attack to multiple targets from a file, and 'rce-detect' for passive/low-impact detection of HTTP/2 support and likely vulnerability conditions. The script sets up raw TCP sockets, optionally wraps them in TLS, disables certificate validation, negotiates ALPN 'h2', initializes an H2Connection object, and then exchanges HTTP/2 frames with the server. The exploit capability is primarily denial of service. The README explicitly states that the practical impact demonstrated is reliable worker crashes rather than remote code execution. The code structure suggests concurrency support (threading, worker counts, intensity controls, stats tracking, signal handling, JSON output), making it more than a minimal PoC but still focused on a hardcoded exploit technique rather than a flexible payload framework. That aligns with an OPERATIONAL maturity assessment. Fingerprintable targets/endpoints are mostly dynamic rather than hardcoded: the operator supplies target host and port, and the script connects directly via TCP/TLS to that endpoint. The most notable protocol indicator is ALPN negotiation for 'h2', which is central to exploitation because the bug is in HTTP/2 handling. 
The README includes example targets (127.0.0.1, 10.0.0.50, example.com), but these are illustrative rather than embedded C2 or exfiltration endpoints. Overall, the repository's purpose is to provide a practical exploit and testing utility for Apache 2.4.66 systems with HTTP/2 enabled, emphasizing reproducible DoS through malformed/timed HTTP/2 stream lifecycle manipulation.
Repository contains a Python proof-of-concept and a larger multi-target denial-of-service tool for CVE-2026-23918, described as an Apache HTTP Server 2.4.66 mod_http2 double-free vulnerability. The main exploit logic is in poc.py and exploits/mass-dos.py. Both scripts create TLS sockets, force ALPN negotiation to 'h2', initiate HTTP/2 connections using the Python h2 library, send repeated GET request headers to '/', and rapidly reset streams with RST_STREAM frames to trigger the vulnerable race condition. poc.py is a single-target crash PoC using 100 concurrent worker threads and a monitor thread that repeatedly checks whether the server is still responsive. exploits/mass-dos.py extends this into a sustained multi-target attack platform that reads host:port pairs from a file, launches configurable worker counts per target, tracks per-target statistics, monitors liveness, and attempts to keep servers down over a chosen duration. The repository also includes a Dockerfile and docker-compose.yml that build a local Apache 2.4.66 HTTPS/HTTP2 lab on port 8443 with a self-signed certificate, making the repo self-contained for reproduction. Despite README references to exploits/slow-drip.py, that file is not present in the provided archive. Overall, this is a real exploit repository focused on protocol-level remote DoS, not detection or post-exploitation.
This repository is a small standalone proof-of-concept for CVE-2026-23918, described as a double-free race condition in Apache HTTP Server 2.4.66 mod_http2. The repository contains only two files: a README explaining the vulnerability and research direction, and a single Python script (poc.py) that implements the attack logic. No exploit framework is used. The Python PoC uses raw sockets plus TLS and the hyper-h2 library to speak HTTP/2 directly. It connects to a hardcoded target (192.168.1.100:443), disables certificate validation, and requires successful ALPN negotiation of 'h2'. The exploit flow is: initiate an HTTP/2 connection, create many odd-numbered streams with padded GET headers to groom allocator state, then open a POST stream to /api/data and immediately send RST_STREAM with CANCEL to try to hit the vulnerable early-reset timing window, and finally send another POST request carrying attacker-controlled bytes in an x-exploit-payload header. The helper function build_malicious_payload() constructs a synthetic blob consisting of a NOP sled, a fake pointer value (0x4141414141414141), and INT3 bytes, suggesting exploratory heap-corruption/RCE research rather than a finished code-execution exploit. Based on the code and README, the demonstrated capability is denial of service via Apache child-process crash/allocator corruption, not reliable remote code execution. The README explicitly states that RCE remains future work involving heap grooming, function-pointer overwrite, and ROP. Therefore the repository should be classified as a real exploit PoC with network/web attack vectors and POC maturity, not a detection script and not obviously fake.
Recent activity
A use-after-free vulnerability in Apache HTTP Server addressed in the Debian 13.5 update.
A double-free vulnerability in the Apache HTTP Server HTTP/2 implementation that can lead to denial of service and, in certain configurations, remote code execution.
A critical double-free vulnerability in Apache HTTP Server's HTTP/2 handling (mod_http2) that can be triggered remotely without authentication, causing denial of service and potentially remote code execution under certain conditions.
A critical double-free vulnerability in Apache HTTP Server's HTTP/2 handling (mod_http2) that can cause memory corruption, denial of service, and under certain conditions remote code execution.