Vulnerability analysis of HFS 2.3
According to the CVE details for this vulnerability (CVE-2014-6287), the findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (otherwise known as HFS or HttpFileServer) 2.3x, in versions prior to 2.3c, allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.
Here is the vulnerable function:
// Returns the position of the first macro marker ({. {: .} :} or |) found in s
// at or after offset ofs, or 0 if there is none. The input is handed to a regex
// engine that treats the null byte as the end of the string.
function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
The function does not handle a null byte safely: the regex engine behind reMatch stops at the first null byte, so a search term that starts with %00 looks empty to it, no macro marker is found, and the text after the null byte is passed unescaped into the page template, where the HFS macro engine interprets it. A request such as http://localhost:80/?search=%00{.exec|cmd.} therefore runs cmd on the server, giving remote command execution.
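The null-byte bypass described above, as an added example that is not HFS or Metasploit code: a Ruby model of findMacroMarker whose matcher only sees the buffer up to the first null byte (an assumption standing in for the null-terminated string handling behind the original reMatch call), beside a version that scans the full buffer. The regex is the one from parserLib.pas; the function names, the query-string decoder and the sample request are hypothetical and constructed for the example.

```ruby
require 'cgi'

# Added example, not HFS or Metasploit code. Models the CVE-2014-6287 bypass:
# the regex is the one from findMacroMarker in parserLib.pas; the "stop at the
# first NUL" behaviour is an assumption standing in for the null-terminated
# string handling behind the original reMatch call.
MACRO_MARKER = /\{[.:]|[.:]\}|\|/   # {. {: .} :} or |

# Vulnerable model: the matcher only ever sees the bytes before the first NUL,
# so "\0{.exec|cmd.}" looks like an empty, marker-free string.
# Returns the 1-based position of the first marker at or after ofs, or 0.
def find_macro_marker_vulnerable(s, ofs = 1)
  visible = s.split("\0", 2).first.to_s
  idx = visible.index(MACRO_MARKER, ofs - 1)
  idx.nil? ? 0 : idx + 1
end

# Length-aware model: scans the whole buffer, NUL bytes included.
def find_macro_marker_fixed(s, ofs = 1)
  idx = s.index(MACRO_MARKER, ofs - 1)
  idx.nil? ? 0 : idx + 1
end

# Pulls the raw "search" value out of a query string and percent-decodes it,
# which is the step where %00 turns into an actual NUL byte.
def decode_search_param(query)
  query.split('&').each do |pair|
    key, value = pair.split('=', 2)
    return CGI.unescape(value.to_s) if key == 'search'
  end
  nil
end

# True when the decoded search term carries a macro marker that the given
# finder fails to report, i.e. the marker would reach the template unescaped.
def macro_slips_through?(query, finder)
  term = decode_search_param(query)
  return false if term.nil?
  finder.call(term).zero? && !find_macro_marker_fixed(term).zero?
end

if __FILE__ == $PROGRAM_NAME
  payload = 'search=%00{.exec|cmd.}'   # constructed; mirrors the request above
  [[:vulnerable, method(:find_macro_marker_vulnerable)],
   [:fixed,      method(:find_macro_marker_fixed)]].each do |name, finder|
    puts "#{name}: marker slips through? #{macro_slips_through?(payload, finder)}"
  end
end
```

The point the model makes is that the check itself is correct for every input it actually sees; the defect is that the input is cut short before the check runs. Any fix that keeps the regex but measures the buffer by its declared length, rather than by the first NUL, closes the bypass.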
Note
Details about the exploit can be found at https://www.rapid7.com/db/modules/exploit/windows/http/rejetto_hfs_exec.
Exploitation and post exploitation
Let us find the relevant exploit module via the search command in Metasploit in order to load the exploit for the HFS 2.3 server:
We can see we have the exploit/windows...