A few months ago, in the Building a Vulnerable Box series, I wrote a walkthrough for putting together and compromising a Rejetto HFS server. The post had originally been intended for my security students at the time, but, to my surprise, it’s become one of the War Room’s most consistently visited write-ups. Just last week, Naser Farhadi posted an exploit to Exploit-DB for FHFS (FTP/HTTP File Server) that is strikingly similar to the older one. So, I’ve decided to revisit the Vulnerable Box series for one more addition.
The exploit is a short Python script that, when run, makes a GET request to a URL of the attacker’s choosing. The script is really just for convenience/PoC; the attack can easily be replicated in the browser, which I’ll demonstrate below. First, let’s get FHFS up and running.
The Setup

The setup process for FHFS is slightly more complicated than for Rejetto HFS. FHFS’ web interface requires some additional stand-up steps; an email address is necessary for password reset and notifications. Note that the legitimacy of the account is not tested at setup time, so feel free to make use of garbage or throwaway accounts.
Download the vulnerable version of the application from the Exploit Database link provided on the exploit’s page linked above (and pictured to the left).
Unzip the download wherever you’d like (and remember the path). I’d recommend the Downloads folder itself or your C:\. Then, find the FHFS_Launcher executable in the FHFS folder.
As with all the other posts in this series, do not run the vulnerable software on your host. Stick to virtual machines.


The launcher presents you with a window from which you can start/stop the server and also visit the FHFS Forums and Wiki page. Starting the server for the first time will add a service and then prompt for permission to modify the Windows Firewall (if it’s enabled). A browser window will also be opened to your localhost to configure the server. You will have to set the admin username (which, surprisingly, can’t be “admin”), an associated email (mentioned previously), and a handful of other options. Once you are finished, save your selections, and then browse to your server’s IP and port to confirm a successful install.

Ensuring Vulnerability

Once FHFS is ready to go, point the exploit script at the box and run it. The script’s output will be the same regardless of whether the target is vulnerable or not, so use a single command or executable name and check your vulnerable machine to verify that the script ran correctly. As with Rejetto HFS, the exploit fires multiple times, so chances are you’re looking at multiple open windows, as in the screenshot below.

Limitations
So, in the short time I spent looking at this exploit, both the script and manipulating the URL itself, I couldn’t get it to accept spaces, which means no arguments. So, while it’s possible to run executables with the proof of concept, it does not appear that one could add a user/elevate as was demonstrated in the previous HFS post. For instance, in the original Rejetto post, a URL that looked like this would add a user to the vulnerable box (the arguments are everything after cmd /c; note that the new vulnerability does not seem to require a NULL byte):
http://X.X.X.X/?search=%00{.exec|cmd /c net user testuser testpassword /add.}
Now, it’s entirely possible (and likely) that with a little more work and exploration, we could get this to trigger. But, during the setup process, I noticed a second security oversight that’s almost as interesting. So what we’re going to do now is put the two together to compromise the system.
The Compromise
From an attack box, browsing to the server reveals an excellent bit of functionality that we are going to exploit. The third option down in the middle of the screen is, “Click to Open Public Uploader.” This function is enabled by default and will allow us to push our own files, without file type restrictions, to the server for later use.

Upload a Payload
Use Veil-Evasion to generate a reverse shell payload executable that will bypass any AV that might be running on the machine (obviously in a learning lab, this is a little overkill, but it never hurts to have another tool in your belt). Once it’s built, drag the payload into the uploader (or browse to it through “Add Files”) and select “Start Upload.”
You’ll be presented with a download link to your file. Copy the URL and paste it into a new browser window.

Stepping out of attack mode for a minute, on your vulnerable box, browse to <FHFS Install Path>\content-shared. This is where files uploaded to the server will be stored. You’ll notice that a bunch of random characters have been added to the file name of your payload. Obviously, in order to get the executable to run, we need this new name.

Back to our scenario: The download will probably automatically start, but we’re not interested in the file at the moment, so ignore it. Hover over the “please click here” link and copy or jot down what you see. That is the payload’s new file name!

Run the Payload
The one hitch in this technique is that you, as the attacker, have to know the full path to the content-shared folder. Unfortunately, because FHFS doesn’t require an actual installation, there isn’t a standard path. So, the exploitation phase may take some hunting if you come across this vulnerability in the real world. Obviously, try the Downloads folder directly if you know the name of the user on the target system (as is the case for this demo). Otherwise, start at the C: drive root. As I said at the beginning, there is probably an easier way to make use of the code execution vulnerability, but I thought mixing in the file upload would make for a better teaching tool.
To run your payload, point your exploit at your payload either with the exploit script or in a URL bar.
A modified URL will look something like this:
http://X.X.X.188/?/{.exec|c:\Users\Administrator\Downloads\FHFS\content-shared\112VHQKV0F3OBMSQR3R0M8SYK5SFDSTS—-payload.exe.}
Browsing to the payload should kick you a shell, as demonstrated below.
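From the defender’s side, the two request shapes shown in this post (the Rejetto-style ?search=%00{.exec|...} and the FHFS ?/{.exec|...} pointing at content-shared) are easy to spot in web logs once the URL is decoded. The following Python check is an added example, not part of the original post or of FHFS; the log lines are constructed, and the “method path protocol status” line format is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not taken from any real server):
# "METHOD PATH PROTOCOL STATUS". The third line is the URL-encoded form of
# the content-shared payload URL from the post, with placeholder names.
SAMPLE_LOG = """\
GET /?search=hello HTTP/1.1 200
GET /?search=%00{.exec|cmd.} HTTP/1.1 200
GET /?/%7B.exec%7Cc:%5CUsers%5Cuser%5CDownloads%5CFHFS%5Ccontent-shared%5Cpayload.exe.%7D HTTP/1.1 200
GET /files/report.pdf HTTP/1.1 200
POST /upload HTTP/1.1 200
"""

# HFS-style template macro: {.name|argument.}  (the syntax both URLs in the post use)
MACRO_RE = re.compile(r"\{\.(\w+)\|([^}]*?)\.\}", re.IGNORECASE)


def decode_path(path: str) -> str:
    """URL-decode repeatedly (bounded) so double-encoded macros are still caught."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def find_macro_requests(log_text: str):
    """Return (raw_path, macro_name, macro_arg, flags) for each request carrying a macro."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        raw_path = parts[1]
        decoded = decode_path(raw_path)
        for m in MACRO_RE.finditer(decoded):
            flags = []
            if "\x00" in decoded:                       # %00 prefix seen in the Rejetto variant
                flags.append("null-byte")
            if m.group(1).lower() == "exec":             # the command-execution macro
                flags.append("exec")
            if "content-shared" in m.group(2).lower():   # points at the public uploader folder
                flags.append("uploaded-file")
            hits.append((raw_path, m.group(1).lower(), m.group(2), flags))
    return hits
```

Benign traffic (plain searches, file downloads, the uploader itself) produces no hits; only requests that carry a template macro are returned, tagged with why they matter.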

Conclusion
Keep your vulnerable box as a virtual machine on a VMware ESXi server for convenience and snapshots. Do not run this software from your host, as you will put yourself at risk of compromise.