The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HTTP Fileserver) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action. The cause is a poor regex that does not handle a null byte, which allows an attacker to inject code.
Request: http://vulnerable.hfs:80/?search=%00{.exec|whoami.}
The exploit is written in Python 3; you only need to change these variables:
- rhost and rport: the IP address and port of the vulnerable server running HFS.
- lhost and lport: the IP address and port for your reverse shell, where a listener should be running before you execute the exploit.
Tested with TryHackMe's SteelMountain VM.
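
On the defensive side, the request shown above leaves a distinctive trace in web or proxy logs: a `search` parameter whose decoded value contains a null byte followed by an HFS macro opener. The following is an added example, not part of the original exploit or of HFS; the log format, the sample lines and the helper names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Illustrative names. Extracts client and request target from an assumed Common Log Format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[0-9.]+"')
# A null byte followed later by the HFS macro opener "{." and the macro name.
NULL_THEN_MACRO = re.compile(rb"\x00.*?\{\.\s*([A-Za-z0-9_]+)", re.S)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?search=%00{.exec|whoami.} HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /?search=%2500%257B.exec%257Cwhoami.%257D HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] "GET /?sort=%00{.exec|whoami.} HTTP/1.1" 200 512',
]


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %2500 is treated like %00 (conservative choice)."""
    data = value.replace("+", " ").encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def find_hfs_macro_injection(log_lines):
    """Return (line_no, client, macro_name) for each flagged search request."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client, target = match.groups()
        for pair in target.partition("?")[2].split("&"):
            name, _, value = pair.partition("=")
            if decode_fully(name).lower() != b"search":
                continue
            hit = NULL_THEN_MACRO.search(decode_fully(value))
            if hit:
                findings.append((line_no, client, hit.group(1).decode("ascii")))
    return findings


if __name__ == "__main__":
    for finding in find_hfs_macro_injection(SAMPLE_LOG):
        print("suspicious HFS search request:", finding)
```

Any server that logs a match should be checked against the fixed release named above (2.3c or later).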