actuator

goform

🏛️ A museum of GoAhead and goform forks. Dead webservers-live exploits

2
0
2
public
View on GitHub
image

GoAhead Museum – Research Dataset

This repository is a living archive of embedded GoAhead / jhttpd web server binaries collected from router and IoT firmware images.
It exists to preserve historically significant embedded web stacks and make them easily accessible for security research, reverse engineering, and long-term study.

GoAhead and its forks powered countless low-cost routers, access points, cameras, and IoT devices from the late 1990s through the 2020s. They introduced the /goform pattern for handling web requests, which became a de facto standard in many OEM firmware packages. As devices age out and firmware images disappear, this codebase — and its vulnerabilities — are at risk of being lost to history.

Purpose

  • Historical Preservation – provide researchers with reference samples of GoAhead and related forks before they disappear from vendor sites.
  • Security Research – offer a centralized resource to compare implementations, patch histories, and vulnerability trends.
  • Education – show students and professionals how embedded web stacks evolved and how their security models worked (or failed).
  • Collaboration – encourage contributions of additional binaries for comparative analysis.

Dataset Format

Each contributed binary is stored with accompanying metadata.
This allows researchers to understand the firmware context and track lineage across vendors and versions.

Sample ID Vendor / Model Firmware Ver. Variant Link
jhttpd.NR500.EA NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 jhttpd fork link
jhttpd.dionlink.M7628N Tuoshi/Dionlink LT15D & LT21B 4G Wi-Fi v1.0.1802.10.08.P4 jhttpd fork link
kthy_topsw_goahead.topsw.GC111 KTHY TopSW GC111-GL-LM321 V3.0.20191211 OEM GoAhead fork link
webserver.KuWFi.AC900 KuWFi AC900 V1.0.13 OEM GoAhead fork link
goahead.Panda-Wireless-PWRU0-2.2.9 Panda Wireless V2.2.9 OEM GoAhead fork link

Metadata Fields

  • Sample ID – filename in the repository.
  • Vendor / Model – hardware source device.
  • Firmware Ver. – vendor firmware version string.
  • Variant – GoAhead / jhttpd / OEM fork.
  • Link – reference to the hosted binary in this repo.

Research Directions

This dataset enables:

  • Static Analysis – compare forks to trace patching, hard-coded credentials, and code reuse.
  • Dynamic/Fuzz Testing – build harnesses to explore attack surfaces of legacy binaries.
  • Vulnerability Lineage – map how known flaws persisted or reappeared across vendors.
  • Decommission Tracking – measure when GoAhead-based stacks vanished from production firmware.
  • Teaching Material – provide real embedded targets for labs and courses in security or reverse engineering.

Contributing

We welcome new binaries, metadata improvements, and analysis write-ups. To contribute:

  1. Upload the binary file.
  2. Add a row to the dataset table with the required metadata.
  3. Submit a pull request or open an issue to discuss.

All contributions help expand the coverage of the GoAhead ecosystem and support future research.

Ethical Note

These binaries are provided for research and educational purposes only.
They are not meant to encourage unauthorized access or exploitation of live systems.

Exploring /goform Endpoints

GoAhead and its forks use a URL prefix /goform to register “form handlers” inside the binary. These handlers process login forms, configuration changes, and other CGI-like actions. Researchers can use several approaches to enumerate them:

1. Scan Static Files

Most web UI pages reference /goform/... as the form action or AJAX URL. Run:

Quick Guide: Finding the Web Server Binary Using ps

On stripped-down BusyBox devices you usually don’t have find, which, or file, but you do have ps. You can use it to identify which process is the embedded web server.

1. List Running Processes

Run:

ps

Look for entries that resemble:

  PID USER       VSZ STAT COMMAND
  635 admin     1864 S    goahead

or:

  PID USER       VSZ STAT COMMAND
  635 admin     1864 S    httpd

2. Common Names

Typical embedded web server binaries include:

  • goahead
  • httpd or mini_httpd
  • lighttpd
  • jhttpd

The COMMAND column tells you the binary name.

3. Locate the Binary Path

Once you see the process name (e.g., goahead), check typical directories:

ls /bin/goahead
ls /sbin/goahead
ls /usr/bin/goahead
ls /usr/sbin/goahead

Repeat for httpd, mini_httpd, or whatever name appeared in ps.

4. Verify with grep

If you’re unsure, you can also run:

grep -i goahead /etc/* 2>/dev/null
grep -i httpd /etc/* 2>/dev/null

Startup scripts sometimes reference the binary or its configuration.

5. Copy or Analyze It

Once you find the binary path, you can:

  • Copy it to a writable directory or the web root.
  • Download it to your PC for strings / binwalk / reverse engineering.

Summary:

  • Use ps to identify the running web server name.
  • Use ls on common binary directories to locate it.
  • Use grep on /etc or /etc_ro to find startup scripts.
  • Copy it out for analysis or fuzzing.
v0.3.1[beta]