CVE-2024-24787 PoC — Google Golang 安全漏洞

Source

https://github.com/LOURC0D3/CVE-2024-24787-PoC

Associated Vulnerability

Title:Google Golang 安全漏洞 (CVE-2024-24787)
Description:Google Golang是美国谷歌（Google）公司的一种静态强类型、编译型语言。Go的语法接近C语言，但对于变量的声明有所不同。Go支持垃圾回收功能。Go的并行模型是以东尼·霍尔的通信顺序进程（CSP）为基础，采取类似模型的其他语言包括Occam和Limbo，但它也具有Pi运算的特征，比如通道传输。在1.8版本中开放插件（Plugin）的支持，这意味着现在能从Go中动态加载部分函数。 Google Golang 1.21.10 之前、1.22.3 之前版本存在安全漏洞，该漏洞源于在使用 Apple

Description

CVE-2024-24787 Proof of Concept

Readme

# CVE-2024-24787-PoC

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

![img](./result.png)

This is not my bug, I just made a PoC for it.

# Reference
  - [https://pkg.go.dev/vuln/GO-2024-2825](https://pkg.go.dev/vuln/GO-2024-2825)

File Snapshot


 [4.0K]  /data/pocs/e22cda447beded220e4f2d701547fa698c145a07
├── [  11]  go.mod
├── [ 32K]  malicious.dylib
├── [ 230]  malicious.m
├── [ 108]  poc.go
├── [ 377]  README.md
└── [290K]  result.png

0 directories, 6 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!