Go-Get-RCE-CVE-2018-6574-POC icon indicating copy to clipboard operation
Go-Get-RCE-CVE-2018-6574-POC copied to clipboard

Published 20 hours ago verified publisher icon neargle

Metadata

CVE-2018-6574 POC : golang 'go get' remote command execution during source code build

CVE-2018-6574 POC

LINK

  • https://nvd.nist.gov/vuln/detail/CVE-2018-6574
  • http://blog.nsfocus.net/cve-2018-6574/

RUN

go get github.com/neargle/CVE-2018-6574-POC

DETAIL

payload 在: https://github.com/neargle/CVE-2018-6574-POC/blob/master/calc.c#L10

现在已经用 CGO 的特性支持了全平台,linux go get 之后会新建一个 /tmp/go-rce-poc 文件,MAC 和 Windows 还是老套的弹计算器。

PS. Windows 的部分 GCC 可能没有 --enable-plugin 支持, 会爆 error: plugin support is disabled; configure with --enable-plugin. 当前的 POC 需要 gcc 支持 --enable-plugin.

VERSION

  • before 1.8.7
  • before 1.9.4
  • before Go 1.10rc2

THX

KINGSABRI

Metadata

24
Stars
13
Forks
Watchers

Owner

verified publisher icon neargle

Metadata

CVE-2018-6574 POC : golang 'go get' remote command execution during source code build

Back