Exploit for remote command execution in Golang go get
command.
When you go get a package, Go is designed to build and install the package without running any code from it. The intent is that you can safely get, build, and even install Go packages without trusting them at all. In theory, it seems like this should be a simple feat for the Go toolchain, but in actuality, it's a real challenge. go get does a lot under the hood, including invoking third-party tools like git and clang in ways that are heavily influenced by package configurations. Ensuring that these invocations are safe is an uphill battle that Go hasn't quite won yet.
When cgo is enabled, the build step during “go get” invokes the host C compiler, gcc or clang, adding compiler flags specified in the Go source files. Both gcc and clang support a plugin mechanism in which a shared-library plugin is loaded into the compiler, as directed by compiler flags. This means that a Go package repository can contain an exploit.so file along with a Go source file that says (for example) // #cgo CFLAGS: -fplugin=exploit.so, causing the attack plugin to be loaded into the host C compiler during the build. Gcc and clang plugins are completely unrestricted in their access to the host system.
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow go get
remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before.
For Exploit we will need to host our malicious package. We need a website with TLS and a valid certificate chain. An easy way to do this is to use github
Then, you will need a malicious plugin/.so file. The code in exploit.c should help you with that.
Note: Change this following code in exploit.c to your command
void exploit() {
system("<Your CMD>");
}
Note: Compile this file according to your victim's machine/pc architecture
You can build exploit.sp it using the following command:
gcc -shared -o exploit.so -fPIC exploit.c
Once you host your full payload on Github, you should be able to pass the package link to the victim.