Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-24787 PoC — Arbitrary code execution during build on Darwin in cmd/go

Source
https://github.com/LOURC0D3/CVE-2024-24787-PoC
Associated Vulnerability
Title:Arbitrary code execution during build on Darwin in cmd/go (CVE-2024-24787)
Description:On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
Description
CVE-2024-24787 Proof of Concept
Readme
# CVE-2024-24787-PoC

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

![img](./result.png)

This is not my bug, I just made a PoC for it.

# Reference
  - [https://pkg.go.dev/vuln/GO-2024-2825](https://pkg.go.dev/vuln/GO-2024-2825)
File Snapshot

 [4.0K]  /data/pocs/e22cda447beded220e4f2d701547fa698c145a07
├── [  11]  go.mod
├── [ 32K]  malicious.dylib
├── [ 230]  malicious.m
├── [ 108]  poc.go
├── [ 377]  README.md
└── [290K]  result.png

0 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →