
A proof of concept for testing CVE-2023-38545 against local curl


CVE-2023-38545: Curl Vulnerability Proof of Concept

This repository contains a Proof of Concept (PoC) designed to test systems for the CVE-2023-38545 vulnerability. The vulnerability affects the curl utility, specifically versions between 7.69.0 and 8.3.1, and is related to the handling of HTTP redirects.

Prerequisites

Required Software: curl

Features

  • SOCKS5 Proxy Server running on port 1080
  • HTTP Server running on port 8000
  • Automated script to test for the vulnerability

Architecture

The PoC consists of two main components:

  • SOCKS5 Proxy Server: Listens on port 1080 and forwards all incoming requests to the HTTP server.
  • HTTP Server: Listens on port 8000 and is responsible for generating the payload that triggers the vulnerability.

Usage Instructions

(Optional) Step 1: Set up the SOCKS5 Proxy

Skip this step if you already have a SOCKS5 proxy you can use.

Execute setup_socks5.sh:

$ chmod +x setup_socks5.sh
$ ./setup_socks5.sh

This will install the required dependencies and set up the SOCKS5 proxy server on port 1080.

Step 2: Set up the Python3 HTTP Server

Execute the following command to start the HTTP server:

$ python3 server.py

You can also run the server with debug logging:

$ python3 server.py --debug

Upon successful execution, the HTTP server will be listening on port 8000.

Step 3: Execute the Exploit Script

First, make the script executable:

$ chmod +x cve202338545.sh

The script accepts a SOCKS5 proxy address with --socks5-ip and an HTTP server address with --http-ip, and can output debug logs with --DEBUG:

$ ./cve202338545.sh --socks5-ip <ip> --http-ip <ip> --DEBUG # specify both proxy and http server
$ ./cve202338545.sh --socks5-ip <ip> # specify only proxy server
$ ./cve202338545.sh --http-ip <ip> # specify only http server
$ ./cve202338545.sh # both proxy and http server will default to localhost
$ ./cve202338545.sh --DEBUG # both proxy and http server will default to localhost with debug on

This will initiate the exploit, and you should see output indicating whether the system is vulnerable, not vulnerable, or if the test was inconclusive.

Step 4: Analyze Results

The script reports one of the following response states:

  • [*] Vulnerable
  • [*] Inconclusive, likely not vulnerable
    • Triggered when the vulnerable version is identified but the vulnerability doesn't trigger on name resolution
  • [*] Likely Vulnerable, got an out of memory error
    • Triggered when the vulnerable version is identified and curl dies with an out of memory error
  • [*] Inconclusive, further investigation needed
    • Triggered by unexpected non-crash errors
  • [*] Not Vulnerable
    • Triggered when the vulnerable version is not identified
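The version-identification step that the states above depend on, as an added example in shell (not one of this repository's scripts): it parses the first line of `curl --version` and classifies the version against the affected range this README states (7.69.0 to 8.3.1, taken inclusively as an assumption of this example). The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of this repository: classify a curl version
# string against the affected range the README states (7.69.0 to 8.3.1,
# treated as inclusive here).

# version_key MAJOR.MINOR.PATCH -> one integer that orders like the version
version_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# curl_version_affected VERSION -> exit 0 if VERSION falls inside the
# README's stated affected range, 1 otherwise.
curl_version_affected() {
    v=$(version_key "$1")
    lo=$(version_key 7.69.0)
    hi=$(version_key 8.3.1)
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# classify_curl_version_line "curl 8.1.2 (x86_64-pc-linux-gnu) ..."
# -> prints "<version> affected" / "<version> not-affected", or "unknown"
#    (exit 2) when the line does not look like curl's version banner.
classify_curl_version_line() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi
    if curl_version_affected "$ver"; then
        echo "$ver affected"
    else
        echo "$ver not-affected"
    fi
}

# check_local_curl -> classify the curl binary found on PATH
check_local_curl() {
    classify_curl_version_line "$(curl --version 2>/dev/null | head -n 1)"
}
```

Call `check_local_curl` to classify the curl on the PATH; distributions may backport the fix without changing the version number, so a version match is a first signal for inventory, not a final verdict.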

(Optional) Step 5: Clean Up

This step is only required if you used setup_socks5.sh from step 1.

To clean up the SOCKS5 proxy server, execute the following command:

$ ./cleanup.sh