Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2023-38545 PoC — curl 缓冲区错误漏洞

Source
https://github.com/vanigori/CVE-2023-38545-sample
Associated Vulnerability
Title:curl 缓冲区错误漏洞 (CVE-2023-38545)
Description:This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.
Description
Dockerfile containing all the necessary setup files to demo the exploit
Readme
# Quick description

This showcases the cURL CVE-2023-38545. It is as lightweight as I could make it.

# Setup

First, build the Docker Image:

`docker build . -t cveimage`

Next, we can simply run the image file, creating a temporary Docker Container which will get deleted once the container is stopped:

`docker run --rm --tty --net="host" --name cvecontainer cveimage`

If you are struggling to type commands, simply open another terminal and run:

`docker exec -it cvecontainer /bin/bash`

Now, we need to start all the services. Connect to the already-running container, and run:

`./exploit/malicious_redirect_server.sh &`

`python3 /exploit/proxy.py &`

Now, from inside the container you can see the cURL exploit in action:

`curl -vvv --limit-rate 100 --location --proxy socks5h://127.0.0.1:1080 http://localhost:8000`

You must see a segmentation fault error on the machine that ran the curl command to know that the exploit succeeded. If you do not see it, either the exploit did not occur, or the process had so much heap space available that you did not overwrite into inaccessible memory.

# More work (PRs welcome)

* Make this README look pretty 
* Configure systemd to automatically start the exploit code
* Reduce Docker Image build time and size
* Anything/everything else. . .?

# References

* The socks5 proxy is not self-made. The original code for the proxy can be found here: https://github.com/alexbers/tgsocksproxy
* * Originally exploited in ubuntu (wsl) with systemd support: https://github.com/aire1/mtproxy_autoinstaller
* The hackerone report, which saved tons of research time. Give this a read through if you want to understand how this exploit occurs: https://hackerone.com/reports/2187833
File Snapshot

 [4.0K]  /data/pocs/078222c0870c19969e9d38012493aef3298c0245
├── [ 683]  Dockerfile
├── [ 34K]  LICENSE
├── [ 194]  malicious_redirect_server.sh
├── [1.7K]  README.md
└── [4.8K]  tgsocksproxy.py

0 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →