
CVE-2023-38545 PoC: curl buffer error vulnerability

Associated Vulnerability
Title: curl buffer error vulnerability (CVE-2023-38545)
Description: This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake. When curl is asked to pass the host name along to the SOCKS5 proxy so that the proxy resolves the address instead of curl doing it itself, the maximum length of that host name is 255 bytes. If the host name is detected to be longer, curl switches to local name resolution and passes on only the resolved address. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake and, contrary to the intention, copy the too-long host name into the target buffer instead of copying just the resolved address there. The target buffer is heap-based, and the host name comes from the URL that curl has been told to operate on.
Readme
# CVE-2023-38545: Curl Vulnerability Proof of Concept
This repository contains a Proof of Concept (PoC) designed to test systems for the CVE-2023-38545 vulnerability. The vulnerability affects the curl utility, specifically versions between 7.69.0 and 8.3.1, and this PoC triggers it through an HTTP redirect served behind a SOCKS5 proxy.

## Prerequisites
Required Software: curl

## Features
- SOCKS5 Proxy Server running on port 1080
- HTTP Server running on port 8000
- Automated script to test for the vulnerability


## Architecture
The PoC consists of two main components:

- SOCKS5 Proxy Server: Listens on port 1080 and forwards all incoming requests to the HTTP server.
- HTTP Server: Listens on port 8000 and is responsible for generating the payload that triggers the vulnerability.

## Usage Instructions
### (Optional) Step 1: Set up the SOCKS5 Proxy
*This step can be skipped if you already have a SOCKS5 proxy you can use.*

Execute `setup_socks5.sh`

    $ chmod +x setup_socks5.sh
    $ ./setup_socks5.sh

This will install the required dependencies and set up the SOCKS5 proxy server on port 1080.

### Step 2: Set up the Python3 HTTP Server
Execute the following command to start the HTTP server:

    $ python3 server.py

You can also run the server with debug logging:

    $ python3 server.py --debug

Upon successful execution, the HTTP server will be listening on port 8000.

### Step 3: Execute the Exploit Script
First, make the script executable:

    $ chmod +x cve202338545.sh

The script accepts a SOCKS5 proxy address with `--socks5-ip` and an HTTP server address with `--http-ip`, and prints debug logs with `--DEBUG`:

    $ ./cve202338545.sh --socks5-ip <ip> --http-ip <ip> --DEBUG # specify both proxy and http server
    $ ./cve202338545.sh --socks5-ip <ip> # specify only proxy server
    $ ./cve202338545.sh --http-ip <ip> # specify only http server
    $ ./cve202338545.sh # both proxy and http server will default to localhost
    $ ./cve202338545.sh --DEBUG # both proxy and http server will default to localhost with debug on

This will initiate the exploit, and you should see output indicating whether the system is vulnerable, not vulnerable, or if the test was inconclusive.

### Step 4: Analyze Results

The script reports one of five states:

- [*] Vulnerable
- [*] Inconclusive, likely not vulnerable
    - Triggered when a vulnerable version is identified but the vulnerability doesn't trigger on name resolution
- [*] Likely Vulnerable, got an out of memory error
    - Triggered when a vulnerable version is identified and curl dies with an out-of-memory error
- [*] Inconclusive, further investigation needed
    - Triggered by unexpected non-crash errors
- [*] Not Vulnerable
    - Triggered when no vulnerable version is identified
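The version screen behind the "Not Vulnerable" state, together with the 255-byte host-name limit from the vulnerability description above, as an added stand-alone helper that is not part of this repository; it assumes the affected range runs from 7.69.0 up to, but not including, 8.4.0 (the first release carrying the fix).

```python
import re
from urllib.parse import urlsplit

# Affected range assumed here: the README gives 7.69.0 as the first affected
# release; 8.4.0 is the first release carrying the fix.
FIRST_AFFECTED = (7, 69, 0)
FIRST_FIXED = (8, 4, 0)

# A SOCKS5 domain-name address (RFC 1928, ATYP 0x03) carries a one-byte
# length field, which is where the 255-byte host name limit comes from.
SOCKS5_MAX_HOSTNAME = 255

CURL_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)")
LIBCURL_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")


def parse_curl_version(banner):
    """Return (major, minor, patch) from `curl --version` output, or None.

    The SOCKS5 handshake lives in libcurl, so the libcurl/x.y.z token is
    preferred over the version printed for the curl binary when they differ.
    """
    lines = banner.strip().splitlines()
    first_line = lines[0] if lines else ""
    m = LIBCURL_RE.search(first_line) or CURL_RE.match(first_line)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(version):
    """True when version falls in [FIRST_AFFECTED, FIRST_FIXED)."""
    return FIRST_AFFECTED <= tuple(version) < FIRST_FIXED


def hostname_exceeds_socks5_limit(url):
    """True when the URL's host name is longer than a SOCKS5 request can carry."""
    host = urlsplit(url).hostname or ""
    return len(host.encode("utf-8")) > SOCKS5_MAX_HOSTNAME


def assess(banner):
    """Version screen only; the handshake test in Step 3 is what exercises the bug."""
    version = parse_curl_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected_version(version) else "not affected"


if __name__ == "__main__":
    # Constructed sample banner, not captured from a real host.
    sample = "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.2 zlib/1.2.11\n"
    print(assess(sample))
```

A version match is only a screen: distribution packages often carry the fix without a version bump, so only the handshake test in Step 3 shows whether the bug is actually reachable.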

### (Optional) Step 5: Clean Up
*This step is only required if you used `setup_socks5.sh` from step 1.*

To clean up the SOCKS5 proxy server, execute the following command:

    $ ./cleanup.sh

File Snapshot

    [4.0K] /data/pocs/f4e2bfae2343538b43659ed7c866a6ed683b9430
    ├── [ 316] cleanup.sh
    ├── [2.6K] cve202338545.sh
    ├── [2.9K] README.md
    ├── [1.7K] server.py
    └── [1.0K] setup_socks5.sh

    0 directories, 5 files