dbrugman / CVE-2023-38545-POC

CVE-2023-38545 POC for the curl command line tool


CVE-2023-38545 POC for the curl command line tool

This POC is based on the earlier POC created by UTsweetyfish, shared in this repository: https://github.com/UTsweetyfish/CVE-2023-38545. Unlike that POC, this one targets the curl command line tool rather than the libcurl library, and it requires neither Python nor compilation.

This POC is for the curl SOCKS5 heap buffer overflow and shows how to overflow the receive buffer in the curl command line tool. By default, curl initializes the receive buffer with a size of 100k, which makes it not susceptible to CVE-2023-38545. However, the size of this buffer can be reduced by setting a rate limit (--limit-rate).

To run the POC, first set up a local SOCKS5 proxy using SSH (this requires a locally running SSH server):

ssh -fND 10801 localhost

Next, run the poc.sh script (this requires Netcat (nc) to be installed):

./poc.sh

It might require several attempts to trigger the buffer overflow. If the overflow is triggered, the script exits with an error code and an error message indicating that execution was aborted. If the overflow was not triggered and curl was not impacted, a message is shown indicating that a host named "AAAA...." could not be resolved.
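An added defender-side check, written here and not part of the repository (it is not poc.sh and sends no traffic): it flags an installed curl whose version lies in the range affected by CVE-2023-38545 (7.69.0 through 8.3.0, fixed in 8.4.0, which this page does not state), and flags a --limit-rate value below the 100k default buffer described above. The 100 * 1024 byte threshold and the power-of-1024 meaning of the K/M/G suffixes are assumptions.

```shell
#!/bin/sh
# Added example: defender-side checks for CVE-2023-38545 exposure.
# Not the repository's poc.sh; it only inspects a version string and a
# --limit-rate argument, it does not talk to any proxy.

# Turn "major.minor.patch" into one comparable integer.
version_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Return 0 (true) when the curl version is within the affected range
# 7.69.0 .. 8.3.0 (fixed in 8.4.0).
curl_version_affected() {
    key=$(version_key "$1")
    lo=$(version_key 7.69.0)
    hi=$(version_key 8.3.0)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Convert a --limit-rate argument (e.g. 512, 100K, 1M) to bytes per second.
# Assumption: the K/M/G suffixes are powers of 1024, as curl documents them.
limit_rate_bytes() {
    num=$(echo "$1" | sed 's/[kKmMgG]$//')
    case "$1" in
        *[kK]) echo $((num * 1024)) ;;
        *[mM]) echo $((num * 1024 * 1024)) ;;
        *[gG]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Return 0 when this --limit-rate value would shrink the receive buffer below
# the 100k default the README mentions (assumed to mean 100 * 1024 bytes).
limit_rate_shrinks_buffer() {
    [ "$(limit_rate_bytes "$1")" -lt $((100 * 1024)) ]
}

# Inspect the locally installed curl and print a verdict; return 1 if affected.
check_local_curl() {
    ver=$(curl --version 2>/dev/null | awk 'NR == 1 { print $2 }')
    [ -n "$ver" ] || { echo "curl not found"; return 2; }
    if curl_version_affected "$ver"; then
        echo "curl $ver is in the affected range; upgrade to 8.4.0 or later"
        return 1
    fi
    echo "curl $ver is outside the affected range"
    return 0
}

# Run the local check only when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then check_local_curl; fi
```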
