# CVE-2023-38545: Curl Vulnerability Proof of Concept
This repository contains a Proof of Concept (PoC) designed to test systems for the CVE-2023-38545 vulnerability. The vulnerability affects the curl utility, specifically versions between 7.69.0 and 8.3.1, and is related to the handling of HTTP redirects.
Required software:
- curl
- SOCKS5 proxy server running on port 1080
- HTTP server running on port 8000
- Automated script to test for the vulnerability
The PoC consists of two main components:
- SOCKS5 Proxy Server: Listens on port 1080 and forwards all incoming requests to the HTTP server.
- HTTP Server: Listens on port 8000 and is responsible for generating the payload that triggers the vulnerability.
## Usage Instructions
### (Optional) Step 1: Set up the SOCKS5 Proxy
*This step is optional if you already have a SOCKS5 proxy you can use.*
```
$ chmod +x setup_socks5.sh
$ ./setup_socks5.sh
```
This will install the required dependencies and set up the SOCKS5 proxy server on port 1080.
### Step 2: Set up the Python3 HTTP Server
Execute the following command to start the HTTP server:
```
$ python3 server.py
```
You can also run the server with debug logging:
```
$ python3 server.py --debug
```
Upon successful execution, the HTTP server will be listening on port 8000.
### Step 3: Execute the Exploit Script
First, make the script executable:
```
$ chmod +x cve202338545.sh
```
The script accepts a SOCKS5 proxy address with `--socks5-ip` and an HTTP server address with `--http-ip`, and can output debug logs with `--DEBUG`:
```
$ ./cve202338545.sh --socks5-ip <ip> --http-ip <ip> --DEBUG # specify both proxy and http server
$ ./cve202338545.sh --socks5-ip <ip> # specify only proxy server
$ ./cve202338545.sh --http-ip <ip> # specify only http server
$ ./cve202338545.sh # both proxy and http server will default to localhost
$ ./cve202338545.sh --DEBUG # both proxy and http server will default to localhost with debug on
```
This will initiate the exploit, and you should see output indicating whether the system is vulnerable, not vulnerable, or if the test was inconclusive.
### Step 4: Analyze Results
There are 4 response states:
- [*] Vulnerable
- [*] Inconclusive, likely not vulnerable
  - Triggered when the vulnerable version is identified but the vulnerability doesn't trigger on name resolution
- [*] Likely Vulnerable, got an out of memory error
  - Triggered when the vulnerable version is identified and curl dies with an out of memory error
- [*] Inconclusive, further investigation needed
  - Triggered by unexpected non-crash errors
- [*] Not Vulnerable
  - Triggered when the vulnerable version is not identified
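Several of the states above hinge on whether a "vulnerable version" is identified. The following is an added example, not part of this repository, that shows how such a version gate can be implemented from the `curl --version` banner using the 7.69.0 to 8.3.1 range stated in this README; the sample banners are constructed, and the local check assumes a `curl` binary on `PATH`.

```python
import re
import subprocess

# Affected range as stated in this README (inclusive on both ends).
AFFECTED_MIN = (7, 69, 0)
AFFECTED_MAX = (8, 3, 1)

# Matches "curl 8.3.1" and "libcurl/8.3.1" in the first banner line.
_VERSION_RE = re.compile(r"\b(curl|libcurl)/?\s*(\d+)\.(\d+)\.(\d+)")


def parse_versions(version_output):
    """Return {'curl': (major, minor, patch), 'libcurl': (...)} parsed from
    the first line of `curl --version` output; missing parts are omitted."""
    stripped = version_output.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    found = {}
    for name, major, minor, patch in _VERSION_RE.findall(first_line):
        found.setdefault(name, (int(major), int(minor), int(patch)))
    return found


def in_affected_range(version):
    """Tuple comparison handles two-digit minors (7.69 vs 7.9) correctly."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(version_output):
    """Map a banner to 'affected range', 'outside affected range' or
    'inconclusive' (no parseable version, e.g. curl not installed)."""
    versions = parse_versions(version_output)
    # The bug is in libcurl, so prefer the library version when present.
    version = versions.get("libcurl") or versions.get("curl")
    if version is None:
        return "inconclusive"
    return "affected range" if in_affected_range(version) else "outside affected range"


def classify_local_curl():
    """Run the local curl binary and classify it (assumes curl is on PATH)."""
    try:
        proc = subprocess.run(["curl", "--version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "inconclusive"
    return classify(proc.stdout)


if __name__ == "__main__":
    # Constructed sample banner, not captured from a real host.
    print(classify("curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2"))
    print("local curl:", classify_local_curl())
```

A version match alone is only a screening signal: distributions often backport the fix without changing the version number, which is why the script's runtime test, not the banner, decides the final state.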
### (Optional) Step 5: Clean Up
*This step is only required if you used `setup_socks5.sh` from Step 1.*
To clean up the SOCKS5 proxy server, execute the following command: