Skip to content
/ CVE-2024-23334 Public

Expolit for CVE-2024-23334 (aiohttp >= 1.0.5> && <=3.9.1)

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

binaryninja/CVE-2024-23334

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
static
static
 
 
.gitattributes
.gitattributes
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
exploit.py
exploit.py
 
 
requirements.txt
requirements.txt
 
 
server.py
server.py
 
 

Repository files navigation

CVE-2024-23334 Exploit and PoC

This repository contains a Proof of Concept (PoC) exploit for CVE-2024-23334, demonstrating a vulnerability in a web application that allows unauthorized access to sensitive files on the server. The PoC includes a Dockerized web server and an exploit script to test for the vulnerability.

Repository Structure

.
├── .gitattributes
├── .git/
├── Dockerfile
├── exploit.py
├── requirements.txt
├── server.py
├── static/
│   └── safe_file.txt
└── test.log

Files and Directories

  • Dockerfile: Docker configuration file to build and run the vulnerable web server.
  • exploit.py: The exploit script that demonstrates how the vulnerability can be exploited to access sensitive files on the server.
  • server.py: The vulnerable web server implemented using aiohttp.
  • requirements.txt: List of Python dependencies required to run the server and exploit script.
  • static/: Directory containing a safe file to serve as a placeholder for legitimate static content.
  • test.log: Log file generated during testing (example content, not crucial for the exploit).

Getting Started

Prerequisites

  • Docker
  • Python 3.10+
  • pip (Python package installer)

Setup

  1. Clone the repository

    git clone https://github.com/binaryninja/CVE-2024-23334.git
cd CVE-2024-23334

  2. Build and Run the Docker Container

    docker build -t cve-2024-23334 .
docker run -p 8081:8081 cve-2024-23334

    The server will start and be accessible at http://localhost:8081.

  3. Run the Exploit Script

    python exploit.py -s http://localhost:8081 -v -o results.json

    This command runs the exploit script against the running server, with verbose output and results saved to results.json.

Server.py

The server.py file sets up a vulnerable web server using aiohttp. The server exposes a static file directory and includes an endpoint / that returns a simple text response.

Exploit.py

The exploit.py script sends requests to the server to test for the vulnerability. It attempts to access various sensitive files by traversing the directory structure using path manipulation techniques. The results, including any successfully accessed files and their contents, are logged and optionally saved to a JSON file.

Example Usage

Build and Run the Docker Container

docker build -t cve-2024-23334 .
docker run -p 8081:8081 cve-2024-23334

Execute the Exploit Script

python exploit.py -s http://localhost:8081 -v -o results.json

Output

The script will output the results of the exploit attempts to the console and save detailed results in results.json.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Disclaimer

This repository is for educational purposes only. Use it at your own risk. The author is not responsible for any damage caused by the use or misuse of this software.

Contributions

Contributions are welcome! Please submit a pull request or open an issue to discuss any changes.

About

Expolit for CVE-2024-23334 (aiohttp >= 1.0.5> && <=3.9.1)

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages