Fugitif
13.11.2007, 20:54
Embedded Systems Security
High quality versions of the three Cisco IOS shellcode demonstrations
Please note that each shellcode (written in PowerPC assembly language) is being launched from GDB within a development environment rather than as the payload to an exploit. The "Development server" is connected to the Cisco router (2600 Series) via a serial cable (for GDB debugging) and via Ethernet (for TCP/IP communications).
It takes a short while for the shellcode to start functioning as it has been hooked into the IOS image checksumming routine that runs every 30-60 seconds. When each starts running, the arbitrary text "<args-warning>" is displayed on the console to indicate successful execution of the shellcode.
Bind Shell
· Requires four hard-coded addresses of functions within IOS
· Creates a new VTY
· Sets a password on the VTY
· Privilege escalates to level 15
Video: Bind Shell
http://www.irmplc.com/content/videos/bindshell/bindshell.html
Reverse Shell
· Requires five hard-coded addresses of functions within IOS
· Creates a new VTY
· Privilege escalates to level 15
· Opens a new TCP connection
· Binds the VTY to the TCP connection
Video: Reverse Shell
http://www.irmplc.com/content/videos/reverseshell_final/reverseshell_final.html
Two byte rootshell or Tiny Shell
· Requires up to one (sometimes none) hard-coded address within IOS
· Removes the requirement to authenticate to a currently active VTY
· Privilege escalates to level 15
Video: "Two byte rootshell" or Tiny Shell
http://www.irmplc.com/content/videos/tinyshell_final/tinyshell_final.html
More Info:
http://www.irmplc.com/index.php/153-Embedded-Systems-Security
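From the defender's side, the three demos share visible side effects on the router: a VTY that appears or is reconfigured, a session on a VTY with no authenticated user (the Tiny Shell removes the login requirement), and privilege level 15 granted on a line. The following Python script is an added example, not from the post or from IRM; it parses constructed samples of `show users` output and a `line vty` running-config fragment and flags those conditions. The column handling, the allow-list of management hosts and the list of risky line commands are assumptions for illustration, not an IOS specification.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `show users` output (not captured from a real device).
# vty 0 is an admin session from a management host; vty 1 has no user at all.
SAMPLE_SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0     admin      idle                 00:00:12 192.0.2.10
   3 vty 1                idle                 00:00:01 198.51.100.77
"""

# Constructed running-config fragment: one sane VTY block and one that
# skips authentication and grants privilege 15 (the footprint of a planted VTY).
SAMPLE_RUNNING_CONFIG = """\
line vty 0 4
 login local
 transport input ssh
line vty 5
 no login
 privilege level 15
 transport input all
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Line-mode commands that should never appear on a VTY without a change ticket (assumed list).
RISKY_LINE_COMMANDS = ("no login", "privilege level 15", "transport input all")


def parse_vty_sessions(show_users: str) -> List[dict]:
    """Extract VTY sessions from `show users` text (assumed column layout)."""
    sessions = []
    for raw in show_users.splitlines():
        tokens = raw.lstrip("*").split()   # leading '*' marks the current line
        if "vty" not in tokens:
            continue                       # header, console and aux lines are skipped
        i = tokens.index("vty")
        # The User column is blank for an unauthenticated session, so the next
        # token is already the Host(s) column ("idle").
        user = tokens[i + 2] if tokens[i + 2] != "idle" else ""
        location = tokens[-1] if IPV4_RE.match(tokens[-1]) else ""
        sessions.append({"vty": int(tokens[i + 1]), "user": user, "location": location})
    return sessions


def audit_sessions(sessions: List[dict], allowed_sources: Set[str]) -> List[str]:
    """Flag VTY sessions with no authenticated user or from a non-management host."""
    findings = []
    for s in sessions:
        if not s["user"]:
            findings.append(f"vty {s['vty']}: session with no authenticated user "
                            f"from {s['location'] or 'unknown'}")
        elif s["location"] not in allowed_sources:
            findings.append(f"vty {s['vty']}: user {s['user']} from unexpected source "
                            f"{s['location']}")
    return findings


def parse_vty_config(running_config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under each `line vty ...` header."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in running_config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None                 # any other top-level command ends the block
    return blocks


def audit_vty_config(blocks: Dict[str, List[str]]) -> List[str]:
    """Flag VTY blocks carrying any of the risky line-mode commands."""
    findings = []
    for name, cmds in blocks.items():
        risky = [c for c in cmds if c in RISKY_LINE_COMMANDS]
        if risky:
            findings.append(f"{name}: {', '.join(risky)}")
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(parse_vty_sessions(SAMPLE_SHOW_USERS), {"192.0.2.10"}):
        print("SESSION:", finding)
    for finding in audit_vty_config(parse_vty_config(SAMPLE_RUNNING_CONFIG)):
        print("CONFIG: ", finding)
```

Run against the constructed samples it reports the user-less session on vty 1 and the `line vty 5` block. In practice the same checks belong in whatever pulls `show users` and the running config on a schedule (or in a config-diff job), since the post notes the payload only becomes active once the periodic checksum routine fires, so a one-off snapshot can miss it.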