what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Aug 13, 2008
Authored by Andy Davis

Cisco IOS FTP server exploit step-by-step instructions which includes information on connecting to a Cisco router using gdb.

tags | paper
systems | cisco
SHA-256 | ae635a76307aaf65d0cd771afdc2ccb4754e8f175174fd6311f79b519ae837af


Change Mirror Download
Step-by-step instructions for debugging IOS using gdb - Andy Davis,
2008 (iosftpexploit "at" googlemail <dot> com):

I have been asked by many people for a simple step-by-step guide for
setting up an IOS exploit development environment, which includes
connecting to a Cisco router using gdb, so here goes:

(By the way the router I connect to is a Cisco 2621XM)

Installing and configuring minicom:

In Ubuntu type "apt-get install minicom"

Connect the console port of your router to your PC using a Cisco UTP
-> DB9 cable

type "minicom -s"

Scroll down to "Serial port setup"

Set the "Serial device" to "/dev/ttyS0" (COM1 - or whatever your
router is connected to on your PC)

Set "Bps/Par/Bits" to "9600 8N1"

exit the submenu then scroll down to "Modem and dialling"

Set "Init string" and "Reset string" to be blank

exit the submenu then scroll down to "Save setup as dfl"


Type "minicom" - hit return a few times and you should have an IOS prompt

Exit minicom by typing "ctrl-a" then "x" return

Installing and configuring gdb:

Go to http://ftp.gnu.org/gnu/gdb/

Download "gdb-6.0.tar.gz" and "gdb-6.1.1.tar.gz"

tar xvfz gdb-6.0.tar.gz
tar xvfz gdb-6.1.1.tar.gz

copy "gdb-6.1.1/include/obstack.h" to "gdb-6.0/include/" (obstack.h in
gdb 6.0 is broken)

edit gdb-6.0/gdb/remote.c

on line 4261

change "static int remote_cisco_mode;" to "static int remote_cisco_mode = 1;"

edit gdb-6.0/sim/ppc/ppc-instructions

on line 1285, under "LABEL(Done):"

Add the line "(void)0;"

cd gdb-6.0/

./configure --target=powerpc-elf


make install

In your home directory create a file called ".gdbinit" containing the following:

target remote /dev/ttyS0 (or whatever port your router is connected to)

Connecting to the router using gdb:

type "minicom" to connect to the router

enter "enable mode" by typing "en" followed by the enable password

type "gdb kernel" - the router will display the following:


Type "ctrl-a" then "x" to exit minicom

type "powerpc-elf-gdb"

gdb will connect to the router via the serial cable and display the following:

GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=powerpc-elf".
warning: Relocation packet received with no symbol file. Packet Dropped

0x00000000 in ?? ()

Congratulations you are now debugging IOS ;-)

One unusual feature, which I have yet to explain is that when the
registers are displayed they are all offset by 1 e.g:

(gdb) info reg
r0 0x50 80
r1 0x1 1
r2 0x81c97498 -2117503848
r3 0x816e0000 -2123497472
r4 0x8195e054 -2120884140
r5 0x81c974b0 -2117503824
r6 0x3 3

The register displayed as r0 is a bogus value and the value of r0 is
actually 0x00000001, r1 is 0x81c97498 etc.

Another "feature" of debugging IOS with gdb is that when you set a
breakpoint and then continue running IOS, when the breakpoint is
triggered, gdb has actually overwritten the instructions at the
address at which the breakpoint was set with the value 0x7d821008 and
therefore, you need to take a note of the bytes associated with the
instruction at that address and replace them after the breakpoint has
been triggered before continuing.

To continue normal execution of IOS from within gdb:

Type "c" return
Hit ctrl-c twice
Type "y" return
Type "quit" return

Hopefully this information will promote further IOS security research



Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By