Cisco IOS Shellcode Demonstration

Fugitif · 13 Nov 2007

Embedded Systems Security

High quality versions of the three Cisco IOS shellcode demonstration

Please note that each shellcode (written in PowerPC assembly language) is being launched from GDB within a development environment rather than as the payload to an exploit. The "Development server" is connected to the Cisco router (2600 Series) via a serial cable (for GDB debugging) and via Ethernet (for TCP/IP communications).

It takes a short while for the shellcode to start functioning as it has been hooked into the IOS image checksumming routine that runs every 30-60 seconds. When each starts running, the arbitrary text "<args-warning>" is displayed on the console to indicate successful execution of the shellcode.
Click to expand...

Bind Shell

· Requires four hard-coded addresses of functions within IOS

· Creates a new VTY

· Sets a password on the VTY

· Privilege escalates to level 15

Video: Bind Shell

http://www.irmplc.com/content/videos/bindshell/bindshell.html

Reverse Shell

· Requires five hard-coded addresses of functions within IOS

· Creates a new VTY

· Privilege escalates to level 15

· Opens a new TCP connection

· Binds the VTY to the TCP connection

Video: Reverse Shell

http://www.irmplc.com/content/videos/reverseshell_final/reverseshell_final.html

Two byte rootshell or Tiny Shell

· Requires up to one (sometimes none) hard-coded addresses within IOS

· Removes the requirement to authenticate to a currently active VTY

· Privilege escalates to level 15

Video: "Two byte rootshell" or Tiny Shell

http://www.irmplc.com/content/videos/tinyshell_final/tinyshell_final.html

More Info:

http://www.irmplc.com/index.php/153-Embedded-Systems-Security

Useful Searches

Cisco IOS Shellcode Demonstration

Fugitif Elder - Старейшина