Cisco IOS Shellcode Presentation

["Eric Lauzon" <eric.lauzon () abovesecurity com>]

> On Fri, 29 Jul 2005, Eric Lauzon wrote:
>
> : 
> :So mutch fuss....its all so new ..
> :
> :
> :http://www.phrack.org/phrack/56/p56-0x0a
> :
> :
> :-elz
>
> I don't get your point; it obviously seems you're trying to be 
> sarcastic.
>
> I think, if you realize what you're talking about, the point of the 
> talk was the idea of reliably being able to exploit a IOS 
> vulnerability.
> Reliably meaning having the cisco box not reboot on you (or other 
> various scenarios that could occur).
>
> Gaius has some good information there, but there's a difference 
> between being on a router and plugging in backdoor code and actually 
> being able to get onto the router via an exploit.
>
> So what was the key point?  CHECK HEAPS -- the idle proc that kicks in

> to validate heap management structures.  Think about
> malloc() bugs (double free()'s and stuff) that were talked about a few

> years back... Those were easier to exploit b/c they didn't have a 
> check heaps code that kicks in...

I am stating that exploiting IOS flaw is nothing so new to the world.

In conclusion, if IOS can be backdoored it can be exploited as any other
os/arch due to design flaws.

Still people talk about vulnerability when credential can be stolen and
IOS can be replaced, in my book the two are not so far, exploit or use
of stolen credential to backdoor. Because in the end you still want to
keep control ;)


-elz
 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/