Vulnerability Development mailing list archives

IRM Demonstrates Multiple Cisco IOS Exploitation Techniques


From: "Andy Davis" <andy.davis () irmplc com>
Date: Wed, 10 Oct 2007 11:27:20 +0100

In August 2005 at Black Hat Las Vegas, Michael Lynn delivered his
infamous presentation entitled "Cisco IOS Shellcode and Exploitation
Techniques". For the first time ever, remote exploitation of Cisco IOS
was publicly demonstrated using shellcode that spawned a connect-back or
"reverse" shell. His shellcode was never released outside Cisco.

Over the last few months IRM have been researching the security of Cisco
IOS which has resulted in the discovery of a series of serious security
vulnerabilities (including three new stack overflows). Advisories and
associated IOS patches will be released over the coming months, starting
with the first - a co-ordinated release between IRM and Cisco at 12:00
EST today (http://www.irmplc.com/index.php/107-Advisories)

During the research, three shellcode payloads for IOS exploits were
developed - a "reverse" shell, a password-protected "bind" shell and
another "bind" shell that is achieved using only two 1-byte memory
overwrites. IRM have produced videos demonstrating each of these
payloads in action within a development environment. They can be viewed
here:

http://www.irmplc.com/index.php/153-Embedded-Systems-Security
