Bugtraq mailing list archives
RE: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques
From: "Andy Davis" <andy.davis () irmplc com>
Date: Thu, 11 Oct 2007 08:32:19 +0100
Halvar, The primary objective of the research was to understand how to create a remote high privilege shell on IOS (as Michael Lynn demonstrated at BlackHat 2005) - this was achieved and in the process, we discovered three ways of doing it. Because we had worked out how to use gdb with IOS, the easiest way for us to develop the shellcode was by using gdb to upload the code to some spare IOS memory and hook into an IOS process that was already running to execute it. The secondary objective was making the shellcode as compact as possible, with the minimal number of hard-coded function addresses as possible (due to the monolithic nature of IOS - every version will have these functions at slightly different addresses). During this process we discovered the "tiny shell" technique (demonstrated in one of the videos) - all that is required to gain a remote shell on IOS (that has at least one VTY enabled) is two 1-byte memory overwrites. The first byte modification removes access control to the VTY and the second privilege escalates to Level 15. Personally I think these techniques are pretty cool we're really pleased with the results of the research - I think it may be clearer to everyone when we release the higher resolution videos that are easier to watch. Cheers, Andy -----Original Message----- From: Halvar Flake [mailto:halvar.flake () sabre-security com] Sent: 12 October 2007 07:32 To: Andy Davis; bugtraq () securityfocus com Subject: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Hey Andy, thanks. So the core of IRMs work is "ways of getting a Cisco shell over the network with a small/minimal number of hardcoded addresses" ? Cheers, Halvar
Current thread:
- Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Damir Rajnovic (Oct 10)
- Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Halvar Flake (Oct 10)
- RE: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Andy Davis (Oct 11)
- Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Halvar Flake (Oct 11)
- RE: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Andy Davis (Oct 11)
- Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Halvar Flake (Oct 11)
- Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Roman Medina-Heigl Hernandez (Oct 12)
- Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Mark Senior (Oct 12)
- RE: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Andy Davis (Oct 11)
- Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Halvar Flake (Oct 10)
- <Possible follow-ups>
- RE: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Andy Davis (Oct 16)