RE: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques

["Andy Davis" <andy.davis () irmplc com>]

Halvar,

The primary objective of the research was to understand how to create a
remote high privilege shell on IOS (as Michael Lynn demonstrated at
BlackHat 2005) - this was achieved and in the process, we discovered
three ways of doing it. Because we had worked out how to use gdb with
IOS, the easiest way for us to develop the shellcode was by using gdb to
upload the code to some spare IOS memory and hook into an IOS process
that was already running to execute it.

The secondary objective was making the shellcode as compact as possible,
with the minimal number of hard-coded function addresses as possible
(due to the monolithic nature of IOS - every version will have these
functions at slightly different addresses). During this process we
discovered the "tiny shell" technique (demonstrated in one of the
videos) - all that is required to gain a remote shell on IOS (that has
at least one VTY enabled) is two 1-byte memory overwrites. The first
byte modification removes access control to the VTY and the second
privilege escalates to Level 15.

Personally I think these techniques are pretty cool we're really pleased
with the results of the research - I think it may be clearer to everyone
when we release the higher resolution videos that are easier to watch.

Cheers,

Andy

-----Original Message-----
From: Halvar Flake [mailto:halvar.flake () sabre-security com] 
Sent: 12 October 2007 07:32
To: Andy Davis; bugtraq () securityfocus com
Subject: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS
Exploitation Techniques

Hey Andy,

thanks. So the core of IRMs work is "ways of getting a Cisco shell over
the 
network
with a small/minimal number of hardcoded addresses" ?

Cheers,
Halvar