Technical sharing: Cisco IOS process debugging
Date: 2006-06-01
Ciscox notes (Anthony C. Zboralski Gaius)

Research is being done on a useless Cisco 1600 with 4 megs of flash running IOS 11.1.

Recently, after writing my first cisco warez (tunnelx), I told myself: hey, we need to find a way to inject arbitrary code, poke and peek at the memory on a cisco, hide interfaces, route-maps, access-lists.

Let's look around:

scep#show proc
CPU utilization for five seconds: 10%/4%; one minute: 14%; five minutes: 14%
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
   1 M*         0         1248        107   11663 2204/4000   1 Virtual Exec
   2 Lst  802DF16        34668        313  110760 1760/2000   0 Check heaps
   3 Cwe  801D5DE            0          1       0 1736/2000   0 Pool Manager
   4 Mst  8058B20            0          2       0 1708/2000   0 Timers
   5 Lwe  80BFD4A           24         46     521 1448/2000   0 ARP Input
   6 Mwe  81F78F0            4          1    4000 1744/2000   0 SERIAL A'detect
   7 Lwe  80D935A            4          1    4000 1656/2000   0 Probe Input
   8 Mwe  80D8CD6            0          1       0 1744/2000   0 RARP Input
   9 Hwe  80CA966           80         89     898 3116/4000   0 IP Input
  10 Mwe  80F41BA           16        322      49 1348/2000   0 TCP Timer
  11 Lwe  80F5EB8            8          3    2666 3244/4000   0 TCP Protocols
  12 Mwe  813785E           80        177     451 1588/2000   0 CDP Protocol
  13 Mwe  80D5770            0          1       0 1620/2000   0 BOOTP Server
  14 Mwe  81112C0         1356       1522     890 1592/2000   0 IP Background
  15 Lsi  8121298            0         25       0 1792/2000   0 IP Cache Ager
  16 Cwe  80237BE            0          1       0 1748/2000   0 Critical Bkgnd
  17 Mwe  802365A           12          5    2400 1476/2000   0 Net Background
  18 Lwe  804E82E           16          4    4000 1192/2000   0 Logger
  19 Msp  80456DE           80       1493      53 1728/2000   0 TTY Background
  20 Msp  802345C           20       1494      13 1800/2000   0 Per-Second Jobs
  21 Msp  80233F2           68       1494      45 1488/2000   0 Net Periodic
  22 Hwe  80234DC            4          1    4000 1724/2000   0 Net Input
  23 Msp  8023482          772         25   30880 1800/2000   0 Per-minute Jobs
  24 Lwe  8109834            4          2    2000 3620/4000   0 IP SNMP
  25 Mwe  815CE08            0          1       0 1712/2000   0 SNMP Traps
  26 ME   811805A            0         26       0 1892/2000   0 IP-RT Background
  27 ME   803B0F8           32         11    2909 2760/4000   2 Virtual Exec

Now you can even dump the memory with 'show memory'. Good, but there isn't a 'write memory' command. Too bad. Maybe not...

I started looking for undocumented and hidden commands and found quite a bunch of them.

Among all the stupid hidden commands, the best candidate for taking full control of the cisco is 'gdb'.

The IOS gdb command offers three subcommands:

gdb
  debug    PID
  examine  PID
  kernel

The kernel subcommand works only on the console. However, 'examine' and 'debug' work perfectly; the debug subcommand is a bit tricky to use though.

scep#gdb debug 27
||||

oops..

Ok, grab a copy of gdb-4.18 and try to compile a version for your cisco:

mkdir m68k-cisco
../configure --target m68k-cisco
make

If you have a mips based cisco, just s/m68k/mips64/ the above 4 lines.

Now type make install and you should have an m68k-cisco-gdb binary in your path.

fire# m68k-cisco-gdb
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=m68k-cisco".
(cisco-68k-gdb)

My cisco 1600 is connected to /dev/ttyS0,

scep>en
Password:
scep#gdb debug 18

scep#

As you can see it bails out if you hit return, while examine seems to work:

scep#gdb examine 18
||||

Now the console seems locked.
Go back to our gdb-4.18 source tree and check out gdb/remote.c, which contains nice documentation of the gdb remote communication protocol.
added.

IOS gdbserver implementation

Don't get too excited, IOS gdbserver supports only a limited subset of those commands. I'll grab a binary of IOS 12 and check if new commands were added. I didn't have to test every command by hand.. let's just say I have reliable sources and I know that in IOS 11.2-8 (hum hum), the following commands are supported:

Request         Packet

read registers  g

write regs      GXX..XX               Each byte of register data is described by
                                      two hex digits. Registers are in the internal
                                      order for GDB, and the bytes in a register
                                      are in the same order the machine uses.

read mem        mAA..AA,LLLL          AA..AA is address, LLLL is length.

write mem       MAA..AA,LLLL:XX..XX   AA..AA is address, LLLL is number of bytes,
                                      XX..XX is data.

continue        cAA..AA               AA..AA is address to resume. If AA..AA is
                                      omitted, resume at same address.

step            sAA..AA               AA..AA is address to resume. If AA..AA is
                                      omitted, resume at same address.

kill request    k

last signal     ?                     Reply the current reason for stopping. This
                                      is the same reply as is generated for step
                                      or cont: SAA where AA is the signal number.

toggle debug    d                     toggle debug flag (see 386 & 68k stubs)

All other commands will be ignored...
Too bad 'search' isn't implemented.

The protocol is simple, quoting remote.c comments:

A debug packet whose contents are <data> is encapsulated for transmission in the form:

    $ <data> # CSUM1 CSUM2

<data> must be ASCII alphanumeric and cannot include the characters '$' or '#'. If <data> starts with two characters followed by ':', then the existing stubs interpret this as a sequence number.

CSUM1 and CSUM2 are the ASCII hex representation of an 8-bit checksum of <data>; the most significant nibble is sent first. The hex digits 0-9,a-f are used.

Before trying to make gdb work I wrote a little program that computes the right checksum:

#include <stdio.h>
#include <stdlib.h>

unsigned char const hexchars[] = "0123456789abcdef";

/* low nibble of c as an ascii hex digit */
char tohexchar (unsigned char c)
{
  c &= 0x0f;
  return(hexchars[c]);
}

int main(int argc, char **argv)
{
  unsigned char checksum;
  int count;
  char *command;
  char ch;

  if (argc <= 1)
    exit(1);
  printf("gdb protocol command: ");
  command = argv[1];
  putchar ('$');
  checksum = count = 0;
  /* the checksum is the 8-bit sum of every byte of <data> */
  while ((ch = command[count]))
    {
      putchar(ch);
      checksum += ch;
      count++;
    }
  putchar('#');
  putchar(tohexchar(checksum >> 4));   /* most significant nibble first */
  putchar(tohexchar(checksum));
  putchar(' ');
  return 0;
}

./gdbproto g
gdb protocol command: $g#67

Now paste that on the |||| prompt and you get register output:

scep
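As an added example (my code, not from the notes or from gdb), here is the other half of what the little program above does: framing a packet the way remote.c describes it, and checking the framing and checksum of a received packet the way a stub has to before it acts on anything, plus a check against the nine requests the notes list for the IOS stub. gdb_buf and all function names are my own; the address in the sample packet is constructed.

```c
#include <string.h>

/* gdb remote framing as quoted from remote.c: "$" <data> "#" CSUM1 CSUM2, where the
 * checksum is the 8-bit sum of the payload bytes sent as two lowercase hex digits. */
static const char hexchars[] = "0123456789abcdef";
char gdb_buf[256];   /* scratch buffer for callers of gdb_encode */

unsigned char gdb_checksum(const char *data, size_t len)
{
    unsigned char sum = 0;
    while (len--)
        sum += (unsigned char)*data++;
    return sum;
}

/* Frame <data> into buf; -1 if <data> contains '$' or '#' (forbidden) or buf is too small. */
int gdb_encode(const char *data, char *buf, size_t bufsz)
{
    size_t len = strlen(data);
    unsigned char sum;
    if (strpbrk(data, "$#") || len + 5 > bufsz)
        return -1;
    sum = gdb_checksum(data, len);
    buf[0] = '$';
    memcpy(buf + 1, data, len);
    buf[len + 1] = '#';
    buf[len + 2] = hexchars[sum >> 4];      /* most significant nibble first */
    buf[len + 3] = hexchars[sum & 0x0f];
    buf[len + 4] = '\0';
    return (int)(len + 4);
}

/* Check framing and checksum of a received packet: 1 = intact, 0 = must be rejected. */
int gdb_packet_ok(const char *pkt)
{
    const char *hash = pkt[0] == '$' ? strchr(pkt + 1, '#') : NULL;
    const char *hi, *lo;
    if (!hash || !hash[1] || !hash[2] || hash[3] != '\0')
        return 0;
    hi = strchr(hexchars, hash[1]);         /* lowercase hex only, as the notes state */
    lo = strchr(hexchars, hash[2]);
    if (!hi || !lo)
        return 0;
    return (((hi - hexchars) << 4) | (lo - hexchars)) == gdb_checksum(pkt + 1, (size_t)(hash - pkt - 1));
}

/* 1 if a valid packet is one of the nine requests the notes list for the IOS stub. */
int ios_stub_supports(const char *pkt)
{
    return gdb_packet_ok(pkt) && strchr("gGmMcsk?d", pkt[1]) != NULL;
}
```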