IOS FEATURES AND COMMANDS THAT CAN BE (AB)USED BY REVERSE ENGINEERS

Let's review methods for locating IOS library functions; knowing their addresses greatly assists the exploit writer. How can we do this, and perform other reverse-engineering tasks, using the router itself? Cisco IOS has a built-in GDB debugger that has limited capabilities but nevertheless works. You can learn a bit more about it in Chapter 10 of this book, where we discuss the use of IOS binary image patching for malicious purposes.

You can also use an IOS feature that allows you to force the core dump using the exception command with a variety of arguments, as shown here:

 c2600(config)#exception ?
   core-file            Set name of core dump file
   crashinfo            Crashinfo collection
   dump                 Set name of host to dump to
   flash                Set the device and erase permission
   memory               Memory leak debugging
   protocol             Set protocol for sending core file
   region-size          Size of region for exception-time memory pool
   spurious-interrupt   Crash after a given number of spurious interrupts

If a TFTP server is used to dump the core, only the first 16MB of the core will be dumped. Thus, we recommend using FTP, rcp, or a Flash disk unless your router has less than 16MB of RAM. You can trigger a core dump manually with the write core privileged EXEC mode command. Alternatively, some of the exception command arguments shown in the preceding output can be preset to describe the conditions under which the core dump is to take place:

 c2600(config)#exception memory ?
   fragment   Crash if we can't allocate contiguous memory above limit
   minimum    Crash if free memory pool shrinks below limit

 c2600(config)#exception spurious-interrupt ?
   <1-4294967295>  Spurious interrupt threshold

A hidden IOS debug sanity command (see Appendix C), entered when setting up the core dump configuration, can also come in very handy. When debug sanity is turned on, every buffer used in the system is sanity-checked when it is allocated and when it is freed. If this command is available on your IOS version, it produces the following output:

 c2600#debug sanity
 Buffer pool sanity debugging is on
 c2600#undebug sanity
 Buffer pool sanity debugging is off
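The following transcript is an added example, not taken from the book, that ties the exception, debug sanity, and write core commands above into one complete core-dump setup. It sends the core over FTP so that the 16MB TFTP limit does not apply. The dump host 192.0.2.10, the FTP credentials, the core-file name, and the memory and interrupt thresholds are assumed values chosen for illustration; adjust them to your own lab.

```cisco
! Added example (not from the book). 192.0.2.10, coreuser/corepass,
! the file name and the thresholds are assumed values.
c2600#configure terminal
! Credentials IOS will use when it pushes the core to the FTP server.
c2600(config)#ip ftp username coreuser
c2600(config)#ip ftp password corepass
! FTP instead of the default TFTP, which truncates the core at 16MB.
c2600(config)#exception protocol ftp
c2600(config)#exception dump 192.0.2.10
c2600(config)#exception core-file c2600-core
! Preset crash conditions: dump when the free memory pool shrinks below
! 262144 bytes, or after ten spurious interrupts.
c2600(config)#exception memory minimum 262144
c2600(config)#exception spurious-interrupt 10
c2600(config)#end
! Hidden command: sanity-check every buffer on allocation and free
! while waiting for the crash.
c2600#debug sanity
! Do not wait for a crash: force the dump now to test the setup.
c2600#write core
```

Check the settings with show running-config | include exception before triggering anything. On many IOS versions write core prompts for the remote host and the base file name, offering the configured values as defaults. Two practical caveats: the core is a full image of router memory, so it carries the running configuration with any passwords and keys in it, and it crosses the network in cleartext over FTP; treat the receiving host and the FTP account with the same care as the router. The FTP password itself is also stored in the configuration.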

For the analysis of IOS core dumps, an ordinary UNIX GDB build suffices, as long as it was configured and compiled with a target that names Cisco and the processor type of the router series under investigation, like so:

 ./configure --target m68k-cisco && make 
Note 

A lot of useful information about specifying targets for GDB can be viewed at http://www.ftp.gnu.org/pub/gnu/Manuals/gdb-5.1.1/html_chapter/gdb_15.html, and we are not going to replicate it here.

In addition to the embedded and external GDB and to dumping router memory with the exception command, don't forget the many IOS commands we have already used in this chapter. Commands such as show memory, show stack, show context, and the various IOS debug functions are valuable research tools for reverse engineers.



Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
Year: 2005