A MINIMALISTIC REVERSE ENGINEERING ARSENAL

While a few disassembly aspects of IOS binary images are described in Chapter 10, here we are interested in working with a live system. Let's look at the few tricks attackers may employ if they decide to follow the dangerous reverse engineering path .

First of all, a cracker will need the tools suitable for both disassembly and shellcode construction. He would also need decent documentation about the CPU of a targeted router type. The majority of Cisco routers deployed on the modern Internet are probably using PPC family processorsfor example, the MPC860 chip in Cisco 2600 series. Some excellent documentation about the PPC processor family can be found at the manufacturer's site, https ://www.freescale.com . As for the free assembly and disassembly tools for the masses, this niche is likely to be taken by the GNU binutils, which can be downloaded from http://www.gnu.org/software/binutils/ or many other mirror sites. GNU binutils come with both assembly and disassembly tools.

As listed on the binutils site, this toolkit currently includes the following:

  • Id The GNU linker

  • as The GNU assembler

  • addr2line Converts addresses into filenames and line numbers

  • ar Creates, modifies, and extracts from archives

  • c++filt Filter that demangles encoded C++ symbols

  • gprof Displays profiling information

  • nlmconv Converts object code into a NetWare Loadable Module (NLM)

  • nm Lists symbols from object files

  • objcopy Copies and translates object files

  • objdump Displays information from object files

  • ranlib Generates an index to the contents of an archive

  • readelf Displays information from any executable and linking format (ELF) object file

  • size Lists the section sizes of an object or archive file

  • strings Lists printable strings from files

  • strip Discards symbols

  • windres A compiler for Windows resource files

image from book
Lessons from Michael Lynn's Black Hat Presentation

After this basic introduction to readily obtainable reverse engineering documentation and tools, let's briefly discuss Michael Lynn's Black Hat presentation story. (We are only touching on it here as we can't legally discuss a banned presentationonly a story linked with it.) Michael described how to find some functions vital for the construction of a complete shellcode in Cisco IOS. These functions include the following:

  • Functions for working with memory malloc , for memory allocation

  • Process management- related functions CreateThread , for creating the process, and Exit , for correct exit from the main process

  • TTY management-related functions allocateTTY for setting up TTY

  • Networking-related functions sockets (the mysterious socket-like TCBs are used), TCBCreate , and Connect . It could be that the BSD sockets are present as macros, using the TCBs.

image from book
 

For a variety of ( mainly legal) reasons, we cannot include Michael's entire presentation here, but that doesn't stop us from adding our two cents . The process management C function CreateThread () was shown by Michael, as follows :

 void *CreateThread(void *entryPoint,                                          char *name,                                          int something,                                          int dunno); 

From what we could see, int something is actually the stack size and int dunno is the process priority, and it didn't take us long to discover this. So this function really looks like this:

 void *CreateThread(void *entryPoint,                                          char *name,                                          int stack_size,                                          int process_priority); 

Michael has described everything necessary for creating fully functional IOS shellcode. Just take the kill () function example: an attacker can kill his main enemythe Check Heaps processthen bring down the Syslog Manager, which would obviously give him a huge advantage. The main problem with developing such shellcode is that it would still be bound to the specific releases of the IOS compilation, since all entry points in a function are static only for the selected IOS release. The fake memory block games suffer from exactly the same problem: all values are still static for the selected IOS release. A possible solution for a penetration tester is to create a whole collection of shellcodes for the different IOS releases and plug them into the Metasploit Framework ( http://www.metasploit.com/projects/Framework/ ). More work on this project is on our vast to-do list and, no doubt, on the wish lists of many security consultants worldwide.

For a Cisco 2600 router family, for example, compile the necessary tools from binutils with the ./configure target=ppc-elf setting. If an attacker wants to disassemble using objdump , he will present a needed memory block in a router console, capture it, and edit this data to remove unnecessary output. Then the disassembly would be done without any problems by employing a command like this:

 arhontus#/opt/ppc/bin/ppc-elf-objdump -b binary -m <your processor here      --endian=big --disassemble-all captured.bin > captured.disasm 


Hacking Exposed Cisco Networks
Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
EAN: 2147483647
Year: 2005
Pages: 117

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net