| ||
While a few disassembly aspects of IOS binary images are described in Chapter 10, here we are interested in working with a live system. Let's look at the few tricks attackers may employ if they decide to follow the dangerous reverse engineering path .
First of all, a cracker will need the tools suitable for both disassembly and shellcode construction. He would also need decent documentation about the CPU of a targeted router type. The majority of Cisco routers deployed on the modern Internet are probably using PPC family processorsfor example, the MPC860 chip in Cisco 2600 series. Some excellent documentation about the PPC processor family can be found at the manufacturer's site, https ://www.freescale.com . As for the free assembly and disassembly tools for the masses, this niche is likely to be taken by the GNU binutils, which can be downloaded from http://www.gnu.org/software/binutils/ or many other mirror sites. GNU binutils come with both assembly and disassembly tools.
As listed on the binutils site, this toolkit currently includes the following:
Id The GNU linker
as The GNU assembler
addr2line Converts addresses into filenames and line numbers
ar Creates, modifies, and extracts from archives
c++filt Filter that demangles encoded C++ symbols
gprof Displays profiling information
nlmconv Converts object code into a NetWare Loadable Module (NLM)
nm Lists symbols from object files
objcopy Copies and translates object files
objdump Displays information from object files
ranlib Generates an index to the contents of an archive
readelf Displays information from any executable and linking format (ELF) object file
size Lists the section sizes of an object or archive file
strings Lists printable strings from files
strip Discards symbols
windres A compiler for Windows resource files
After this basic introduction to readily obtainable reverse engineering documentation and tools, let's briefly discuss Michael Lynn's Black Hat presentation story. (We are only touching on it here as we can't legally discuss a banned presentationonly a story linked with it.) Michael described how to find some functions vital for the construction of a complete shellcode in Cisco IOS. These functions include the following:
Functions for working with memory malloc , for memory allocation
Process management- related functions CreateThread , for creating the process, and Exit , for correct exit from the main process
TTY management-related functions allocateTTY for setting up TTY
Networking-related functions sockets (the mysterious socket-like TCBs are used), TCBCreate , and Connect . It could be that the BSD sockets are present as macros, using the TCBs.
For a variety of ( mainly legal) reasons, we cannot include Michael's entire presentation here, but that doesn't stop us from adding our two cents . The process management C function CreateThread () was shown by Michael, as follows :
void *CreateThread(void *entryPoint, char *name, int something, int dunno);
From what we could see, int something is actually the stack size and int dunno is the process priority, and it didn't take us long to discover this. So this function really looks like this:
void *CreateThread(void *entryPoint, char *name, int stack_size, int process_priority);
Michael has described everything necessary for creating fully functional IOS shellcode. Just take the kill () function example: an attacker can kill his main enemythe Check Heaps processthen bring down the Syslog Manager, which would obviously give him a huge advantage. The main problem with developing such shellcode is that it would still be bound to the specific releases of the IOS compilation, since all entry points in a function are static only for the selected IOS release. The fake memory block games suffer from exactly the same problem: all values are still static for the selected IOS release. A possible solution for a penetration tester is to create a whole collection of shellcodes for the different IOS releases and plug them into the Metasploit Framework ( http://www.metasploit.com/projects/Framework/ ). More work on this project is on our vast to-do list and, no doubt, on the wish lists of many security consultants worldwide.
For a Cisco 2600 router family, for example, compile the necessary tools from binutils with the ./configure target=ppc-elf setting. If an attacker wants to disassemble using objdump , he will present a needed memory block in a router console, capture it, and edit this data to remove unnecessary output. Then the disassembly would be done without any problems by employing a command like this:
arhontus#/opt/ppc/bin/ppc-elf-objdump -b binary -m <your processor here --endian=big --disassemble-all captured.bin > captured.disasm
| ||