As for IOS shellcode development, the story continues. Until recently, Cisco IOS remained in the shadows, with no new shellcode examples or materials devoted to their development being published. This lasted until Michael Lynn picked up a disassembler and demonstrated the results of his experiments at the infamous "silenced presentation" during the Black Hat 2005 conference. (See "Lessons from Michael Lynn's Black Hat Presentation" at the end of the chapter.) We cannot end this chapter without making a few points about IOS disassembly by hackers. But first of all, be forewarned and take into account the legal side of such security research and its possible repercussions. The Cisco End User License Agreement, available at http://www.cisco.com/en/US/products/prod_warranties_item09186a008025c927.html , states in the "General Limitations" section that the
Customer acknowledges that the Software and Documentation contain trade secrets of Cisco, its suppliers or licensors, including but not limited to the specific internal design and structure of individual programs and associated interface information. Accordingly, except as otherwise expressly provided under this Agreement, Customer shall have no right, and Customer specifically agrees not to: reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction;
Of course, along with the license restrictions, you are also subject to the laws of the country in which you work. To say the least, these laws are not particularly reverse-engineer-friendly.
However, describing a search for new vulnerabilities (or for capabilities of closed-source software products that are unknown to the general public) is impossible without mentioning decompilation, decryption, and disassembly. Generally speaking, disassembly is like sex in the good old USSR: everyone has it, but no one is supposed to talk about it to the press or on TV. Legally, we cannot go deeply into the IOS reverse engineering process in this book. Nevertheless, a general and simple outline of how attackers may tackle it seems appropriate.