Let's review methods for finding IOS library functions, since knowing where they live greatly assists the exploit writer. How can we locate them, and perform other reverse engineering tasks, on the router itself? Cisco IOS has a built-in GDB debugger that has limited capabilities but nevertheless works. You can learn more about it in Chapter 10 of this book, where we discuss IOS binary image patching for malicious purposes.
You can also use an IOS feature that lets you force a core dump with the exception configuration command, which takes a variety of arguments, as shown here:
c2600(config)#exception ?
  core-file           Set name of core dump file
  crashinfo           Crashinfo collection
  dump                Set name of host to dump to
  flash               Set the device and erase permission
  memory              Memory leak debugging
  protocol            Set protocol for sending core file
  region-size         Size of region for exception-time memory pool
  spurious-interrupt  Crash after a given number of spurious interrupts
If a TFTP server is used to receive the core, only the first 16MB of it will be dumped. Thus, we recommend that you use FTP, rcp, or a Flash disk, unless your router has less than 16MB of RAM. You can trigger a core dump on demand with the write core privileged EXEC command. Alternatively, some of the exception command arguments shown in the preceding output can be preset to describe the conditions under which the router crashes and dumps its core (a crash means a reload, so do not enable these casually on a production router):
c2600(config)#exception memory ?
  fragment  Crash if we can't allocate contiguous memory above limit
  minimum   Crash if free memory pool shrinks below limit
c2600(config)#exception spurious-interrupt ?
  <1-4294967295>  Spurious interrupt threshold
A hidden IOS debug sanity command (see Appendix C), which can be entered while setting up the core dump configuration, also comes in very handy. When debug sanity is turned on, every buffer used by the system is sanity-checked when it is allocated and when it is freed. If the command is available in your particular IOS version, it produces the following output:
c2600#debug sanity
Buffer pool sanity debugging is on
c2600#undebug sanity
Buffer pool sanity debugging is off
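The following listing ties the preceding pieces together into one complete core dump setup that sends the full router memory to an FTP server and then tests it with write core. It is an added example, not a listing from the original book: the host address 192.0.2.10, the FTP account coredump/S3cret, the core file name c2600-core, and the memory and spurious-interrupt thresholds are all assumed values for illustration and must be replaced with your own.

```cisco
! Added example (not from the original text). Assumed values:
! dump host 192.0.2.10, FTP user coredump, core file name c2600-core.
c2600#configure terminal
!
! FTP instead of TFTP, so the dump is not truncated at 16MB.
c2600(config)#ip ftp username coredump
c2600(config)#ip ftp password S3cret
c2600(config)#exception protocol ftp
c2600(config)#exception dump 192.0.2.10
c2600(config)#exception core-file c2600-core
!
! Preset crash conditions: dump when free memory drops below the
! assumed 64KB threshold, or after the assumed 50 spurious interrupts.
! Either condition crashes and reloads the router.
c2600(config)#exception memory minimum 65536
c2600(config)#exception spurious-interrupt 50
c2600(config)#end
!
! Hidden command: check every buffer on allocation and on free.
c2600#debug sanity
Buffer pool sanity debugging is on
!
! Test the setup now instead of waiting for a crash.
c2600#write core
```

Two caveats a practitioner should keep in mind. The FTP credentials are stored in the running configuration and the dump itself is a cleartext copy of the router's entire memory, including any passwords and keys that happen to be resident, so point exception dump at a host on a trusted management network only. And because exception memory and exception spurious-interrupt deliberately crash the router when their thresholds are crossed, set them only for the duration of the analysis and remove them with the no form of each command afterwards.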
For the analysis of IOS core dumps, an ordinary UNIX GDB suffices, as long as it was configured and compiled with Cisco and the processor type of the router series under investigation as the target, like so:
./configure --target m68k-cisco && make
Plenty of useful information about specifying targets for GDB can be found at http://www.ftp.gnu.org/pub/gnu/Manuals/gdb-5.1.1/html_chapter/gdb_15.html, and we are not going to replicate it here.
In addition to the embedded and external GDB and dumping router memory with the exception command, don't forget the many IOS commands we have already used in this chapter. Commands such as show memory, show stack, and show context, together with the various IOS debug functions, are valuable research tools for a reverse engineer.