Frankly speaking, at the time of writing, not many proper working exploits against Cisco IOS are available in the public domain. However, three well-known exploits were written by FX and the Phenoelit team:
UltimaRatioVegas is described in this chapter as the main example of how an IOS exploit can be created.
OoopSPF is outlined in the last chapter of this book.
CiscoCasumEst was mentioned in the previous chapter when talking about Cisco web interface-related attacks.
In addition, two known but publicly unexplored exploitation possibilities exist, namely the IPv6 crafted packet vulnerability (http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml) and the much older but still very relevant NTPd service flaw (http://www.cisco.com/warp/public/707/NTP-pub.shtml). Unfortunately, we were under a tight schedule to release this work and didn't have a chance to do even a tenth of what was initially planned. Looking into these two vulnerabilities in detail and producing a working proof-of-concept exploit, if successful, is also a point on our TODO list. Be sure to check our companion web site for surprises. Also, do not forget that more surprises could be lurking well beneath the public security research domain, especially since the source code of some IOS versions was stolen from its legitimate owners back in 2004 and distributed via underground channels by crackers.