Cisco IOS Shellcodes - Black Hat

Gyan Chawdhary, Senior Consultant
Varun Uppal, Senior Consultant
2007 Information Risk Management Plc, 8th Floor Kings Building, Smith Square, London SW1P 3JJ. Tel: 0207 808 6420  Web: www.irmplc.com  Email: info@irmplc.com

Agenda
- Background and research aims
- Worked example
  - IOS Debugging
  - IOS Shellcode Development Tools
  - Building IOS Shellcodes
  - Bypassing Checkheaps()
- Potential Impact and Threat Scenarios
- Mitigation and conclusions

Why Investigate IOS
- Very little is known about the tools and techniques used by Lynn to create IOS based shellcodes
- IOS security is often overlooked in favor of OS/host based security
- To demonstrate and reiterate that Cisco shellcodes are possible and not difficult to write
- To identify mitigating factors for any issues or loopholes found in IOS

Introduction to IOS
- Monolithic architecture: one big ELF file
- Everything is tightly integrated and non-modular
- Virtual memory scheme not fully implemented; IOS has a flat memory model
- Uses stack and heap data, however everything, including the stack, is stored in the heap

Example Lab Setup (1): IOS Debugging

Decompressing the IOS firmware image
- IOS uses a modified pkzip format for image compression
- The IOS boot loader unzips the image at runtime
- Tools: standard Unix "unzip", Stuffit Expander, WinRar

Fixing the ELF Header (1)
- The uncompressed IOS firmware is a standard ELF image
- The ELF header is slightly modified to prevent attackers from reverse engineering the image offline

    typedef struct
    {
      unsigned char e_ident[EI_NIDENT];   /* Magic number and other info */
      Elf32_Half    e_type;               /* Object file type */
      Elf32_Half    e_machine;            /* Architecture */
      /* ... remaining header fields ... */
    } Elf32_Ehdr;

Fixing the ELF Header (2)
- As we are working with a PowerPC based Cisco router (2600) we use this as the e_machine id for the target architecture
- Using a hex editor, change the "e_machine" field to 0x14
- The image will now load in IDA using the PPC instruction set
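The two slides above boil down to one two-byte field in a 52-byte header. The following Python is an added example, not code from the presentation: it parses an ELF32 header honouring the byte order the header declares, reports whether e_machine agrees with the CPU the image is built for (EM_PPC, 0x14), and performs the same two-byte rewrite the slides do by hand in a hex editor. The header bytes it works on are constructed inline (e_machine cleared to 0x0000, a made-up entry point); nothing here is taken from a real IOS image.

```python
import struct

# ELF32 file-header constants (from the ELF specification / elf.h)
EI_NIDENT = 16
ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC = 2
EM_PPC = 0x14                 # 32-bit PowerPC, the value the slides restore

# Fields that follow e_ident, in order: e_type, e_machine, e_version, e_entry,
# e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize,
# e_shnum, e_shstrndx (36 bytes; 52 together with e_ident)
_REST_FMT = "HHIIIIIHHHHHH"
_REST_NAMES = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
E_MACHINE_OFFSET = EI_NIDENT + 2   # e_type is the 2-byte field before it


def parse_elf32_header(data: bytes) -> dict:
    """Parse an ELF32 header, honouring the byte order declared in e_ident[EI_DATA]."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS32:
        raise ValueError("only ELF32 headers are handled here")
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}[data[5]]
    values = struct.unpack_from(endian + _REST_FMT, data, EI_NIDENT)
    header = dict(zip(_REST_NAMES, values))
    header["endian"] = endian
    return header


def machine_matches(data: bytes, expected: int = EM_PPC) -> bool:
    """True when the header's e_machine agrees with the CPU the image is built for."""
    return parse_elf32_header(data)["e_machine"] == expected


def with_machine(data: bytes, machine: int) -> bytes:
    """Return a copy of `data` with only the e_machine field rewritten
    (the same two-byte change the slides make with a hex editor)."""
    endian = parse_elf32_header(data)["endian"]
    out = bytearray(data)
    struct.pack_into(endian + "H", out, E_MACHINE_OFFSET, machine)
    return bytes(out)


def build_sample_header(machine: int) -> bytes:
    """Constructed sample: a big-endian ELF32 executable header carrying the given
    e_machine. Every other value is made up for the demonstration."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2MSB, 1]) + b"\x00" * 9
    rest = struct.pack(">" + _REST_FMT, ET_EXEC, machine, 1, 0x80008000,
                       52, 0, 0, 52, 32, 1, 40, 0, 0)
    return e_ident + rest


if __name__ == "__main__":
    image = build_sample_header(0x0000)         # constructed: e_machine cleared
    hdr = parse_elf32_header(image)
    print(f"e_type={hdr['e_type']} e_machine={hdr['e_machine']:#x} "
          f"e_entry={hdr['e_entry']:#010x} matches PPC: {machine_matches(image)}")
    repaired = with_machine(image, EM_PPC)
    print(f"after repair: e_machine={parse_elf32_header(repaired)['e_machine']:#x}")
```

Reading the byte order from e_ident rather than assuming big-endian matters: a header that has been tampered with (or a little-endian firmware) would otherwise have every field misread, and the check would give a confident but wrong answer.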

Setting up GDB (1)
- GDB, the GNU Debugger
  - IOS contains a GDB stub with limited functionality
  - Must be connected via a serial port
  - Version 6.0 was the last version to support IOS
  - Several tweaks to the GDB source are required in order to correctly print addresses, which would otherwise cause problems, especially while writing shellcode to target memory addresses using the gdb "set" command

Setting up GDB (2) – Editing config.bfd
Original:
    powerpcle-*-solaris2* | powerpcle-*-linux-* | powerpcle*-vxworks*)
        targ_defvec=bfd_elf32_powerpcle_vec
        targ_selvecs="rs6000coff_vec bfd_elf32_powerpc_vec ppcboot_vec"
        targ64_selvecs="bfd_elf64_powerpc_vec bfd_elf64_powerpcle_vec"
Modified (original targ_selvecs commented out, Cisco core and IEEE vectors selected instead):
    powerpcle-*-solaris2* | powerpcle-*-linux-* | powerpcle*-vxworks*)
        targ_defvec=bfd_elf32_powerpcle_vec
        #targ_selvecs="rs6000coff_vec bfd_elf32_powerpc_vec ppcboot_vec"
        targ64_selvecs="bfd_elf64_powerpc_vec bfd_elf64_powerpcle_vec"
        targ_selvecs="cisco_core_big_vec ieee_vec"

Setting up GDB (3) – Editing remote.c
Comment out the following lines:
    if (remote_cisco_mode == 0)        /* or declare the global as 1 */
      {
        c = readchar (remote_timeout);
        csum += c;
        repeat = c - ' ' + 3;          /* Compute repeat count */
      }
    else
      ...

Setting up GDB (4)
    ./configure --target=powerpcle-elf
DONE: we have a fully working command line IOS serial debugger with read, write and continue functionality.

IOS software development environment – GDB, the GNU Debugger
    (gdb) set processor powerpc-MPC8XX        (using a 2621XM)
    (gdb) target remote /dev/ttyS0
    (gdb) disass 0x83000000 0x8300000c
    Dump of assembler code from 0x83000000 to 0x8300000c:
    0x83000008:     lis     r4,0
    0x8300000c:     addi    r4,r4,60

Example Lab Setup (1): IOS Shellcode Development Tools

Tools
- We write the shellcode in pure PPC assembler
- GAS (the GNU Assembler) is used to assemble the asm code
- Opcodes are then extracted using "objdump -d"
- We use a shell script to translate the objdump output into gdb "set" commands, which can then be processed directly by GDB

Jump Vector Patch (1)
- In order to test our shellcode we patch an existing IOS function to execute the shellcode in memory
- This can be achieved by constructing a .gdbinit file which automatically patches the router with our jump vector.

Jump Vector Patch (2) – the .gdbinit file
    target remote /dev/ttyS0              # remote serial line
    # shellcode patch: jump to *shellcode
    set *0x804A42D8 = 0x3d208312          # lis   r9,0x8312
    set *0x804A42DC = 0x38093a20          # addi  r0,r9,0x3a20
    set *0x804A42E0 = 0x7c0903a6          # mtctr r0
    set *0x804A42E4 = 0x4e800421          # bctrl
    # return(0)
    set *0x804A42E8 = 0x3d20804a          # lis   r9,0x804a
    set *0x804A42EC = 0x380943f8          # addi  r0,r9,0x43f8
    set *0x804A42F0 = 0x7c0903a6          # mtctr r0
    set *0x804A42F4 = 0x4e800421          # bctrl
    source shellcode.txt

IOS GDB script (1)
    #!/bin/bash
    file=$1
    base=$2
    #if [[ $# -ne 2 ]]; then
    #echo "usage ./go.sh a.s base_add"
    #exit
    #fi
    # pull the 4-byte opcode out of each objdump line and emit one gdb "set" per word
    for i in `grep -A200 ' 0:' $file | sed 's/ .*:\(.*\)/0x\1/' | cut -f 1-4 -d ' ' | sed 's/[[:space:]]//g'`; do
        printf "set *0x%X = $i\n" "$base"
        base=$((base + 4))
    done

IOS GDB script (2)
- The script takes a single base address as its argument, which will then be used to store the shellcode in memory
- The script generates a list of set commands in the format `set *<where> = <what>`, which writes the shellcode into runtime router memory

Example Lab Setup (1): Programming the IOS

IOS software development environment – Hello World for IOS
    .text
    .equ printf, 0x803C4800
    .global start
    start:
        bl      start2
        .string "Hello world!!!\n"
    start2:
        mflr    3                   # address of the string is in LR
        lis     7, printf@ha
        addi    7, 7, printf@l      # address of printf into r7, then into CTR
        mtctr   7
        bctrl                       # call printf()

IOS software development environment – Invoking IOS functions
We will use the mtctr and bctrl PowerPC instructions to invoke functions under IOS. This is similar to __attribute__((longcall)) under C.
To transfer control to an IOS function, the Count Register is first loaded with the target address from a General-Purpose Register using the mtctr instruction. The bctrl instruction is then called to branch to the Count Register, which holds the address of our loaded API.

IOS software development problems – Sample code:
    lis     7, API@ha           # load API address into r7 (high half)
    addi    7, 7, API@l         # load API address into r7 (low half)
    mtctr   7                   # move r7 to the count register
    bctrl                       # branch to the count register
Using this method we can invoke APIs under IOS. Example: listen(), connect(), bind()
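The lis/addi/mtctr/bctrl idiom on this slide is exactly what the eight words of the Jump Vector Patch encode. The following Python is an added example, not part of the presentation: it encodes and decodes those four instruction forms, shows why the address is split into @ha and @l (addi sign-extends its 16-bit immediate, so a low half with bit 15 set forces the high half up by one), and recovers the branch target from a lis/addi pair, which is how an analyst reading a patched function out of a memory dump would work out where it goes. JUMP_VECTOR holds the slide's own words; 0x8300C000 is a constructed address chosen to exercise the sign-adjust case.

```python
# PowerPC "load address, mtctr, bctrl" encoder/decoder (added example)

CTR_SPR = 9            # special-purpose register number of the Count Register
BCTRL = 0x4E800421     # fixed encoding of bctrl

# The eight words written by the slides' jump vector patch (values from the slides)
JUMP_VECTOR = [0x3D208312, 0x38093A20, 0x7C0903A6, 0x4E800421,
               0x3D20804A, 0x380943F8, 0x7C0903A6, 0x4E800421]


def ha_lo(addr: int) -> tuple:
    """Split a 32-bit address into the @ha and @l halves used by lis/addi.
    addi sign-extends its 16-bit immediate, so when bit 15 of the low half is
    set the high half is raised by one ("high adjusted") to compensate."""
    lo = addr & 0xFFFF
    if lo & 0x8000:
        lo -= 0x10000
    ha = ((addr - lo) >> 16) & 0xFFFF
    return ha, lo


def encode_lis(rd: int, imm: int) -> int:
    # lis rD,IMM is addis rD,0,IMM: primary opcode 15, rA = 0
    return (15 << 26) | (rd << 21) | (imm & 0xFFFF)


def encode_addi(rd: int, ra: int, simm: int) -> int:
    # primary opcode 14; the immediate is stored as 16-bit two's complement
    return (14 << 26) | (rd << 21) | (ra << 16) | (simm & 0xFFFF)


def encode_mtctr(rs: int) -> int:
    # mtctr rS is mtspr 9,rS: opcode 31, extended opcode 467; the 10-bit SPR
    # field carries the two 5-bit halves of the SPR number swapped
    spr_field = ((CTR_SPR & 0x1F) << 5) | (CTR_SPR >> 5)
    return (31 << 26) | (rs << 21) | (spr_field << 11) | (467 << 1)


def call_sequence(addr: int, hi_reg: int, lo_reg: int) -> list:
    """lis hi_reg,addr@ha ; addi lo_reg,hi_reg,addr@l ; mtctr lo_reg ; bctrl"""
    ha, lo = ha_lo(addr)
    return [encode_lis(hi_reg, ha), encode_addi(lo_reg, hi_reg, lo),
            encode_mtctr(lo_reg), BCTRL]


def decode(word: int) -> str:
    """Decode the four instruction kinds used above; anything else is shown as .long."""
    op = word >> 26
    rd = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    simm = word & 0xFFFF
    if simm & 0x8000:
        simm -= 0x10000
    if word == BCTRL:
        return "bctrl"
    if op == 15 and ra == 0:
        return f"lis r{rd},{word & 0xFFFF:#x}"
    if op == 14:
        return f"addi r{rd},r{ra},{simm:#x}"
    if op == 31 and (word & 0x1FFFFF) == (encode_mtctr(0) & 0x1FFFFF):
        return f"mtctr r{rd}"
    return f".long {word:#010x}"


def target_of(words: list) -> int:
    """Recover the address materialised by a lis/addi pair, e.g. when reading a
    patched function back out of a memory dump."""
    lis, addi = words[0], words[1]
    if lis >> 26 != 15 or addi >> 26 != 14:
        raise ValueError("expected lis followed by addi")
    if ((addi >> 16) & 0x1F) != ((lis >> 21) & 0x1F):
        raise ValueError("addi does not consume the register lis loaded")
    simm = addi & 0xFFFF
    if simm & 0x8000:
        simm -= 0x10000
    return (((lis & 0xFFFF) << 16) + simm) & 0xFFFFFFFF


if __name__ == "__main__":
    for w in JUMP_VECTOR:
        print(f"{w:#010x}  {decode(w)}")
    print("first branch target :", hex(target_of(JUMP_VECTOR[0:2])))
    print("second branch target:", hex(target_of(JUMP_VECTOR[4:6])))
    # constructed address with bit 15 of the low half set, to show the @ha adjustment
    print("0x8300C000 ->", [hex(w) for w in call_sequence(0x8300C000, 9, 0)])
```

Run stand-alone it lists the patch word by word and prints the two branch targets the slide labels "jump to *shellcode" and "return(0)". The Hello World slide's r7-only form is the same sequence with hi_reg and lo_reg both set to 7.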

Example Lab Setup (1): Building IOS Shellcodes

Reversing the IOS
Step 1 – Uncompress the image, fix up the ELF header
Step 2 – Load the image in IDA
Step 3 – Wait forever (use an older IOS image (11.0), which loads faster)
Step 4 – Analysis: we use both static and runtime analysis tools to discover interesting functions in IOS for shellcode development.

Reversing the IOS – Example: the IOS Finger Command
- Cisco supports a finger daemon to give information about who is connected to a router
- The output is similar to the show users command when run locally on the system
- We log the output and associated strings, which are then searched for in the main image using IDA
- Functions are further mapped using breakpoints and by creating call graphs

Other useful commands
- show memory
- show context
- reload (useful for mapping the checkheaps() function)

The bind shell
- Four hard-coded addresses required
- Creates a new VTY
- Allocates memory for a command information structure
- Sets a password on the VTY line
- Privilege escalates to "Level 15"

The bind shell
Setting the password:
- Command information structure, offset 0x0a68: start VTY line
- Command information structure, offset 0x0a6c: end VTY line
- Call the change_pass() function
Escalating privileges:
- At a fixed address there is an array of pointers to VTY line structures
- We need &Array[66]
- Within this structure, at offset 0x0de4, is a password structure
- Set its value to 0xff800000 – Level 15

The bind shell – Demo
[Embedded demo video on the slide; it takes a little while for the shellcode to start running]

The reverse shell
- Five hard-coded addresses required
- Creates a new VTY
- Privilege escalates to level 15
- Opens a TCP connection
- Connects the VTY to the TCP connection

The reverse shell – Demo
[Embedded demo video on the slide; it takes a little while for the shellcode to start running]

The "2 byte rootshell" – bindshell (v2)
- TTY Line structure: the structure that holds the privilege level
- TTY Line structure, offset 0x0174: 0x00000001. Set the LSB to zero and the router no longer prompts you for any authentication credentials
- TTY Line structure, offset 0xde4: 0x11800000. Set the MSB to 0xff to escalate to level 15

The "2 byte rootshell" – Demo
[Embedded demo video on the slide; it takes a little while for the shellcode to start running]

Example Lab Setup (1): The CheckHeaps() Issue

The checkheaps() issue
Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

Process Watch Dog
- The scheduler allocates a watchdog timer for each process
- It polls a process; if the process runs for longer than the preset period of 2 seconds, the scheduler regains control and generates a warning
- If the preset expires a 2nd time, the watchdog fires a termination request against the rogue process

Process Watch Dog
- IOS assigns one of four priorities to each process: Critical, High, Medium and Low
  - Critical – resource allocation processes
  - High – fast packet switching processes
  - Medium – default
  - Low – checkheaps, system management processes
- Being a low priority process, checkheaps is killed

A word on Timers
- Used by IOS for event scheduling, context switching etc.
- Runs a master timer and n slaves, based on the process
- All this information is managed using a timer linked list
- This linked list can be abused to overwrite arbitrary memory locations

Bypassing checkheaps()

Bypassing checkheaps()
- First demonstrated by Michael Lynn at Black Hat in 2005
- Might have taken advantage of the timer linked lists to overwrite the "crashing already" flag
- Cisco simply fixed the timers issue (the vector), NOT the checkheaps "crashing already" bug

Example Lab Setup (1): Potential Impact and Countermeasures

Potential Impact
- The process of building an IOS shellcode can be automated
- IOS exploitation can be made 100% reliable when attacking internally
- Stable memory-resident backdoors can be created using the techniques outlined in this presentation

Countermeasures
- Keep the IOS firmware up to date – not always feasible
- Close all unwanted services
- Apply ACLs and a strong access control policy
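As an added illustration of the last two countermeasures (this fragment is not from the slides), the following Cisco IOS configuration disables the finger service that the "Reversing the IOS" slides used as a starting point, removes other services a router rarely needs, and restricts the VTY lines (the object every shell variant above creates or hijacks) to a management network over SSH. The 192.0.2.0/24 subnet is a constructed documentation-range value and MGMT-HOSTS is a made-up ACL name; SSH also needs an RSA key pair generated on the device, which is not shown.

```cisco
! Close unwanted services: the defaults this replaces answer finger,
! HTTP and BOOTP requests from any host that can reach the router.
no ip finger
no ip http server
no ip bootp server
service password-encryption
!
! Only the management subnet may open a VTY session; everything else is
! dropped and logged so attempts show up in the syslog buffer.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login local
!
ip ssh version 2
logging buffered 16384 informational
```

The access-class applies to the VTY lines as a whole, so a shellcode-created VTY still inherits the line-range restriction; the logging makes a denied source visible to whoever reviews the buffer, which is the detection half of "strong access control policy".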

Questions?