ROMMON versions:
  - Version 12.1(3r)T1
  - Version 12.1(3r)T2
  - Version 12.2(10r)1
  - Version 12.2(6r)
  - Version 12.2(7r)XM1

[Diagram: CPU with a D-Cache and an I-Cache in front of Memory; memcpy() writes the AAAA…AAAAA buffer into Memory through the D-Cache, then return]
More Code Reuse

- The bootstrap code (ROMMON) already brings functionality that we need: Disable all caches!

    stwu   %sp, -0x10(%sp)
    mflr   %r0
    stw    %r31, 0x10+var_4(%sp)
    stw    %r0, 0x10+arg_4(%sp)
    bl     Disable_Interrupts
    mr     %r31, %r3
    mfspr  %r0, dc_cst
    cmpwi  cr1, %r0, 0
    bge    cr1, NoDataCache
    bl     Flush_Data_Cache
    bl     Unlock_Data_Cache
    bl     Disable_Data_Cache
  NoDataCache:
    bl     Invalidate_Instruction_Cache
    bl     Unlock_Instruction_Cache
    bl     Disable_Instruction_Cache
    mfmsr  %r0
    rlwinm %r0, %r0, 0,28,25
Getting away with it

- Reliable code execution is nice, but an attacker needs the device to stay running
- We can’t just keep running our shellcode, remember the Windows 95 scheduler?
- Andy Davis et al have called the TerminateProcess function of IOS
  - Needs the address of this function, which is again image dependent
  - Exactly what is not wanted!
  - Crucial processes should not be terminated
  - IP Options vulnerability exploits “IP Input”
Getting away with it

- Remember the stack layout?
- We search the stack for a sequence of SP&LR upwards
- Once found, we restore the stack pointer and return to the caller
- This is reliable across images, as the call stack layout does not change dramatically over releases
- This has been shown to be mostly true on other well exploited platforms

[Stack diagram: frame slot, contents after the overflow]
  Buffer      41414141
  Buffer      41414141
  Buffer      41414141
  Buffer      41414141
  Buffer      41414141
  saved R30   VALUE
  saved R31   DEST.PTR
  saved SP    41414141
  saved LR    FUNC_02
  saved R28
  saved R29
  saved R30
  saved R31
  saved SP
  saved LR
  stuff
The Downside of ROMMON

- You need to have a copy of the respective ROMMON for disassembly
  - ROMMON updates are available on CCO
  - The interesting (read: old) versions are not
- You cannot remotely fingerprint ROMMON
  - It is unused dormant code
- You still need to know what hardware platform you are dealing with
Alternatives to ROMMON

- What if we could use the same technique, but return into the IOS image code?
  - We can remotely fingerprint the IOS image
- But aren’t the image addresses all random?
  - Well, that’s exactly the question
- Performing an extensive search over multiple IOS images for the same platform
  - Requiring a BLR instruction
  - Requiring LR restore via stack (R1)
  - Requiring write to pointer in R26-R31
  - Requiring single basic block
Code Similarity (4 images)

          c2600-a3jk8s-mz.122-28c  c2600-a3jk8s-mz.122-29b  c2600-a3jk8s-mz.122-37   c2600-a3jk8s-mz.122-46
8001435c  stw r29,36(r30)          sth r3,18(r31)           stw r29,36(r30)          sth r3,18(r31)
80014360  li r0,36                 stw r27,184(r30)         li r0,36                 stw r27,184(r30)
80014364  sth r0,68(r30)           lwz r9,92(r27)           sth r0,68(r30)           lwz r9,92(r27)
80014368  mr r3,r30                lhz r0,414(r9)           mr r3,r30                lhz r0,414(r9)
8001436c  lwz r0,36(r1)            sth r0,72(r30)           lwz r0,36(r1)            sth r0,72(r30)
80014370  mtlr r0                  stw r29,36(r30)          mtlr r0                  stw r29,36(r30)
80014374  lwz r27,12(r1)           li r0,36                 lwz r27,12(r1)           li r0,36
80014378  lwz r28,16(r1)           sth r0,68(r30)           lwz r28,16(r1)           sth r0,68(r30)
8001437c  lwz r29,20(r1)           mr r3,r30                lwz r29,20(r1)           mr r3,r30
80014380  lwz r30,24(r1)           lwz r0,36(r1)            lwz r30,24(r1)           lwz r0,36(r1)
80014384  lwz r31,28(r1)           mtlr r0                  lwz r31,28(r1)           mtlr r0
80014388  addi r1,r1,32            lwz r27,12(r1)           addi r1,r1,32            lwz r27,12(r1)
8001438c  blr                      lwz r28,16(r1)           blr                      lwz r28,16(r1)
80014390                           lwz r29,20(r1)                                    lwz r29,20(r1)
80014394                           lwz r30,24(r1)                                    lwz r30,24(r1)
80014398                           lwz r31,28(r1)                                    lwz r31,28(r1)
8001439c                           addi r1,r1,32                                     addi r1,r1,32
800143a0                           blr                                               blr
Code Similarity (70 images)

Columns: (1) c2600-a3jk8s-mz.122-28c  (2) c2600-a3jk8s-mz.122-29b  (3) c2600-a3jk8s-mz.122-37  (4) c2600-a3jk8s-mz.122-46
         (5) c2600-a3js-mz.122-28c    (6) c2600-a3js-mz.122-29b    (7) c2600-a3js-mz.122-37    (8) c2600-a3js-mz.122-46

          (1)               (2)               (3)               (4)               (5)               (6)               (7)               (8)
8001435c  stw r29,36(r30)   sth r3,18(r31)    stw r29,36(r30)   sth r3,18(r31)    stw r29,36(r30)   sth r3,18(r31)    stw r29,36(r30)   sth r3,18(r31)
80014360  li r0,36          stw r27,184(r30)  li r0,36          stw r27,184(r30)  li r0,36          stw r27,184(r30)  li r0,36          stw r27,184(r30)
80014364  sth r0,68(r30)    lwz r9,92(r27)    sth r0,68(r30)    lwz r9,92(r27)    sth r0,68(r30)    lwz r9,92(r27)    sth r0,68(r30)    lwz r9,92(r27)
80014368  mr r3,r30         lhz r0,414(r9)    mr r3,r30         lhz r0,414(r9)    mr r3,r30         lhz r0,414(r9)    mr r3,r30         lhz r0,414(r9)
8001436c  lwz r0,36(r1)     sth r0,72(r30)    lwz r0,36(r1)     sth r0,72(r30)    lwz r0,36(r1)     sth r0,72(r30)    lwz r0,36(r1)     sth r0,72(r30)
80014370  mtlr r0           stw r29,36(r30)   mtlr r0           stw r29,36(r30)   mtlr r0           stw r29,36(r30)   mtlr r0           stw r29,36(r30)
80014374  lwz r27,12(r1)    li r0,36          lwz r27,12(r1)    li r0,36          lwz r27,12(r1)    li r0,36          lwz r27,12(r1)    li r0,36
80014378  lwz r28,16(r1)    sth r0,68(r30)    lwz r28,16(r1)    sth r0,68(r30)    lwz r28,16(r1)    sth r0,68(r30)    lwz r28,16(r1)    sth r0,68(r30)
8001437c  lwz r29,20(r1)    mr r3,r30         lwz r29,20(r1)    mr r3,r30         lwz r29,20(r1)    mr r3,r30         lwz r29,20(r1)    mr r3,r30
80014380  lwz r30,24(r1)    lwz r0,36(r1)     lwz r30,24(r1)    lwz r0,36(r1)     lwz r30,24(r1)    lwz r0,36(r1)     lwz r30,24(r1)    lwz r0,36(r1)
80014384  lwz r31,28(r1)    mtlr r0           lwz r31,28(r1)    mtlr r0           lwz r31,28(r1)    mtlr r0           lwz r31,28(r1)    mtlr r0
80014388  addi r1,r1,32     lwz r27,12(r1)    addi r1,r1,32     lwz r27,12(r1)    addi r1,r1,32     lwz r27,12(r1)    addi r1,r1,32     lwz r27,12(r1)
8001438c  blr               lwz r28,16(r1)    blr               lwz r28,16(r1)    blr               lwz r28,16(r1)    blr               lwz r28,16(r1)
80014390                    lwz r29,20(r1)                      lwz r29,20(r1)                      lwz r29,20(r1)                      lwz r29,20(r1)
80014394                    lwz r30,24(r1)                      lwz r30,24(r1)                      lwz r30,24(r1)                      lwz r30,24(r1)
80014398                    lwz r31,28(r1)                      lwz r31,28(r1)                      lwz r31,28(r1)                      lwz r31,28(r1)
8001439c                    addi r1,r1,32                       addi r1,r1,32                       addi r1,r1,32                       addi r1,r1,32
800143a0                    blr                                 blr                                 blr                                 blr

Identical Features!
Code Similarity Results

Count   Percent   Address    Type
1597    100%      -          Cisco 2600 IOS 12.1 – 12.4 with all possible feature sets
 326    20.4%     80009534   Arbitrary memory write
 249    15.6%     80040990   Fixed memory write
 224    14.0%     80014360   Arbitrary memory write
 223    13.9%     80040984   Fixed memory write
fx@recurity-labs.com
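The Count and Percent columns of the results table are a per-address statistic: an address counts for an image only when the identical instruction sequence starts at exactly that address in that image. The Python script below is an added example, not code from the slides or from Recurity Labs. It reproduces that statistic on the four c2600 listings from the 4-image table, which are embedded as data, and then shows why the numbers come out the way they do. The window length, the function names and the tuple layout are the example's own choices; the Type column of the results table, which says what each sequence does, is a manual classification and is not reproduced. On this data every address scores 2 of 4 (50%): the epilogue is byte-identical in all four images, but in the -29b and -46 builds it sits 0x14 bytes later, which is the kind of release-to-release address drift that makes a per-address count lower than the byte-level similarity suggests.

```python
"""Per-address code similarity across firmware images.

Added example, not code from the slides or from Recurity Labs.  It reproduces
the Count / Percent / Address statistic of the "Code Similarity Results" table
on the four c2600 listings shown in the 4-image table.  The Type column of that
table (what a sequence does) is a manual classification and is not reproduced.
"""
from collections import Counter

INSN_SIZE = 4  # every PowerPC instruction is 4 bytes, so addresses step by 4


def listing(start, insns):
    """Build an address -> instruction map for a run of instructions."""
    return {start + INSN_SIZE * i: insn for i, insn in enumerate(insns)}


# Instruction text copied from the 4-image table in the slides.  Images -28c
# and -37 share one layout, -29b and -46 another (same epilogue, 0x14 bytes later).
LAYOUT_A = [
    "stw r29,36(r30)", "li r0,36", "sth r0,68(r30)", "mr r3,r30",
    "lwz r0,36(r1)", "mtlr r0", "lwz r27,12(r1)", "lwz r28,16(r1)",
    "lwz r29,20(r1)", "lwz r30,24(r1)", "lwz r31,28(r1)", "addi r1,r1,32", "blr",
]
LAYOUT_B = [
    "sth r3,18(r31)", "stw r27,184(r30)", "lwz r9,92(r27)", "lhz r0,414(r9)",
    "sth r0,72(r30)", "stw r29,36(r30)", "li r0,36", "sth r0,68(r30)", "mr r3,r30",
    "lwz r0,36(r1)", "mtlr r0", "lwz r27,12(r1)", "lwz r28,16(r1)",
    "lwz r29,20(r1)", "lwz r30,24(r1)", "lwz r31,28(r1)", "addi r1,r1,32", "blr",
]
LISTINGS = {
    "c2600-a3jk8s-mz.122-28c": listing(0x8001435C, LAYOUT_A),
    "c2600-a3jk8s-mz.122-29b": listing(0x8001435C, LAYOUT_B),
    "c2600-a3jk8s-mz.122-37": listing(0x8001435C, LAYOUT_A),
    "c2600-a3jk8s-mz.122-46": listing(0x8001435C, LAYOUT_B),
}

# The function epilogue every image contains (restores LR via r1, ends in blr).
EPILOGUE = tuple(LAYOUT_A[4:])


def window_at(lst, addr, length):
    """`length` consecutive instructions starting at addr, or None if the
    listing has no instruction at one of those addresses."""
    seq = []
    for i in range(length):
        insn = lst.get(addr + INSN_SIZE * i)
        if insn is None:
            return None
        seq.append(insn)
    return tuple(seq)


def similarity_table(listings, window):
    """For each address, the largest set of images carrying an identical
    `window`-instruction sequence starting exactly there.
    Returns [(count, percent, address, sequence), ...], highest count first."""
    total = len(listings)
    addrs = set()
    for lst in listings.values():
        addrs.update(lst)
    rows = []
    for addr in sorted(addrs):
        groups = Counter()
        for lst in listings.values():
            seq = window_at(lst, addr, window)
            if seq is not None:
                groups[seq] += 1
        if groups:
            seq, count = groups.most_common(1)[0]
            rows.append((count, round(100.0 * count / total, 1), addr, seq))
    rows.sort(key=lambda r: (-r[0], r[2]))
    return rows


def sequence_addresses(listings, seq):
    """Where an exact instruction sequence starts in each image.  Identical
    bytes at a different address do not raise the per-address statistic."""
    return {name: [a for a in sorted(lst) if window_at(lst, a, len(seq)) == seq]
            for name, lst in listings.items()}


if __name__ == "__main__":
    print("Count  Percent  Address")
    for count, pct, addr, _ in similarity_table(LISTINGS, window=8):
        print(f"{count:5d}  {pct:5.1f}%  {addr:08x}")
    for name, hits in sequence_addresses(LISTINGS, EPILOGUE).items():
        print(name, [f"{a:08x}" for a in hits])
```

The second loop in the usage section is the explanatory half: it prints 8001436c for the -28c and -37 images and 80014380 for -29b and -46, so the same epilogue exists in all four listings but never at one shared address, which is why no row of the similarity table reaches 4 of 4.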