Technology sharing: Cisco IOS process debugging

王朝 other · Author: anonymous · 2008-05-31

Ciscox notes (Anthony C. Zboralski Gaius)

Research is being done on a useless Cisco 1600 with 4 megs of flash running IOS 11.1.

Recently, after writing my first Cisco warez (tunnelx), I told myself: hey, we need to find a way to inject arbitrary code, poke and peek at the memory on a Cisco, hide interfaces, route-maps, access-lists.

Let's look around:

scep#show proc
CPU utilization for five seconds: 10%/4%; one minute: 14%; five minutes: 14%
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
1 M* 0 1248107 11663 2204/4000 1 Virtual Exec
2 Lst802DF1634668313110760 1760/2000 0 Check heaps
3 Cwe801D5DE01 0 1736/2000 0 Pool Manager
4 Mst8058B2002 0 1708/2000 0 Timers
5 Lwe80BFD4A 24 46 521 1448/2000 0 ARP Input
6 Mwe81F78F0414000 1744/2000 0 SERIAL A'detect
7 Lwe80D935A414000 1656/2000 0 Probe Input
8 Mwe80D8CD601 0 1744/2000 0 RARP Input
9 Hwe80CA966 80 89 898 3116/4000 0 IP Input
10 Mwe80F41BA 1632249 1348/2000 0 TCP Timer
11 Lwe80F5EB8832666 3244/4000 0 TCP Protocols
12 Mwe813785E 80177 451 1588/2000 0 CDP Protocol
13 Mwe80D577001 0 1620/2000 0 BOOTP Server
14 Mwe81112C0 1356 1522 890 1592/2000 0 IP Background
15 Lsi81212980 25 0 1792/2000 0 IP Cache Ager
16 Cwe80237BE01 0 1748/2000 0 Critical Bkgnd
17 Mwe802365A 1252400 1476/2000 0 Net Background
18 Lwe804E82E 1644000 1192/2000 0 Logger
19 Msp80456DE 80 149353 1728/2000 0 TTY Background
20 Msp802345C 20 149413 1800/2000 0 Per-Second Jobs
21 Msp80233F2 68 149445 1488/2000 0 Net Periodic
22 Hwe80234DC414000 1724/2000 0 Net Input
23 Msp8023482772 25 30880 1800/2000 0 Per-minute Jobs
24 Lwe8109834422000 3620/4000 0 IP SNMP
25 Mwe815CE0801 0 1712/2000 0 SNMP Traps
26 ME 811805A0 26 0 1892/2000 0 IP-RT Background
27 ME 803B0F8 32 112909 2760/4000 2 Virtual Exec

Now you can even dump the memory with 'show memory'. Good, but there is no write memory command. Too bad. Maybe not...

I started looking for undocumented and hidden commands and found quite a bunch of them.

Among all the stupid hidden commands, the best candidate for taking full control of the Cisco is 'gdb'.

The IOS gdb command offers three subcommands:

gdb debug PID
gdb examine PID
gdb kernel

The kernel subcommand works only on the console. However, 'examine' and 'debug' work perfectly; the debug subcommand is a bit tricky to use though.

scep#gdb debug 27

oops..

Ok, grab a copy of gdb-4.18 and try to compile a version for your Cisco:

mkdir m68k-cisco
../configure --target m68k-cisco
make

If you have a MIPS based Cisco, just s/m68k/mips64/ the above 4 lines.

Now type make install and you should have a m68k-cisco-gdb binary in your path.

fire# m68k-cisco-gdb
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-Linux-gnu --target=m68k-cisco".
(cisco-68k-gdb)

My Cisco 1600 is connected to /dev/ttyS0.

scep>en
Password:
scep#gdb debug 18
scep#

As you can see, it bails out if you hit return, while examine seems to work.

scep#gdb examine 18

Now the console seems locked.

Go back to our gdb-4.18 source tree and check out gdb/remote.c, which contains nice documentation of the gdb remote communication protocol.


IOS gdbserver implementation

Don't get too excited, IOS gdbserver supports only a limited subset of those commands. I'll grab a binary of IOS 12 and check if new commands were added.

I didn't have to test every command by hand. Let's just say I have reliable sources and I know that in IOS 11.2-8 (hum hum), the following commands are supported:

Request          Packet
read registers   g
write regs       GXX..XX               Each byte of register data is described by two hex digits.
                                       Registers are in the internal order for GDB, and the bytes
                                       in a register are in the same order the machine uses.
read mem         mAA..AA,LLLL          AA..AA is address, LLLL is length.
write mem        MAA..AA,LLLL:XX..XX   AA..AA is address, LLLL is number of bytes, XX..XX is data.
continue         cAA..AA               AA..AA is address to resume. If AA..AA is omitted,
                                       resume at same address.
step             sAA..AA               AA..AA is address to resume. If AA..AA is omitted,
                                       resume at same address.
kill request     k
last signal      ?                     Reply the current reason for stopping. This is the same
                                       reply as is generated for step or cont: SAA where AA is
                                       the signal number.
toggle debug     d                     toggle debug flag (see 386 & 68k stubs)

All other commands will be ignored... too bad 'search' isn't implemented.

The protocol is simple, quoting remote.c comments:

A debug packet whose contents are <data> is encapsulated for transmission in the form:

$ <data> # CSUM1 CSUM2

<data> must be ASCII alphanumeric and cannot include characters '$' or '#'. If <data> starts with two characters followed by ':', then the existing stubs interpret this as a sequence number.

CSUM1 and CSUM2 are ascii hex representation of an 8-bit checksum of <data>, the most significant nibble is sent first. The hex digits 0-9,a-f are used.

Before trying to make gdb work, I wrote a little program that computed the right checksum:

#include <stdio.h>
#include <stdlib.h>

unsigned char const hexchars[] = "0123456789abcdef";

/* Return the ASCII hex digit for the low nibble of c. */
char tohexchar(unsigned char c)
{
    c &= 0x0f;
    return hexchars[c];
}

int main(int argc, char **argv)
{
    unsigned char checksum;
    int count;
    char *command;
    char ch;

    if (argc <= 1)
        exit(1);

    printf("gdb protocol command: ");
    command = argv[1];
    putchar('$');
    checksum = count = 0;
    /* 8-bit modular sum over every byte of the packet data */
    while ((ch = command[count]))
    {
        putchar(ch);
        checksum += ch;
        count++;
    }
    putchar('#');
    putchar(tohexchar(checksum >> 4)); /* most significant nibble first */
    putchar(tohexchar(checksum));
    putchar(' ');
    return 0;
}

./gdbproto g
gdb protocol command: $g#67
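The same framing rule in both directions, as an added example that is not the author's gdbproto program: building a request packet and verifying the checksum of a packet coming back from the stub, so that a corrupted or tampered packet is rejected instead of acted on. The memory address used in the comments is a constructed placeholder, not one from the router above.

```c
/* Added example, not from the original notes: frame a GDB remote
 * protocol request and verify a packet received from the stub, per
 * the "$ <data> # CSUM1 CSUM2" rule quoted from remote.c. */
#include <stdio.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Build "$<data>#xx" in out; rejects '$' or '#' inside <data>.
 * e.g. gdb_frame("m80000000,4", ...) -> "$m80000000,4#55" (constructed address) */
int gdb_frame(const char *data, char *out, size_t outlen)
{
    unsigned char sum = 0;
    size_t i, n = strlen(data);
    if (n + 5 > outlen)                 /* '$' data '#' xx NUL */
        return 0;
    for (i = 0; i < n; i++) {
        if (data[i] == '$' || data[i] == '#')
            return 0;
        sum += (unsigned char)data[i];  /* 8-bit modular checksum */
    }
    snprintf(out, outlen, "$%s#%02x", data, sum);
    return 1;
}

/* Validate framing and checksum of a received packet; on success copy
 * the payload into data and return 1, otherwise return 0 (drop it). */
int gdb_unframe(const char *pkt, char *data, size_t datalen)
{
    const char *p, *hash = strchr(pkt, '#');
    unsigned char sum = 0;
    int hi, lo;
    if (pkt[0] != '$' || hash == NULL || strlen(hash) != 3)
        return 0;
    for (p = pkt + 1; p < hash; p++)
        sum += (unsigned char)*p;
    hi = hexval(hash[1]);
    lo = hexval(hash[2]);
    if (hi < 0 || lo < 0 || (unsigned char)(hi * 16 + lo) != sum)
        return 0;                       /* corrupted or tampered */
    if ((size_t)(hash - pkt) > datalen) /* payload + NUL must fit */
        return 0;
    memcpy(data, pkt + 1, (size_t)(hash - pkt - 1));
    data[hash - pkt - 1] = '\0';
    return 1;
}
```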

Now paste that at the prompt and you get register output:

scep

 
 
 