Cisco IOS process debugging

2008-02-23 04:53:33 Source: Internet


Ciscox notes (Anthony C. Zboralski Gaius)

Research is being done on a useless Cisco 1600 with 4 megs of flash running IOS 11.1.

Recently, after writing my first cisco warez (tunnelx), I told myself hey, we need to find a way to inject arbitrary code, poke and peek at the memory
on a cisco, hide interfaces, route-maps, access-lists.

Let's look around:

scep#show proc
CPU utilization for five seconds: 10%/4%; one minute: 14%; five minutes: 14%
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
1 M* 0 1248 107 11663 2204/4000 1 Virtual Exec
2 Lst 802DF16 34668 313 110760 1760/2000 0 Check heaps
3 Cwe 801D5DE 0 1 0 1736/2000 0 Pool Manager
4 Mst 8058B20 0 2 0 1708/2000 0 Timers
5 Lwe 80BFD4A 24 46 521 1448/2000 0 ARP Input
6 Mwe 81F78F0 4 1 4000 1744/2000 0 SERIAL A'detect
7 Lwe 80D935A 4 1 4000 1656/2000 0 Probe Input
8 Mwe 80D8CD6 0 1 0 1744/2000 0 RARP Input
9 Hwe 80CA966 80 89 898 3116/4000 0 IP Input
10 Mwe 80F41BA 16 322 49 1348/2000 0 TCP Timer
11 Lwe 80F5EB8 8 3 2666 3244/4000 0 TCP Protocols
12 Mwe 813785E 80 177 451 1588/2000 0 CDP Protocol
13 Mwe 80D5770 0 1 0 1620/2000 0 BOOTP Server
14 Mwe 81112C0 1356 1522 890 1592/2000 0 IP Background
15 Lsi 8121298 0 25 0 1792/2000 0 IP Cache Ager
16 Cwe 80237BE 0 1 0 1748/2000 0 Critical Bkgnd
17 Mwe 802365A 12 5 2400 1476/2000 0 Net Background
18 Lwe 804E82E 16 4 4000 1192/2000 0 Logger
19 Msp 80456DE 80 1493 53 1728/2000 0 TTY Background
20 Msp 802345C 20 1494 13 1800/2000 0 Per-Second Jobs
21 Msp 80233F2 68 1494 45 1488/2000 0 Net Periodic
22 Hwe 80234DC 4 1 4000 1724/2000 0 Net Input
23 Msp 8023482 772 25 30880 1800/2000 0 Per-minute Jobs
24 Lwe 8109834 4 2 2000 3620/4000 0 IP SNMP
25 Mwe 815CE08 0 1 0 1712/2000 0 SNMP Traps
26 ME 811805A 0 26 0 1892/2000 0 IP-RT Background
27 ME 803B0F8 32 11 2909 2760/4000 2 Virtual Exec
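The listing above is the only inventory of PIDs the box gives you, so it pays to parse it rather than read it by eye. The following is an added example, not code from these notes: a small Python parser for the `show proc` column layout that turns each row into a record, so PIDs, TTYs and stack figures can be queried. The column meanings in the comments follow Cisco's own documentation of `show processes` (in particular, Stacks is the low-water mark over the total stack size); the excerpt embedded below is a constructed copy of a few rows from the listing.

```python
import re

# Constructed excerpt of the 'show proc' listing, in the same column layout
# (one row per process, fields separated by whitespace).
SHOW_PROC = """\
CPU utilization for five seconds: 10%/4%; one minute: 14%; five minutes: 14%
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
1 M* 0 1248 107 11663 2204/4000 1 Virtual Exec
2 Lst 802DF16 34668 313 110760 1760/2000 0 Check heaps
9 Hwe 80CA966 80 89 898 3116/4000 0 IP Input
18 Lwe 804E82E 16 4 4000 1192/2000 0 Logger
27 ME 803B0F8 32 11 2909 2760/4000 2 Virtual Exec
"""

# First letter of the QTy column is the scheduling priority (per Cisco's
# 'show processes' documentation); the remaining letters are the state.
PRIORITY = {"C": "critical", "H": "high", "M": "medium", "L": "low"}

ROW = re.compile(r"""
    ^\s*(?P<pid>\d+)\s+
    (?P<qty>[CHML]\S*)\s+        # priority letter + state letters, e.g. 'M*', 'Lwe'
    (?P<pc>[0-9A-Fa-f]+)\s+      # program counter, hex
    (?P<runtime>\d+)\s+          # accumulated CPU time, ms
    (?P<invoked>\d+)\s+          # times the process was scheduled
    (?P<usecs>\d+)\s+            # average microseconds per invocation
    (?P<stack_low>\d+)/(?P<stack_total>\d+)\s+   # stack low-water mark / total size
    (?P<tty>\d+)\s+              # terminal line, 0 for none
    (?P<name>.+?)\s*$""", re.VERBOSE)


def parse_show_proc(text):
    """Turn the listing into a list of dicts, one per process row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:                # the CPU summary and the header do not match
            continue
        d = m.groupdict()
        for k in ("pid", "runtime", "invoked", "usecs",
                  "stack_low", "stack_total", "tty"):
            d[k] = int(d[k])
        d["pc"] = int(d["pc"], 16)
        d["priority"] = PRIORITY[d["qty"][0]]
        d["state"] = d["qty"][1:]
        rows.append(d)
    return rows


def exec_sessions(rows):
    """Map PID -> TTY for the 'Virtual Exec' processes, i.e. the interactive
    sessions on the box, told apart by the line they sit on."""
    return {r["pid"]: r["tty"] for r in rows if r["name"] == "Virtual Exec"}


def peak_stack_use(row):
    """Bytes of stack the process has ever used: total minus low-water mark."""
    return row["stack_total"] - row["stack_low"]


def busiest(rows, n=3):
    """PIDs of the n processes with the most accumulated CPU time."""
    ordered = sorted(rows, key=lambda r: r["runtime"], reverse=True)
    return [r["pid"] for r in ordered[:n]]


if __name__ == "__main__":
    for r in parse_show_proc(SHOW_PROC):
        print(r["pid"], r["name"], r["priority"], r["state"],
              "peak stack", peak_stack_use(r))
```

Nothing here is IOS-specific beyond the column order; on a different release, check that the header still reads `PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process` before trusting the field mapping.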

Now you can even dump memory with 'show memory'. Good, but there is no command to write to arbitrary memory; too bad. Maybe not...

I started looking for undocumented and hidden commands and found quite a bunch of them.

Among all the stupid hidden commands, the best candidate for taking full control of the cisco is 'gdb'.

The IOS gdb command offers three subcommands:

gdb
debug PID
examine PID
kernel

The kernel subcommand works only on the console.
'examine' and 'debug', however, work; the debug subcommand is a bit tricky to use, though.

scep#gdb debug 27
||||

oops..

Ok, grab a copy of gdb-4.18 and build a version targeting your cisco (an out-of-tree build from the gdb-4.18 source directory):
mkdir m68k-cisco
cd m68k-cisco
../configure --target m68k-cisco
make

If you have a MIPS-based cisco, just s/m68k/mips64/ in the lines above.

Now type make install and you should have an m68k-cisco-gdb binary in your path.

fire# m68k-cisco-gdb
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=m68k-cisco".
(cisco-68k-gdb)

My cisco 1600 is connected to /dev/ttyS0.
scep>en
Password:
scep#gdb debug 18

scep#

As you can see, it bails out if you hit return, while examine seems to work.

scep#gdb examine 18
||||

Now the console seems locked.
Go back to the gdb-4.18 source tree and read gdb/remote.c, which contains a nice description of the gdb remote communication protocol.

IOS gdbserver implementation
Don't get too excited: the IOS gdb stub supports only a limited subset of those commands. I'll grab a binary of IOS 12 and check whether new commands were added.
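The protocol described in gdb/remote.c is simple enough to drive by hand once the stub is listening on the console line. The following is an added example, not code from these notes, from gdb or from IOS: it frames remote-protocol packets ('$' payload '#' two-digit checksum, acknowledged with '+' or '-'), checks reply checksums, and drives a constructed in-memory stub that stands in for the router end of the line so the exchange runs offline. It assumes the standard 'm' (read memory) and 'M' (write memory) packets; which of these a given IOS stub actually honours is exactly what still has to be checked against the real box.

```python
"""GDB remote serial protocol framing as described in gdb/remote.c.
Added example; FakeStub is constructed for the demonstration and is not
the IOS stub."""


def rsp_checksum(payload):
    """Modulo-256 sum of the payload bytes."""
    return sum(payload) & 0xFF


def rsp_encode(payload):
    """Frame a payload: b'$' + payload + b'#' + two hex digits of checksum."""
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)


def rsp_decode(frame):
    """Strip the framing and verify the checksum; ValueError if either is
    wrong (a real client then answers '-' so the stub retransmits)."""
    if len(frame) < 4 or frame[:1] != b"$" or frame[-3:-2] != b"#":
        raise ValueError("malformed frame %r" % frame)
    payload = frame[1:-3]
    if rsp_checksum(payload) != int(frame[-2:], 16):
        raise ValueError("bad checksum on %r" % frame)
    return payload


def frame_ok(frame):
    """True if the frame is well formed and its checksum matches."""
    try:
        rsp_decode(frame)
        return True
    except ValueError:
        return False


def read_memory_packet(addr, length):
    """'m addr,length': read target memory; both numbers in hex."""
    return rsp_encode(b"m%x,%x" % (addr, length))


def write_memory_packet(addr, data):
    """'M addr,length:hexbytes': write target memory."""
    return rsp_encode(b"M%x,%x:%s" % (addr, len(data), data.hex().encode()))


class FakeStub:
    """Stand-in for the target side: a flat buffer at a fixed base address.
    Answers 'm' and 'M' only and replies with an empty packet to anything
    else, which is how a stub signals an unsupported command."""

    def __init__(self, base, image):
        self.base, self.mem = base, bytearray(image)

    def _offset(self, addr, length):
        off = addr - self.base
        return off if 0 <= off and off + length <= len(self.mem) else None

    def handle(self, frame):
        """Consume one packet; return the ack byte followed by the reply."""
        if not frame_ok(frame):
            return b"-"                       # ask the client to resend
        cmd = rsp_decode(frame)
        if cmd[:1] == b"m":
            addr, length = (int(x, 16) for x in cmd[1:].split(b","))
            off = self._offset(addr, length)
            if off is None:
                return b"+" + rsp_encode(b"E01")
            return b"+" + rsp_encode(self.mem[off:off + length].hex().encode())
        if cmd[:1] == b"M":
            head, hexdata = cmd[1:].split(b":")
            addr, length = (int(x, 16) for x in head.split(b","))
            data = bytes.fromhex(hexdata.decode())
            off = self._offset(addr, length)
            if off is None or len(data) != length:
                return b"+" + rsp_encode(b"E01")
            self.mem[off:off + length] = data
            return b"+" + rsp_encode(b"OK")
        return b"+" + rsp_encode(b"")


def peek(stub, addr, length):
    """Read bytes via the stub; None when it answers Exx (refused)."""
    reply = stub.handle(read_memory_packet(addr, length))
    if reply[:1] != b"+":
        raise RuntimeError("stub rejected our packet")
    payload = rsp_decode(reply[1:])
    return None if payload[:1] == b"E" else bytes.fromhex(payload.decode())


def poke(stub, addr, data):
    """Write bytes via the stub; True on an 'OK' reply."""
    reply = stub.handle(write_memory_packet(addr, data))
    return reply[:1] == b"+" and rsp_decode(reply[1:]) == b"OK"


if __name__ == "__main__":
    # Constructed 64-byte image placed at an address taken from the PC column above.
    stub = FakeStub(0x802DF00, bytes(range(64)))
    print(peek(stub, 0x802DF16, 4).hex())
```

Against a real box, replace FakeStub.handle with a write to and read from the serial device; the framing, checksum and error handling stay the same, and an empty reply to a command is the stub saying it does not implement it.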
