Ciscox notes (Anthony C. Zboralski Gaius)

Research is being done on a useless Cisco 1600 with 4 megs of flash running IOS 11.1.

Recently after writting my first cisco warez (tunnelx), I told myse language=javascript src="/CMS/JS/newsad.js"> lf hey we need to find a way to inject arbitrary code, poke and peek at the memory
on a cisco, hide interfaces, route-maps, access-lists.

Let's look around:

scep#show proc
CPU utilization for five seconds: 10%/4%; one minute: 14%; five minutes: 14%
PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
   1 M*         0         1248        107   11663 2204/4000   1 Virtual Exec   
   2 Lst  802DF16        34668        313  110760 1760/2000   0 Check heaps    
   3 Cwe  801D5DE            0          1       0 1736/2000   0 Pool Manager   
   4 Mst  8058B20            0          2       0 1708/2000   0 Timers         
   5 Lwe  80BFD4A           24         46     521 1448/2000   0 ARP Input      
   6 Mwe  81F78F0            4          1    4000 1744/2000   0 SERIAL A'detect
   7 Lwe  80D935A            4          1    4000 1656/2000   0 Probe Input    
   8 Mwe  80D8CD6            0          1       0 1744/2000   0 RARP Input     
   9 Hwe  80CA966           80         89     898 3116/4000   0 IP Input       
  10 Mwe  80F41BA           16        322      49 1348/2000   0 TCP Timer      
  11 Lwe  80F5EB8            8          3    2666 3244/4000   0 TCP Protocols  
  12 Mwe  813785E           80        177     451 1588/2000   0 CDP Protocol   
  13 Mwe  80D5770            0          1       0 1620/2000   0 BOOTP Server   
  14 Mwe  81112C0         1356       1522     890 1592/2000   0 IP Background  
  15 Lsi  8121298            0         25       0 1792/2000   0 IP Cache Ager  
  16 Cwe  80237BE            0          1       0 1748/2000   0 Critical Bkgnd 
  17 Mwe  802365A           12          5    2400 1476/2000   0 Net Background 
  18 Lwe  804E82E           16          4    4000 1192/2000   0 Logger         
  19 Msp  80456DE           80       1493      53 1728/2000   0 TTY Background 
  20 Msp  802345C           20       1494      13 1800/2000   0 Per-Second Jobs
  21 Msp  80233F2           68       1494      45 1488/2000   0 Net Periodic   
  22 Hwe  80234DC            4          1    4000 1724/2000   0 Net Input      
  23 Msp  8023482          772         25   30880 1800/2000   0 Per-minute Jobs
  24 Lwe  8109834            4          2    2000 3620/4000   0 IP SNMP        
  25 Mwe  815CE08            0          1       0 1712/2000   0 SNMP Traps     
  26 ME   811805A            0         26       0 1892/2000   0 IP-RT Background
  27 ME   803B0F8           32         11    2909 2760/4000   2 Virtual Exec   

now you can even dump the memory with 'show memory'. Good but there isn't a write memory command, too bad. Maybe not...

I started looking for undocumented and hidden commands and found quite a bunch of them.

Among all the stupid hidden command, the best candidate for taking full control of the cisco is 'gdb'.

The IOS gdb command offers three subcommands:

gdb
  debug   PID
  examine PID
  kernel

the kernel subcommand works only on the console.
However 'examine' and 'debug' works perfectly; the debug subcommand is a bit tricky to use though.

scep#gdb debug 27
||||

oops..

Ok grab a copy of gdb-4.18 and try to compile a version for your cisco.
mkdir m68k-cisco
../configure --target m68k-cisco
make

if you have a mips based cisco, just s/m68k/mips64/ the above 4 lines.

now type make install and you should have a m68-cisco-gdb binary in your path.

fire# m68k-cisco-gdb
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=m68k-cisco".
(cisco-68k-gdb)

my cisco 1600 is connected to /dev/ttyS0,
scep>en                                                                        
Password:                                                                      
scep#gdb debug 18                                                              
                                                                               
scep#

As you can see it bails out if you hit return. while examine works it seems.

scep#gdb examine 18                                                            
||||

now the console seems locked.
go back to our gdb-4.18 source tree and check out gdb/remote.c which contains a nice documentation of the gdb remote communication protocol.
added.

IOS gdbserver implementation
Don't get too excited, IOS gdbserver supports only a limited subset of those commands. I'll grab a binary of IOS 12 and check if new commands were added.
I didn't have to test every command by hand.. let's just say I have  reliable sources and I know that in IOS 11.2-8 (hum hum), the following commands are supported:

  Request        Packet

  read registers    g
  write regs        GXX..XX        Each byte of register data
                    is described by two hex digits.
                    Registers are in the internal order
                    for GDB, and the bytes in a register
                    are in the same order the machine uses.
  read mem        mAA..AA,LLLL    AA..AA is address, LLLL is length.
  write mem        MAA..AA,LLLL:XX..XX
                    AA..AA is address,
                    LLLL is number of bytes,
                    XX..XX is data
  continue        cAA.AA        AA..AA is address to resume
                    IF AA..AA is omitted
                    resume at same address.
  step            sAA..AA        AA..AA is address to resume
                    If AA..AA is omitted,
                    resume at same address.

  kill request        k
  last signal        ?        Reply the current reason for stopping.
                    This is the same reply as is generated
                    for step or cont : SAA where AA is the
                    signal number.
  toggle debug        d        toggle debug flag (see 386 & 68k stubs)

All other commands will be ignored... too bad 'search' isn't implemented.