There are some stack overflow vulnerability in cisco IOS system like CVE-2017-6736 and CVE-2018-0171，but there are little exp or analysis for those vulnerability .So it’s hard to develop a rop chain. Recently I develop a CVE-2017-6736 exp for c2600, I want to record the analysis for this.
Firstly, we can enable the cisco debug output using
debug all command, when we connect the 23 port with telnet, we can see the string
AAA/LOCAL: exec, follow the string, we can find the function process aaa auth like this:
After some debug, I find that when the call of
p_ptr return 1, we can get lv1 shell directly. So the first step for rop is overwrite the
p_ptr to a gadget which return 1. Like this:
.text:80008210 loc_80008210: # CODE XREF: sub_8000819C+24↑j .text:80008210 li r3, 1 .text:80008214 blr
Notice: the end of the gadget must be blr , becase the call of powerpc always be
bctrl, which set the lr register, so we must choose the instruction that jmp to the lr register.
After get lv1 shell, we must get lv15 privilege to control the switch. I notice that when I use
enable command and input the wrong password, it will print
Bad secrets. So I find the xrefs for it. After some debug ,I find some interesting things:
wtf_flag is 0, and the function pointer
off_8234AC7C return 1 , the function can returns 1 then we can get lv15 shell. Then I overwrite those memory and success get the lv15 shell.
But there are some tricks for ppc rop develop. Firstly, CVE-2017-6736 can’t overflow much byte, so we can’t overwrite those memory with only one time. After overwrite one address , we must ensure that the snmp server run normally. A good way for this is return to the snmp thread function, it’s easy to find:
For gadget choose, there must be the instruction which get return address from stack and set the lr register like this:
.text:805CF304 stw r4, 0(r3) .text:805CF308 li r3, 1 .text:805CF30C .text:805CF30C loc_805CF30C: # CODE XREF: sub_805CF2C4+3C↑j .text:805CF30C lwz r0, 12(r1) .text:805CF310 mtlr r0 .text:805CF314 addi r1, r1, 8 .text:805CF318 blr
the gadget store the r4 register to [r3], and get the return address from 12(r1)( the r1 register is the stack pointer ).
others like this,is useless for rop development:
.text:817D235C lwz r9, 8(r1) .text:817D2360 lwz r0, 0x10(r1) .text:817D2364 stw r0, 0x34(r9) .text:817D2368 addi r1, r1, 0x18 .text:817D236C blr
It seems like complete address in one gadget, but we can’t control the lr register , so it while be a endless loop or crash.