
Technical Sharing: Cisco IOS Process Debugging


Author: 巧巧读书  Source: 巧巧读书  August 21, 2008

Keywords: Cisco IOS, process, system process, process management


  Ciscox notes (Anthony C. Zboralski Gaius)

  Research is being done on a useless Cisco 1600 with 4 megs of flash running IOS 11.1.

  Recently, after writing my first cisco warez (tunnelx), I told myself: hey, we need to find a way to inject arbitrary code, poke and peek at the memory on a cisco, hide interfaces, route-maps, access-lists.

  Let's look around:

  scep#show proc
  CPU utilization for five seconds: 10%/4%; one minute: 14%; five minutes: 14%
   PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
     1 M*         0         1248        107   11663 2204/4000   1 Virtual Exec
     2 Lst  802DF16        34668        313  110760 1760/2000   0 Check heaps
     3 Cwe  801D5DE            0          1       0 1736/2000   0 Pool Manager
     4 Mst  8058B20            0          2       0 1708/2000   0 Timers
     5 Lwe  80BFD4A           24         46     521 1448/2000   0 ARP Input
     6 Mwe  81F78F0            4          1    4000 1744/2000   0 SERIAL A'detect
     7 Lwe  80D935A            4          1    4000 1656/2000   0 Probe Input
     8 Mwe  80D8CD6            0          1       0 1744/2000   0 RARP Input
     9 Hwe  80CA966           80         89     898 3116/4000   0 IP Input
    10 Mwe  80F41BA           16        322      49 1348/2000   0 TCP Timer
    11 Lwe  80F5EB8            8          3    2666 3244/4000   0 TCP Protocols
    12 Mwe  813785E           80        177     451 1588/2000   0 CDP Protocol
    13 Mwe  80D5770            0          1       0 1620/2000   0 BOOTP Server
    14 Mwe  81112C0         1356       1522     890 1592/2000   0 IP Background
    15 Lsi  8121298            0         25       0 1792/2000   0 IP Cache Ager
    16 Cwe  80237BE            0          1       0 1748/2000   0 Critical Bkgnd
    17 Mwe  802365A           12          5    2400 1476/2000   0 Net Background
    18 Lwe  804E82E           16          4    4000 1192/2000   0 Logger
    19 Msp  80456DE           80       1493      53 1728/2000   0 TTY Background
    20 Msp  802345C           20       1494      13 1800/2000   0 Per-Second Jobs
    21 Msp  80233F2           68       1494      45 1488/2000   0 Net Periodic
    22 Hwe  80234DC            4          1    4000 1724/2000   0 Net Input
    23 Msp  8023482          772         25   30880 1800/2000   0 Per-minute Jobs
    24 Lwe  8109834            4          2    2000 3620/4000   0 IP SNMP
    25 Mwe  815CE08            0          1       0 1712/2000   0 SNMP Traps
    26 ME   811805A            0         26       0 1892/2000   0 IP-RT Background
    27 ME   803B0F8           32         11    2909 2760/4000   2 Virtual Exec

  Now you can even dump the memory with 'show memory'. Good, but there isn't a command to write to memory, too bad. Maybe not...

  I started looking for undocumented and hidden commands and found quite a bunch of them.

  Among all the stupid hidden commands, the best candidate for taking full control of the cisco is 'gdb'.

  The IOS gdb command offers three subcommands:

  gdb
    debug   PID
    examine PID
    kernel

  The kernel subcommand works only on the console.

  However, 'examine' and 'debug' work perfectly; the debug subcommand is a bit tricky to use, though.

  scep#gdb debug 27

  ||||

  oops..

  Ok, grab a copy of gdb-4.18 and try to compile a version for your cisco:

  mkdir m68k-cisco
  cd m68k-cisco
  ../configure --target m68k-cisco
  make

  If you have a MIPS-based cisco, just s/m68k/mips64/ the above 4 lines.

  Now type make install and you should have a m68k-cisco-gdb binary in your path.

  fire# m68k-cisco-gdb

  GNU gdb 4.18

  Copyright 1998 Free Software Foundation, Inc.

  GDB is free software, covered by the GNU General Public License, and you are

  welcome to change it and/or distribute copies of it under certain conditions.

  Type "show copying" to see the conditions.

  There is absolutely no warranty for GDB. Type "show warranty" for details.

  This GDB was configured as "--host=i686-pc-linux-gnu --target=m68k-cisco".

  (cisco-68k-gdb)

  My Cisco 1600 is connected to /dev/ttyS0:

  scep>en

  Password:

  scep#gdb debug 18

  scep#

  As you can see, it bails out if you hit return, while examine seems to work:

  scep#gdb examine 18

  ||||

  Now the console seems locked.

  Go back to our gdb-4.18 source tree and check out gdb/remote.c, which contains nice documentation of the gdb remote communication protocol.

  IOS gdbserver implementation

  Don't get too excited: the IOS gdbserver supports only a limited subset of those commands. I'll grab a binary of IOS 12 and check if new commands were added.

  I didn't have to test every command by hand... let's just say I have reliable sources and I know that in IOS 11.2-8 (hum hum), the following commands are supported:

  Request          Packet
  read registers   g
  write regs       GXX..XX              Each byte of register data is described by two hex
                                        digits. Registers are in the internal order for GDB,
                                        and the bytes in a register are in the same order the
                                        machine uses.
  read mem         mAA..AA,LLLL         AA..AA is address, LLLL is length.
  write mem        MAA..AA,LLLL:XX..XX  AA..AA is address, LLLL is number of bytes,
                                        XX..XX is data.
  continue         cAA..AA              AA..AA is address to resume. If AA..AA is omitted,
                                        resume at same address.
  step             sAA..AA              AA..AA is address to resume. If AA..AA is omitted,
                                        resume at same address.
  kill request     k
  last signal      ?                    Reply the current reason for stopping. This is the
                                        same reply as is generated for step or cont: SAA,
                                        where AA is the signal number.
  toggle debug     d                    Toggle debug flag (see 386 & 68k stubs).

  All other commands will be ignored... too bad 'search' isn't implemented.

  The protocol is simple, quoting remote.c comments:

  A debug packet whose contents are <data> is encapsulated for transmission in the form:

  $ <data> # CSUM1 CSUM2

  <data> must be ASCII alphanumeric and cannot include the characters '$' or '#'. If <data> starts with two characters followed by ':', then the existing stubs interpret this as a sequence number.

  CSUM1 and CSUM2 are the ASCII hex representation of an 8-bit checksum of <data>; the most significant nibble is sent first. The hex digits 0-9, a-f are used.
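  The framing rule just quoted and the table of requests the IOS stub honours, worked into code. This is an added example, not part of Gaius's notes: it builds the $...#CS frames for the accepted subset (read registers, read memory, write memory) and verifies the checksum on whatever the router sends back, refusing a frame whose checksum does not match rather than treating it as memory contents. The function names, the PKT_MAX constant and the sample address (the PC of the "Check heaps" process in the show proc listing above) are this example's own; it also assumes replies use the same $<data>#CS framing as requests, and it does not handle the '+'/'-' acknowledgement bytes of the full protocol, since the notes do not say whether the IOS stub sends them.

```c
/* Added example (not from the original notes): GDB remote-protocol framing
 * for the request subset the IOS gdb stub accepts, plus reply verification.
 * Function names, PKT_MAX and the sample address are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_MAX 256

/* 8-bit sum of every byte of <data>, reduced modulo 256 (CSUM1 CSUM2). */
static unsigned char gdb_checksum(const char *data, size_t len)
{
    unsigned char sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += (unsigned char)data[i];
    return sum;
}

/* Wrap <data> as "$<data>#CS". Returns a static buffer (one frame at a
 * time, which is all a single serial line needs), or NULL when <data>
 * contains '$' or '#' or would not fit. */
const char *gdb_frame(const char *data)
{
    static char out[PKT_MAX];
    size_t len = strlen(data);
    if (strpbrk(data, "$#") != NULL || len + 5 > sizeof out)
        return NULL;
    snprintf(out, sizeof out, "$%s#%02x", data, gdb_checksum(data, len));
    return out;
}

/* "read mem": m<addr>,<len>, both in lowercase hex as remote.c specifies. */
const char *gdb_read_mem_packet(uint32_t addr, uint32_t len)
{
    char data[32];
    snprintf(data, sizeof data, "m%x,%x", (unsigned)addr, (unsigned)len);
    return gdb_frame(data);
}

/* "write mem": M<addr>,<n>:<hex bytes>, two hex digits per byte. */
const char *gdb_write_mem_packet(uint32_t addr, const uint8_t *bytes, size_t n)
{
    char data[PKT_MAX];
    int pos = snprintf(data, sizeof data, "M%x,%zx:", (unsigned)addr, n);
    if (pos < 0 || (size_t)pos + 2 * n + 1 > sizeof data)
        return NULL;
    for (size_t i = 0; i < n; i++)
        pos += snprintf(data + pos, sizeof data - (size_t)pos, "%02x", bytes[i]);
    return gdb_frame(data);
}

/* Strip the framing from a reply such as "$<data>#CS". Returns <data> in a
 * static buffer, or NULL on malformed framing or a checksum mismatch. The
 * mismatch case is the one that matters: the link is a raw serial line, and
 * a corrupted reply to 'm' would otherwise pass for real memory contents. */
const char *gdb_unframe(const char *frame)
{
    static char out[PKT_MAX];
    if (frame[0] != '$')
        return NULL;
    const char *hash = strchr(frame + 1, '#');
    if (hash == NULL || strlen(hash) < 3)
        return NULL;
    size_t len = (size_t)(hash - (frame + 1));
    if (len + 1 > sizeof out)
        return NULL;
    unsigned int want;
    if (sscanf(hash + 1, "%2x", &want) != 1)
        return NULL;
    if (gdb_checksum(frame + 1, len) != (unsigned char)want)
        return NULL;
    memcpy(out, frame + 1, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    const uint8_t patch[2] = { 0xde, 0xad };   /* constructed sample bytes */

    printf("%s\n", gdb_frame("g"));                            /* $g#67 */
    printf("%s\n", gdb_read_mem_packet(0x802DF16, 4));         /* 4 bytes at "Check heaps" PC */
    printf("%s\n", gdb_write_mem_packet(0x802DF16, patch, 2));
    /* A reply whose checksum does not match its data is refused. */
    printf("%s\n", gdb_unframe("$g#68") ? "accepted" : "rejected");
    return 0;
}
```

  Compile with any C99 compiler; the printed frame is pasted onto the |||| prompt exactly like the output of the author's gdbproto tool below, and gdb_unframe is what you run over the bytes that come back on the serial line before trusting them.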

  Before trying to make gdb work, I wrote a little program that computes the right checksum:

  #include <stdio.h>
  #include <stdlib.h>

  unsigned char const hexchars[] = "0123456789abcdef";

  /* Low nibble of c as an ASCII hex digit. */
  char tohexchar(unsigned char c)
  {
      return hexchars[c & 0x0f];
  }

  int main(int argc, char **argv)
  {
      unsigned char checksum;   /* 8-bit sum of the packet data, wraps mod 256 */
      int count;
      char *command;
      char ch;

      if (argc <= 1)
          exit(1);

      printf("gdb protocol command: ");
      command = argv[1];
      putchar('$');
      checksum = count = 0;
      while ((ch = command[count]))
      {
          putchar(ch);
          checksum += ch;
          count++;
      }
      putchar('#');
      putchar(tohexchar(checksum >> 4));   /* most significant nibble first */
      putchar(tohexchar(checksum));
      putchar(' ');
      return 0;
  }

  ./gdbproto g

  gdb protocol command: $g#67

  Now paste that on the |||| prompt and you get register output:

  scep
