Technical sharing: Cisco IOS process debugging


Ciscox notes (Anthony C. Zboralski Gaius)
Research is being done on a useless Cisco 1600 with 4 megs of flash running IOS 11.1.
Recently after writing my first cisco warez (tunnelx), I told myself hey we need to find a way to inject arbitrary code, poke and peek at the memory
on a cisco, hide interfaces, route-maps, Access-lists.
Let's look around:
scep#show proc
CPU utilization for five seconds: 10%/4%; one minute: 14%; five minutes: 14%
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
1 M* 0 124810711663 2204/40001 Virtual Exec
2 Lst 802DF1634668313 110760 1760/20000 Check heaps
3 Cwe 801D5DE0 10 1736/20000 Pool Manager
4 Mst 8058B200 20 1708/20000 Timers
5 Lwe 80BFD4A24 46 521 1448/20000 ARP Input
6 Mwe 81F78F04 14000 1744/20000 SERIAL A'detect
7 Lwe 80D935A4 14000 1656/20000 Probe Input
8 Mwe 80D8CD60 10 1744/20000 RARP Input
9 Hwe 80CA96680 89 898 3116/40000 IP Input
10 Mwe 80F41BA16322 49 1348/20000 TCP Timer
11 Lwe 80F5EB88 32666 3244/40000 TCP Protocols
12 Mwe 813785E80177 451 1588/20000 CDP Protocol
13 Mwe 80D57700 10 1620/20000 BOOTP Server
14 Mwe 81112C0 13561522 890 1592/20000 IP Background
15 Lsi 81212980 250 1792/20000 IP Cache Ager
16 Cwe 80237BE0 10 1748/20000 Critical Bkgnd
17 Mwe 802365A12 52400 1476/20000 Net Background
18 Lwe 804E82E16 44000 1192/20000 Logger
19 Msp 80456DE801493 53 1728/20000 TTY Background
20 Msp 802345C201494 13 1800/20000 Per-Second Jobs
21 Msp 80233F2681494 45 1488/20000 Net Periodic
22 Hwe 80234DC4 14000 1724/20000 Net Input
23 Msp 8023482 772 2530880 1800/20000 Per-minute Jobs
24 Lwe 81098344 22000 3620/40000 IP SNMP
25 Mwe 815CE080 10 1712/20000 SNMP Traps
26 ME811805A0 260 1892/20000 IP-RT Background
27 ME803B0F832 112909 2760/40002 Virtual Exec
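The process table above is the natural place to start when looking for something that does not belong on a router. As an added example (not part of these notes), here is a small parser for "show processes" output in the column layout of the header above, plus two checks a defender would run on a capture: which process names are missing from a known-good baseline, and which processes are running low on stack headroom. The sample capture is constructed, with made-up values, and the baseline set is an assumption for illustration; on Cisco's documented meaning of the Stacks column the left number is the low-water mark of free stack and the right number is the total stack size.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# CONSTRUCTED sample in the layout of the "show processes" header above
# (PID QTy PC Runtime(ms) Invoked uSecs Stacks TTY Process); values are made up.
SAMPLE_SHOW_PROC = """\
CPU utilization for five seconds: 10%/4%; one minute: 14%; five minutes: 14%
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
   1 M*          0         1248      10711    1663 2204/4000   1 Virtual Exec
   2 Lst  802DF163         4668        313   11076 1760/2000   0 Check heaps
   9 Hwe  80CA9668            0         89     898 3116/4000   0 IP Input
  11 Lwe  80F5EB88           32        666    3200 3244/4000   0 TCP Protocols
  27 ME   803B0F83           32       1129    2760 2760/4000   2 Virtual Exec
  28 Mwe  80E01234           12         40     300  400/2000   0 Test Process
"""

# Assumed known-good process names for this box (illustrative baseline).
BASELINE = {"Virtual Exec", "Check heaps", "IP Input", "TCP Protocols"}


@dataclass
class ProcessEntry:
    pid: int
    qty: str            # queue priority + state flags, e.g. "Lwe", "M*"
    pc: int             # program counter, printed in hex
    runtime_ms: int
    invoked: int
    usecs: int
    stack_low: int      # low-water mark of free stack (bytes)
    stack_total: int    # total stack size (bytes)
    tty: int
    name: str


_LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<qty>\S+)\s+(?P<pc>[0-9A-Fa-f]+)\s+(?P<runtime>\d+)\s+"
    r"(?P<invoked>\d+)\s+(?P<usecs>\d+)\s+(?P<low>\d+)/(?P<total>\d+)\s+"
    r"(?P<tty>\d+)\s+(?P<name>.+?)\s*$"
)


def parse_show_processes(text: str) -> List[ProcessEntry]:
    """One ProcessEntry per process line; the utilization and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        entries.append(ProcessEntry(
            pid=int(m["pid"]), qty=m["qty"], pc=int(m["pc"], 16),
            runtime_ms=int(m["runtime"]), invoked=int(m["invoked"]),
            usecs=int(m["usecs"]), stack_low=int(m["low"]),
            stack_total=int(m["total"]), tty=int(m["tty"]), name=m["name"],
        ))
    return entries


def find_unexpected(entries: Iterable[ProcessEntry], baseline: Iterable[str]) -> List[str]:
    """Process names present in the capture but absent from the baseline, in PID order."""
    known = set(baseline)
    unexpected: List[str] = []
    for e in entries:
        if e.name not in known and e.name not in unexpected:
            unexpected.append(e.name)
    return unexpected


def low_stack_headroom(entries: Iterable[ProcessEntry], min_ratio: float = 0.25) -> List[str]:
    """Processes whose free-stack low-water mark fell below min_ratio of the total stack."""
    return [e.name for e in entries if e.stack_low / e.stack_total < min_ratio]


if __name__ == "__main__":
    procs = parse_show_processes(SAMPLE_SHOW_PROC)
    print("not in baseline:", find_unexpected(procs, BASELINE))
    print("low stack headroom:", low_stack_headroom(procs))
```

Feed it a real capture taken from a healthy device first and save the names as the baseline; a later capture that adds a name, or shows a process whose stack low-water mark keeps dropping, is what you want to go and look at.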
Now you can even dump the memory with "show memory". Good, but there isn't a write memory command, too bad. Maybe not...
I started looking for undocumented and hidden commands and found quite a bunch of them.
Among all the stupid hidden commands, the best candidate for taking full control of the cisco is "gdb".
The IOS gdb command offers three subcommands:
gdb debug PID
gdb examine PID
gdb kernel
The kernel subcommand works only on the console.
However "examine" and "debug" work perfectly; the debug subcommand is a bit tricky to use though.
scep#gdb debug 27
oops..
Ok, grab a copy of gdb-4.18 and try to compile a version for your cisco.
mkdir m68k-cisco
cd m68k-cisco
../configure --target m68k-cisco
make
if you have a MIPS-based cisco, just s/m68k/mips64/ the above 4 lines.
now type make install and you should have a m68k-cisco-gdb binary in your path.
fire# m68k-cisco-gdb
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-Linux-gnu --target=m68k-cisco".
(cisco-68k-gdb)
my cisco 1600 is connected to /dev/ttyS0,
scep>en
Password:
scep#gdb debug 18
scep#
As you can see it bails out if you hit return, while examine seems to work.
scep#gdb examine 18
now the console seems locked.
Go back to our gdb-4.18 source tree and check out gdb/remote.c, which contains nice documentation of the gdb remote communication protocol.
IOS gdbserver implementation
Don't get too excited, IOS gdbserver supports only a limited subset of those commands. I'll grab a binary of IOS 12 and check if new commands were added.
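To make concrete what gdb/remote.c describes and what "a limited subset" means for the target side, here is an added example (not from these notes, and not GDB's or Cisco's code) of the remote serial protocol's packet framing: every packet is '$' + payload + '#' + a two-digit hex checksum (the payload bytes summed modulo 256), the peer acks with '+' or naks with '-', and a stub that does not implement a command answers with an empty packet. The toy `simulated_stub` below stands in for the target and deliberately implements only the 'm' (read memory) request, over a constructed memory image; that is enough to see what an examine session over the console exposes, and why a reply must be checksum-verified before it is trusted.

```python
from typing import Dict, Optional

HEX_DIGITS = b"0123456789abcdefABCDEF"


def rsp_checksum(data: bytes) -> int:
    # Sum of the payload bytes modulo 256, sent as two hex digits after '#'.
    return sum(data) % 256


def rsp_encode(data: bytes) -> bytes:
    """Frame a payload as $<data>#<cc>."""
    return b"$" + data + b"#" + b"%02x" % rsp_checksum(data)


def rsp_decode(frame: bytes) -> bytes:
    """Unframe and verify; raise ValueError on a malformed or corrupted packet."""
    if len(frame) < 4 or frame[:1] != b"$" or frame[-3:-2] != b"#":
        raise ValueError("malformed packet")
    data, digits = frame[1:-3], frame[-2:]
    if any(c not in HEX_DIGITS for c in digits):
        raise ValueError("bad checksum digits")
    if rsp_checksum(data) != int(digits, 16):
        raise ValueError("checksum mismatch")
    return data


def read_memory_request(addr: int, length: int) -> bytes:
    """'m' packet: read <length> bytes at <addr>, both in hex."""
    return rsp_encode(b"m%x,%x" % (addr, length))


def parse_memory_reply(frame: bytes) -> Optional[bytes]:
    """Bytes read on success, None if the stub does not implement 'm', RuntimeError on Exx."""
    data = rsp_decode(frame)
    if data == b"":
        return None                      # empty reply = command unsupported
    if data[:1] == b"E":
        raise RuntimeError("target reported error %s" % data[1:].decode())
    return bytes.fromhex(data.decode())


# CONSTRUCTED memory image: 16 bytes at an illustrative base address.
CONSTRUCTED_MEMORY: Dict[int, bytes] = {0x80000000: bytes(range(16))}


def simulated_stub(frame: bytes, memory: Dict[int, bytes] = CONSTRUCTED_MEMORY) -> bytes:
    """Toy target that, like the IOS stub, answers only part of the command set ('m' here)."""
    data = rsp_decode(frame)
    if data[:1] != b"m":
        return rsp_encode(b"")           # anything else: unsupported
    addr_s, len_s = data[1:].split(b",", 1)
    addr, length = int(addr_s, 16), int(len_s, 16)
    for base, blob in memory.items():
        if base <= addr and addr + length <= base + len(blob):
            chunk = blob[addr - base:addr - base + length]
            return rsp_encode(chunk.hex().encode())
    return rsp_encode(b"E01")            # read outside the mapped image


def read_memory(addr: int, length: int, stub=simulated_stub) -> Optional[bytes]:
    """Full exchange: build the request, hand it to the target, decode the reply."""
    return parse_memory_reply(stub(read_memory_request(addr, length)))


if __name__ == "__main__":
    print(read_memory_request(0x80000000, 4))      # b'$m80000000,4#55'
    print(read_memory(0x80000004, 4))              # b'\x04\x05\x06\x07'
    print(parse_memory_reply(simulated_stub(rsp_encode(b"g"))))  # None: 'g' unsupported
```

Swapping `simulated_stub` for a function that writes the frame to the serial line and reads back the reply gives the same decode path; the checksum check is what keeps a noisy console from being mistaken for a valid answer, and the empty-packet case is exactly how you discover which commands a given IOS build does and does not implement.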
