rop development in cisco ios

There are some stack overflow vulnerability in cisco IOS system like CVE-2017-6736 and CVE-2018-0171，but there are little exp or analysis for those vulnerability .So it’s hard to develop a rop chain. Recently I develop a CVE-2017-6736 exp for c2600, I want to record the analysis for this.

Firstly, we can enable the cisco debug output using debug all command, when we connect the 23 port with telnet, we can see the string AAA/LOCAL: exec, follow the string, we can find the function process aaa auth like this:

After some debug, I find that when the call of p_ptr return 1, we can get lv1 shell directly. So the first step for rop is overwrite the p_ptr to a gadget which return 1. Like this:

.text:80008210 loc_80008210:                           # CODE XREF: sub_8000819C+24↑j
.text:80008210                 li        r3, 1
.text:80008214                 blr

Notice: the end of the gadget must be blr , becase the call of powerpc always be bctrl, which set the lr register, so we must choose the instruction that jmp to the lr register.

After get lv1 shell, we must get lv15 privilege to control the switch. I notice that when I use enable command and input the wrong password, it will print Bad secrets. So I find the xrefs for it. After some debug ,I find some interesting things:

when the wtf_flag is 0, and the function pointer

off_8234AC7C return 1 , the function can returns 1 then we can get lv15 shell. Then I overwrite those memory and success get the lv15 shell.

But there are some tricks for ppc rop develop. Firstly, CVE-2017-6736 can’t overflow much byte, so we can’t overwrite those memory with only one time. After overwrite one address , we must ensure that the snmp server run normally. A good way for this is return to the snmp thread function, it’s easy to find:

For gadget choose, there must be the instruction which get return address from stack and set the lr register like this:

.text:805CF304                 stw       r4, 0(r3)
.text:805CF308                 li        r3, 1
.text:805CF30C
.text:805CF30C loc_805CF30C:                           # CODE XREF: sub_805CF2C4+3C↑j
.text:805CF30C                 lwz       r0, 12(r1)
.text:805CF310                 mtlr      r0
.text:805CF314                 addi      r1, r1, 8
.text:805CF318                 blr

the gadget store the r4 register to [r3], and get the return address from 12(r1)( the r1 register is the stack pointer ).

others like this,is useless for rop development:

.text:817D235C                 lwz       r9, 8(r1)
.text:817D2360                 lwz       r0, 0x10(r1)
.text:817D2364                 stw       r0, 0x34(r9)
.text:817D2368                 addi      r1, r1, 0x18
.text:817D236C                 blr

It seems like complete address in one gadget, but we can’t control the lr register , so it while be a endless loop or crash.