Hey Andy,

For sure the shellcodes can be used in a local attack, but I want to see you using a connect back shellcode locally in an IOS system ;) that's why I said explicitly remote.

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo

Kernel Hacking: If i really know, i can hack

GPG KeyID: 1FCEDEA1

--------- Original Message --------
From: Andy Davis <[EMAIL PROTECTED]>
To: Rodrigo Rubira Branco BSDaemon <[EMAIL PROTECTED]>, [email protected] <[email protected]>
Subject: RE: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS Exploitation Techniques
Date: 10/10/07 09:58

> It doesn't even need to be a remote vulnerability - all three techniques
> could be used to perform privilege escalation attacks against local
> vulnerabilities within IOS.
>
> Andy
>
> -----Original Message-----
> From: Rodrigo Rubira Branco (BSDaemon)
> [mailto:[EMAIL PROTECTED]
> Sent: 10 October 2007 10:46
> To: Gaus; "[email protected]"@fjaunet.com.br; Andy Davis
> Subject: Re: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS
> Exploitation Techniques
>
> Also if you have any vulnerability (remote) that can lead to code
> execution, right?
>
> cya,
>
> Rodrigo (BSDaemon).
>
> --
> http://www.kernelhacking.com/rodrigo
>
> Kernel Hacking: If i really know, i can hack
>
> GPG KeyID: 1FCEDEA1
>
> --------- Original Message --------
> From: Gaus <[EMAIL PROTECTED]>
> To: [email protected] <[email protected]>, Andy Davis <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS Exploitation Techniques
> Date: 10/10/07 09:18
>
> > Hello,
> >
> > This is the response from Cisco PSIRT related to this matter.
> >
> > On Wed, Oct 10, 2007 at 10:55:54AM +0100, Andy Davis wrote:
> > > During the research, three shellcode payloads for IOS exploits were
> > > developed - a "reverse" shell, a password-protected "bind" shell and
> > > another "bind" shell that is achieved using only two 1-byte memory
> > > overwrites. IRM have produced videos demonstrating each of these
> > > payloads in action within a development environment. They can be viewed
> >
> > Cisco PSIRT is aware of the three videos IRM Plc. published on their
> > web site at <http://www.irmplc.com/index.php/153-Embedded-Systems-Security>.
> >
> > Cisco and IRM agree that the videos do not demonstrate or represent a
> > vulnerability in Cisco IOS. Specifically, the code to manipulate
> > Cisco IOS could be inserted only under the following conditions:
> >
> > - Usage of the debugger functionality present in IOS
> >
> > - Having physical access to the device
> >
> > - Already logged in at the highest privilege level on the device.
> >
> > IRM approached Cisco PSIRT with this information prior to its public
> > release and Cisco has confirmed the information provided is a
> > proof-of-concept that third party code could be inserted under these
> > specific conditions.
> >
> > Regards,
> >
> > Gaus
> >
> > Damir Rajnovic <[EMAIL PROTECTED]>, PSIRT Incident Manager, Cisco Systems
> > <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
> > 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
> > There are no insolvable problems.
> > The question is can you accept the solution?
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> ________________________________________________
> Message sent using UebiMiau 2.7.2
