Yes it does. However, if ACLs have been applied to all available VTY lines on the router then a third memory overwrite is required to remove the ACL on the VTY line to which you'd like to connect - this is straightforward to do.

Andy

________________________________________
From: Abuse 007 [mailto:abuse007@xxxxxxxxx]
Sent: 16 October 2007 16:37
To: Andy Davis
Cc: Halvar Flake; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques

Hi Andy,

What if the VTY has a password on it, in addition to an ACL and the privilege level? Does the tiny-shell exploit also overcome this obstacle?

Cheers.

On 10/11/07, Andy Davis <andy.davis@xxxxxxxxxx> wrote:

Halvar,

The primary objective of the research was to understand how to create a remote high privilege shell on IOS (as Michael Lynn demonstrated at BlackHat 2005) - this was achieved and in the process, we discovered three ways of doing it. Because we had worked out how to use gdb with IOS, the easiest way for us to develop the shellcode was by using gdb to upload the code to some spare IOS memory and hook into an IOS process that was already running to execute it.

The secondary objective was making the shellcode as compact as possible, with the minimal number of hard-coded function addresses as possible (due to the monolithic nature of IOS - every version will have these functions at slightly different addresses). During this process we discovered the "tiny shell" technique (demonstrated in one of the videos) - all that is required to gain a remote shell on IOS (that has at least one VTY enabled) is two 1-byte memory overwrites. The first byte modification removes access control to the VTY and the second privilege escalates to Level 15.

Personally I think these techniques are pretty cool and we're really pleased with the results of the research - I think it may be clearer to everyone when we release the higher resolution videos that are easier to watch.
Cheers,

Andy

-----Original Message-----
From: Halvar Flake [mailto:halvar.flake@xxxxxxxxxxxxxxxxxx]
Sent: 12 October 2007 07:32
To: Andy Davis; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques

Hey Andy,

thanks. So the core of IRMs work is "ways of getting a Cisco shell over the network with a small/minimal number of hardcoded addresses"?

Cheers,
Halvar