--== P H E N O E L I T ==--
               ____  _______                      _____       _______
     ____   ____  / /__  __/  __   ___ ______    /    /______/__  __/   ______
    /   /  /   / /    / / -*-/  \_/  //     /   /    /      /  / / -*- / __  /
   /   /  /   / /    / / __ / /\_// // __  /   / /\ \  __  /  / / __  / / / /
  /   /__/   / /____/ / / // /   / // / / /   / / / / / / /  / / / / / /_/ /
 /__________/______/_/ /_//_/   /_//_/ /_/   /_/ /_/_/ /_/  /_/ /_/ /_____/

  

A remote Cisco IOS exploit

Just another exploit shown in Las Vegas 2003:
IOS 11.x remote HTTP exploit: CiscoCasumEst.tgz
IOS 11.x remote sniffer: iosniff.tgz

Just the example exploit from Las Vegas 2002:
Cisco IOS 11.1-11.3 TFTP-Server remote exploit. Uploads the config supplied on the command line to the router and restarts it. Code works unmodified on Cisco 1600 series routers. With a little tweaking of the stack address and other stuff, it should work on the 1000 series too. Exploitation of 11.1 is a bit more complicated. Feedback appreciated.
UltimaRatioVegas.c

The Cisco VPN Concentrator DoS code is available here

Cisco IOS 11.2.x-12.0.x OSPF remote exploit is here

IOStack.pl is a script to read out IOS stack return address locations. Give it a try on your Cisco boxes.
Download the second version here: IOStack2.tgz (Old version: IOStack.tgz)