Didier Stevens

Cisco Tricks

Here’s a trick to force a Cisco router to create a crashinfo file. Do this on a lab router, make sure you’ve saved your config, and connect via the serial console.

There is a hidden IOS command to simulate a crash (test crash), but we will cause a real crash by corrupting the heap.

Make sure you can break into ROMMON while IOS is running by properly setting the config register. Mine is 0x2002 on my test router.

Let’s view the blocks on the heap:

router#show memory processor 

          Processor memory

 Address      Bytes     Prev     Next Ref     PrevF    NextF Alloc PC  what
856C9360 0001044696 00000000 857C8468 000  0        884BA104 8267F20C  *Init*
857C8468 0000020004 856C9360 857CD2BC 001  -------- -------- 8002067C  Managed Chunk Queue Elements
...

Break into ROMMON.

router#        

*** System received an abort due to Break Key ***

signal= 0x3, code= 0x500, context= 0x88159248

PC = 0x80224cd4, Vector = 0x500, SP = 0x8804fd34

rommon 1 >

Issue the priv command. Most likely you’ll be asked for a password; you can calculate it from the cookie (use Google to find a howto).

rommon 4 > priv
Password:
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
rommon 5 >

Dump the header of the first heap block (get the address from the result of show memory processor):

rommon 5 > dump 856C9360 40
856c9360  ab12 34cd fffe 0000 0000 0000 8432 11a0 ..4..........2..
856c9370  8267 f20c 857c 8468 84fc e6d0 0007 f86c .g...|.h.......l
856c9380  0000 0000 8267 f240 0000 0001 8801 89b8 .....g.@........
856c9390  dead beef 8267 f240 0000 0000 0d0d 0d0d .....g.@........

The magic number AB1234CD marks the start of the block header. We will overwrite this value, which will cause a crash when the memory corruption check process detects the invalid header.

rommon 6 > alter 856C9360
856c9360 = ab12 > 0
856c9362 = 34cd > q
rommon 7 > dump 856C9360 40
856c9360  0000 34cd fffe 0000 0000 0000 8432 11a0 ..4..........2..
856c9370  8267 f20c 857c 8468 84fc e6d0 0007 f86c .g...|.h.......l
856c9380  0000 0000 8267 f240 0000 0001 8801 89b8 .....g.@........
856c9390  dead beef 8267 f240 0000 0000 0d0d 0d0d .....g.@........

Then we return to IOS and wait for the memory corruption check process to do its work:

rommon 9 > cont

router#

I believe this process runs every minute, so have a bit of patience and soon you’ll see the crash happening:

validblock_diagnose, code = 2

current memory block, bp = 0x856C9360,
memorypool type is Processor
data check, ptr = 0x856C9390

next memory block, bp = 0x857C8468,
memorypool type is Processor
data check, ptr = 0x857C8498
bp_prev(0x00000000) not in any mempool
========= Dump bp = 0x856C9360 ======================

856C9260:        0        0        0        0        0        0        0        0
856C9280:        0        0        0        0        0        0        0        0
856C92A0:        0        0        0        0        0        0        0        0
...
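The checks the crash trace makes visible (the header magic at the block start and the DEADBEEF marker where "data check, ptr" points, 0x30 bytes in) can be reproduced offline on the rommon dump text. This is an added example, not code from the original post; the field offsets for Alloc PC and Next are inferred from matching the dump against the show memory processor output above, and the dump-parsing itself is this example's own assumption.

```python
# Added example: parse the rommon "dump" listings shown in the post and apply the
# header sanity checks that the crash trace reveals. Not part of the original post.
import re
import struct

HEADER_MAGIC = 0xAB1234CD  # value at the start of an IOS heap block header (seen in the dump)
DATA_MARKER = 0xDEADBEEF   # marker at the "data check, ptr" address in the crash trace
HEADER_LEN = 0x30          # 0x856C9390 - 0x856C9360, taken from the crash trace

# rommon dump output as shown in the post, before and after the 'alter' command
DUMP_BEFORE = """\
856c9360  ab12 34cd fffe 0000 0000 0000 8432 11a0 ..4..........2..
856c9370  8267 f20c 857c 8468 84fc e6d0 0007 f86c .g...|.h.......l
856c9380  0000 0000 8267 f240 0000 0001 8801 89b8 .....g.@........
856c9390  dead beef 8267 f240 0000 0000 0d0d 0d0d .....g.@........
"""
DUMP_AFTER = DUMP_BEFORE.replace("856c9360  ab12 34cd", "856c9360  0000 34cd")

# one dump line: 8-digit address, eight 16-bit words, then the ASCII column (ignored)
LINE_RE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{4}\s+){8})")

def parse_dump(text):
    """Return (base_address, raw_bytes) for a contiguous rommon dump listing."""
    base, chunks = None, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(b"".join(chunks)):
            raise ValueError("dump lines are not contiguous at %#x" % addr)
        chunks.append(bytes.fromhex(m.group(2).replace(" ", "")))
    return base, b"".join(chunks)

def validblock(text):
    """Mimic the two checks in the crash trace; an empty 'problems' list means the header looks sane."""
    base, data = parse_dump(text)
    (magic,) = struct.unpack_from(">I", data, 0)
    alloc_pc, nxt = struct.unpack_from(">II", data, 0x10)  # offsets inferred from the post
    (marker,) = struct.unpack_from(">I", data, HEADER_LEN)
    problems = []
    if magic != HEADER_MAGIC:
        problems.append("bad magic %08X at bp=0x%08X (expected %08X)" % (magic, base, HEADER_MAGIC))
    if marker != DATA_MARKER:
        problems.append("bad data marker %08X at ptr=0x%08X" % (marker, base + HEADER_LEN))
    return {"bp": base, "alloc_pc": alloc_pc, "next": nxt, "problems": problems}
```

Running validblock on DUMP_BEFORE reports no problems, while DUMP_AFTER (magic zeroed by alter) reports the bad magic, which is the condition the memory corruption check process trips on.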

This crashinfo file is written to flash:

System flash directory:
File  Length   Name/status
  1   33148108  c2600-advipservicesk9-mz.124-15.T12.bin
  2   306441   crashinfo_20020301-043117
