Didier Stevens

Cisco Tricks

Here’s a trick to force a Cisco router to create a crashinfo file. Do this on a lab router, make sure you’ve saved your config, and connect through the serial console.

There is a hidden IOS command to simulate a crash (test crash), but we will cause a real crash by corrupting the heap.

Make sure you can break into ROMMON while IOS is running by setting the config register appropriately. Mine is 0x2002 on my test router.

Let’s view the blocks on the heap:

router#show memory processor 

          Processor memory

 Address      Bytes     Prev     Next Ref     PrevF    NextF Alloc PC  what
856C9360 0001044696 00000000 857C8468 000  0        884BA104 8267F20C  *Init*
857C8468 0000020004 856C9360 857CD2BC 001  -------- -------- 8002067C  Managed Chunk Queue Elements
...

Break into ROMMON.

router#        

*** System received an abort due to Break Key ***

signal= 0x3, code= 0x500, context= 0x88159248

PC = 0x80224cd4, Vector = 0x500, SP = 0x8804fd34

rommon 1 >

Issue the priv command. Most likely you’ll be asked for a password; you can calculate it from the cookie (use Google to find a howto).

rommon 4 > priv
Password:
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
rommon 5 >

Dump the header of the first heap block (take the address from the output of show memory processor):

rommon 5 > dump 856C9360 40
856c9360  ab12 34cd fffe 0000 0000 0000 8432 11a0 ..4..........2..
856c9370  8267 f20c 857c 8468 84fc e6d0 0007 f86c .g...|.h.......l
856c9380  0000 0000 8267 f240 0000 0001 8801 89b8 .....g.@........
856c9390  dead beef 8267 f240 0000 0000 0d0d 0d0d .....g.@........

Magic number AB1234CD marks the start of the block header. We will overwrite this value; the memory corruption check process will then detect the invalid header and crash the router.

rommon 6 > alter 856C9360
856c9360 = ab12 > 0
856c9362 = 34cd > q
rommon 7 > dump 856C9360 40
856c9360  0000 34cd fffe 0000 0000 0000 8432 11a0 ..4..........2..
856c9370  8267 f20c 857c 8468 84fc e6d0 0007 f86c .g...|.h.......l
856c9380  0000 0000 8267 f240 0000 0001 8801 89b8 .....g.@........
856c9390  dead beef 8267 f240 0000 0000 0d0d 0d0d .....g.@........

Then we return to IOS and wait for the memory corruption check process to do its work:

rommon 9 > cont

router#

I believe this process runs every minute, so have a bit of patience and soon you’ll see the crash happen:

validblock_diagnose, code = 2

current memory block, bp = 0x856C9360,
memorypool type is Processor
data check, ptr = 0x856C9390

next memory block, bp = 0x857C8468,
memorypool type is Processor
data check, ptr = 0x857C8498
bp_prev(0x00000000) not in any mempool
========= Dump bp = 0x856C9360 ======================

856C9260:        0        0        0        0        0        0        0        0
856C9280:        0        0        0        0        0        0        0        0
856C92A0:        0        0        0        0        0        0        0        0
...
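As an added illustration that is not part of the original post, the script below parses ROMMON dump output and re-runs the two checks the crash output above reports: the magic number at bp and the "data check" word at bp + 0x30 (0x856C9390 for this block). The field offsets for the alloc PC and next pointer are my own inference from matching the dump against the show memory processor row, not a documented IOS layout; the dump lines are copied from the post.

```python
import re
import struct

# Values observed in the post's dump and crash output
MAGIC = 0xAB1234CD        # block header marker at bp + 0
REDZONE = 0xDEADBEEF      # word at the "data check" pointer (bp + 0x30 in the crash output)
# Offsets inferred by matching the dump to 'show memory processor' (assumption, not documented layout)
OFF_ALLOC_PC, OFF_NEXT, OFF_REDZONE = 0x10, 0x14, 0x30

DUMP_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{4}\s+){8})")

def parse_rommon_dump(text):
    """Turn ROMMON 'dump <addr> <len>' output into an {address: byte} map; prompts and other lines are skipped."""
    mem = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        for i, b in enumerate(data):
            mem[base + i] = b
    return mem

def read32(mem, addr):
    """Big-endian 32-bit read, matching how the dump displays its words."""
    return struct.unpack(">I", bytes(mem[addr + i] for i in range(4)))[0]

def header_fields(mem, bp):
    return {"magic": read32(mem, bp), "alloc_pc": read32(mem, bp + OFF_ALLOC_PC),
            "next": read32(mem, bp + OFF_NEXT), "redzone": read32(mem, bp + OFF_REDZONE)}

def validblock(mem, bp):
    """Return findings for block bp; an empty list means both header checks passed."""
    f = header_fields(mem, bp)
    findings = []
    if f["magic"] != MAGIC:
        findings.append("bad magic at 0x%08X: 0x%08X (expected 0x%08X)" % (bp, f["magic"], MAGIC))
    if f["redzone"] != REDZONE:
        findings.append("data check failed at 0x%08X: 0x%08X" % (bp + OFF_REDZONE, f["redzone"]))
    return findings

# Dump lines copied from the post: before and after the magic number was altered in ROMMON
BEFORE = """
856c9360  ab12 34cd fffe 0000 0000 0000 8432 11a0 ..4..........2..
856c9370  8267 f20c 857c 8468 84fc e6d0 0007 f86c .g...|.h.......l
856c9380  0000 0000 8267 f240 0000 0001 8801 89b8 .....g.@........
856c9390  dead beef 8267 f240 0000 0000 0d0d 0d0d .....g.@........
"""
AFTER = BEFORE.replace("ab12 34cd", "0000 34cd")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, validblock(parse_rommon_dump(text), 0x856C9360) or "header OK")
```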

The crashinfo file is written to flash:

System flash directory:
File  Length   Name/status
  1   33148108  c2600-advipservicesk9-mz.124-15.T12.bin
  2   306441   crashinfo_20020301-043117
