nccgroup / asafw

Set of scripts to deal with Cisco ASA firmware [pack/unpack etc.]
BSD 3-Clause "New" or "Revised" License

change shellcode to enable debugshell without needing to disable ASLR #10

Closed cq674350529 closed 5 years ago

cq674350529 commented 5 years ago

Using a relative call instead of a hard-coded address, so one can enable debugshell without needing to disable ASLR. I have only tested this on devices of versions asav962 and asav9101, where it seems to work well.

As for the newest image asav9101.qcow2, there is trouble disabling ASLR at the moment.

Taking asa924 and asav962 as examples, the diffs before and after are as follows.

I don't know why the symbol becomes socks_proxy_init instead of socks_proxy_server_start, but it works well.

In addition, the jmp condition after code_sign_verify_signature_image in lina_monitor changes.

saidelike commented 5 years ago

Sorry for the delay. Thanks for this great patch with explanations, much appreciated.