Cisco L3 & L2 IOU on Fedora Linux [Hacked]

Posted by Ahsan Tasneem | 1:30 AM | , , | 0 comments »

Note: This is for educational purpose only.

These steps are based on tutorial "Defeating Cisco IOU’s License Protection" and are adapted for Fedora Linux. After the video from you-tube was deleted the creator of video made the "patch" which you can check here.

Please, consider using IOU – it is meant for internal use only thus it is probably illegal to use in case you are not Cisco employee or partner. For further information about licensing, please visit this site. http://evilrouters.net/2011/01/18/cisco-iou-faq/

1. Download bbe – hex editor

wget http://sourceforge.net/projects/bbe-/files/bbe/0.1.8/bbe-0.1.8-2.i386.rpm/download

2. Install rpm package

sudo rpm -ihv ./bbe-0.1.8-2.i386.rpm

3. Install openssl-devel packages and create symbolic link

The shared library libcrypto.so4 must presented either in /usr/lib/ or in /lib/. It is provided by openssl-devel package.

sudo yum install openssl-devel

Now check the list of shared libcrypto libraries presented in your system.

ls -l /usr/lib/libcrypto*

lrwxrwxrwx. 1 root root 25 Aug 30 21:45 /usr/lib/libcrypto.so.0.9.8 -> /lib/libcrypto.so.1.0.0d
lrwxrwxrwx. 1 root root 25 Aug 30 21:45 /usr/lib/libcrypto.so.10 -> /lib/libcrypto.so.1.0.0d


ls -l /lib/libcrypto*

lrwxrwxrwx. 1 root root 19 Jul 9 20:24 /lib/libcrypto.so.10 -> libcrypto.so.1.0.0d
-rwxr-xr-x. 1 root root 1589068 Feb 10 2011 /lib/libcrypto.so.1.0.0d


There is only one shared libcrypto library – /lib/libcrypto.so.1.0.0d presented. All other files are symbolic links pointing to the library.

Now create a symbolic link and check the list again:

sudo ln -s /lib/libcrypto.so.1.0.0d /usr/lib/libcrypto.so.4

ls -l /usr/lib/libcrypto*

lrwxrwxrwx. 1 root root 25 Aug 30 21:45 /usr/lib/libcrypto.so.0.9.8 -> /lib//libcrypto.so.1.0.0d
lrwxrwxrwx. 1 root root 25 Aug 30 21:45 /usr/lib/libcrypto.so.10 -> /lib//libcrypto.so.1.0.0d
lrwxrwxrwx. 1 root root 24 Jul 18 23:21 /usr/lib/libcrypto.so.4 -> /lib/libcrypto.so.1.0.0d


4. Create a license file

echo -e "[license]\n$(uname -n) = 0000000000000000" > iourc

5. Create NETMAP file

touch ./NETMAP

6. Hack L3 IOU image

for F in i86bi_linux-*;do bbe -b "/\xfc\xff\x83\xc4\x0c\x85\xc0\x75\x14\x8b/:10" -e "r 7 \x90\x90" -o $F.x $F;mv $F.x $F;done;chmod +x ./i86bi_linux-*

7. Hack L2 IOU image

for F in i86bi_linuxl2*;do bbe -b "/\xa1\xff\x83\xc4\x0c\x85\xc0\x75\x17\x8b/:10" -e "r 7 \x74" -o $F.x $F;mv $F.x $F;done;chmod +x ./i86bi_linuxl2*

Parameter r 7 replaces bytes starting at position 7 – string 75, with string 74 (counts from zero), in the block of ten bytes – a1 ff 83 c4 0c 85 c0 75 17 8b.

8. Redirect data to localhost

When IOU image is started, IOU image sends data to xml.cisco.com. You need to make "fake" DNS entry for xml.cisco.com to avoid this behaviour.

echo "127.0.0.1 xml.cisco.com" >> /etc/hosts

9. Run IOU image

./wrapper-linux -m ./i86bi_linux-adventerprisek9-ms -p 2222 200

2222 – TCP port on which is wrapper listening 200 – application ID

In this case, none of the group of the interfaces are specified. They are two group of Ethernet interfaces created in IOU image by default. Each group always consists from four interfaces . The same is true for Serial interfaces.

File nvram_00200 is created and consists of saved configuration.

Examples:

a)

./wrapper-linux -m ./i86bi_linux-adventerprisek9-ms -p 2222 — -e 1 -s 1 200

-e 1 Ethernet0/0, Ethernet0/1, Ethernet0/2, Ethernet0/3

-s 1 Serial1/0, Serial1/1, Serial1/2, Serial1/3

b)

./wrapper-linux -m ./i86bi_linux-adventerprisek9-ms -p 2222 — -e 0 -s 0 200

In this example no interface is created for IOU image.

10. Telnet to IOU image

telnet localhost 2222

Hit key enter.

11. Stopping wrapper

Ctrl-C or if wrapper is running on the background kill the process.

ps -aux | grep wrapper-linux | grep 200 | kill `echo $(cut -d " " -f2)`



Links:
http://brezular.wordpress.com

0 comments

Related Posts Plugin for WordPress, Blogger...