Cisco L3 & L2 IOU on Fedora Linux [Hacked]
Posted by Ahsan Tasneem | 1:30 AM | cisco, Fedora, Linux
Note: This is for educational purposes only.
These steps are based on the tutorial "Defeating Cisco IOU’s License Protection" and are adapted for Fedora Linux. After the video was deleted from YouTube, its creator made the "patch", which you can check here.
Please consider carefully before using IOU: it is meant for internal use only, so it is probably illegal to use if you are not a Cisco employee or partner. For further information about licensing, please visit this site: http://evilrouters.net/2011/01/18/cisco-iou-faq/
1. Download bbe – hex editor
wget -O bbe-0.1.8-2.i386.rpm http://sourceforge.net/projects/bbe-/files/bbe/0.1.8/bbe-0.1.8-2.i386.rpm/download
2. Install rpm package
sudo rpm -ihv ./bbe-0.1.8-2.i386.rpm
3. Install the openssl-devel package and create a symbolic link
The shared library libcrypto.so.4 must be present in either /usr/lib/ or /lib/. It is provided by the openssl-devel package.
sudo yum install openssl-devel
Now check the list of shared libcrypto libraries present on your system.
ls -l /usr/lib/libcrypto*
lrwxrwxrwx. 1 root root 25 Aug 30 21:45 /usr/lib/libcrypto.so.0.9.8 -> /lib/libcrypto.so.1.0.0d
lrwxrwxrwx. 1 root root 25 Aug 30 21:45 /usr/lib/libcrypto.so.10 -> /lib/libcrypto.so.1.0.0d
ls -l /lib/libcrypto*
lrwxrwxrwx. 1 root root 19 Jul 9 20:24 /lib/libcrypto.so.10 -> libcrypto.so.1.0.0d
-rwxr-xr-x. 1 root root 1589068 Feb 10 2011 /lib/libcrypto.so.1.0.0d
There is only one shared libcrypto library present – /lib/libcrypto.so.1.0.0d. All other files are symbolic links pointing to it.
Now create a symbolic link and check the list again:
sudo ln -s /lib/libcrypto.so.1.0.0d /usr/lib/libcrypto.so.4
ls -l /usr/lib/libcrypto*
lrwxrwxrwx. 1 root root 25 Aug 30 21:45 /usr/lib/libcrypto.so.0.9.8 -> /lib//libcrypto.so.1.0.0d
lrwxrwxrwx. 1 root root 25 Aug 30 21:45 /usr/lib/libcrypto.so.10 -> /lib//libcrypto.so.1.0.0d
lrwxrwxrwx. 1 root root 24 Jul 18 23:21 /usr/lib/libcrypto.so.4 -> /lib/libcrypto.so.1.0.0d
4. Create a license file
echo -e "[license]\n$(uname -n) = 0000000000000000" > iourc
5. Create NETMAP file
touch ./NETMAP
6. Hack L3 IOU image
for F in i86bi_linux-*;do bbe -b "/\xfc\xff\x83\xc4\x0c\x85\xc0\x75\x14\x8b/:10" -e "r 7 \x90\x90" -o $F.x $F;mv $F.x $F;done;chmod +x ./i86bi_linux-*
7. Hack L2 IOU image
for F in i86bi_linuxl2*;do bbe -b "/\xa1\xff\x83\xc4\x0c\x85\xc0\x75\x17\x8b/:10" -e "r 7 \x74" -o $F.x $F;mv $F.x $F;done;chmod +x ./i86bi_linuxl2*
The parameter r 7 replaces the byte at position 7 (counting from zero), 75, with 74 in the block of ten bytes – a1 ff 83 c4 0c 85 c0 75 17 8b.
8. Redirect data to localhost
When an IOU image is started, it sends data to xml.cisco.com. You need to make a "fake" DNS entry for xml.cisco.com to avoid this behaviour.
echo "127.0.0.1 xml.cisco.com" | sudo tee -a /etc/hosts
9. Run IOU image
./wrapper-linux -m ./i86bi_linux-adventerprisek9-ms -p 2222 200
2222 – TCP port on which the wrapper is listening
200 – application ID
In this case, no interface groups are specified. By default, two groups of Ethernet interfaces are created in the IOU image. Each group always consists of four interfaces. The same is true for Serial interfaces.
The file nvram_00200 is created and contains the saved configuration.
Examples:
a)
./wrapper-linux -m ./i86bi_linux-adventerprisek9-ms -p 2222 -- -e 1 -s 1 200
-e 1 Ethernet0/0, Ethernet0/1, Ethernet0/2, Ethernet0/3
-s 1 Serial1/0, Serial1/1, Serial1/2, Serial1/3
b)
./wrapper-linux -m ./i86bi_linux-adventerprisek9-ms -p 2222 -- -e 0 -s 0 200
In this example no interface is created for the IOU image.
10. Telnet to IOU image
telnet localhost 2222
Press Enter.
11. Stopping wrapper
Press Ctrl-C or, if the wrapper is running in the background, kill the process.
pkill -f 'wrapper-linux.* 200$'
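As an added example (not part of the original post), the Python script below checks whether a file carries the ten-byte blocks from steps 6 and 7 in their original form or in the form those steps leave behind, which is useful for verifying the integrity of an image in a lab. The function names and the sample buffers are constructed for illustration.

```python
"""Report whether a file still carries the original ten-byte blocks from
steps 6 and 7 or the modified forms those steps produce (integrity check)."""
import sys

# (label, original block, block after the replacement described on this page)
SIGNATURES = [
    ("L3", bytes.fromhex("fcff83c40c85c075148b"), bytes.fromhex("fcff83c40c85c090908b")),
    ("L2", bytes.fromhex("a1ff83c40c85c075178b"), bytes.fromhex("a1ff83c40c85c074178b")),
]

def find_all(data, needle):
    """Yield every offset at which needle occurs in data."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)

def scan(data):
    """Return sorted (offset, label, state) tuples; state is 'original' or 'modified'."""
    hits = []
    for label, original, modified in SIGNATURES:
        hits += [(off, label, "original") for off in find_all(data, original)]
        hits += [(off, label, "modified") for off in find_all(data, modified)]
    return sorted(hits)

def verdict(data):
    """Summarise a scan: 'modified' wins over 'original'; 'unknown' if no block found."""
    states = {state for _, _, state in scan(data)}
    if "modified" in states:
        return "modified"
    return "original" if states else "unknown"

# Constructed sample buffers (padding plus one block), not real image contents.
SAMPLE_ORIGINAL = b"\x00" * 16 + SIGNATURES[1][1] + b"\x00" * 8
SAMPLE_MODIFIED = b"\x00" * 16 + SIGNATURES[1][2] + b"\x00" * 8

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, verdict(fh.read()))
    else:
        print("sample original:", scan(SAMPLE_ORIGINAL))
        print("sample modified:", scan(SAMPLE_MODIFIED))
```

A byte-pattern match is only an indicator; comparing the file's hash against a known-good copy gives a definitive answer.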
Links:
http://brezular.wordpress.com