Hello, in this video I want to show you, with Cisco IOS, how you can break into ROMMON and execute some privileged commands to read and modify memory. So let's start here. I will show you memory, okay, so at this address here we have memory that we are going to inspect. So let's calculate the size, so that's E988, E7C4, so 988 minus 7C4, okay, so that's 1C4 in hex. So let's copy this address, okay.

Now I'm going to break into ROMMON. Now I can break into ROMMON here while IOS is running because I modified the config register that allows me to do that. Normally you can only break into ROMMON when the router is booting, when IOS is booting. And also you need to be connected via the console; it will not work via telnet or SSH. Okay, so now I'm in ROMMON. IOS is now stopped, it's no longer running, but I am executing the ROM.

Now to go into privileged mode, see here a list of commands. The privilege command PRIV is not mentioned, but it exists as a hidden command and you need to know a password for it. And the password can be calculated here with the cookie value. So you type cookie and you get these values, and you add the first five words. So this hex value here, that's one word, second, a third, fourth and a fifth. So we want to add those values. So that's 0, 1, 0, 1 plus 0, 0, 0e plus d7, 15, sorry d7, 15, plus cc, 0, 0 plus 43, 20. So that gives us e7, 4, 4. And the password is the last four hex digits, these are actually hex values, e7, 4, 4. So you can type the PRIV command now, a password is asked and you type e7, 4, 4. Since it is hex that you're typing, it is not case sensitive. And now we are in that full privileged mode, and if you look now at the commands, you can see that you have many more commands. One of the commands to dump memory is the dump command. The address we want to dump, that's the address here that we saved, no, not this one. So let's go back, okay, this address here, yep, like that.
And the size we calculated, 1c4, and we want to see the bytes. Okay, so now we dumped that segment of the heap. So that block in the heap here, and here you see ab1234cd. That is the typical magic sequence that indicates the beginning of a block of memory in the heap. And all the way at the end you have this value here, fd01, then df. This is the canary value. This is the end of the block in the heap, and when this value gets altered, so for example when it gets overwritten by a buffer overflow, the integrity checks of Cisco IOS will detect this, and this will cause the router to crash, so IOS to crash.

So we will change those values: alter, so this is the address, and bytes, so we will just overwrite them with zeros, and then quit. Okay, so now we have displayed the memory, and we have also changed the memory. Now we will return to Cisco IOS with a continue command, like this here, and we are back in Cisco IOS. And now in a couple of seconds the integrity checks will detect that the heap is no longer consistent, and a crash will occur. Okay, here it is. So this is the crash happening, and after the crash a file will be written to flash with the crash dump information. This is the crashinfo file, and then Cisco IOS will reload. Okay, and here we are again in the boot sub, so here you see that the system received a software forced crash, and that it is reloading. So this is how you break into ROMMON, go into privileged mode, and then for example display and alter memory.
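The heap-block layout the video walks through (magic word at the start, canary at the end, 0x1C4 bytes in total) as an added Python example that is not part of the video. It reproduces the two integrity checks the narrator describes over constructed sample blocks; the full 32-bit canary value FD0110DF is an assumption, since the video only reads out "fd01 ... df", and the big-endian byte order is likewise assumed.

```python
import struct

# Values seen in the video's dump: the block starts with the heap magic
# AB1234CD and ends with the red-zone canary. The canary is assumed to be
# the full 32-bit value FD0110DF (the video shows "fd01 ... df").
HEAP_MAGIC = 0xAB1234CD
REDZONE = 0xFD0110DF
BLOCK_SIZE = 0x1C4  # 0xE988 - 0xE7C4, the size computed in the video


def check_heap_block(block: bytes) -> list:
    """Return a list of integrity problems found in one heap block.

    Mirrors the two checks the video describes: the magic word at the
    start of the block and the red-zone canary at the end. An empty
    list means the block passed; IOS would force a crash otherwise.
    """
    problems = []
    if len(block) < 8:
        return ["block too short to hold magic and canary"]
    magic, = struct.unpack(">I", block[:4])    # big-endian assumed
    canary, = struct.unpack(">I", block[-4:])
    if magic != HEAP_MAGIC:
        problems.append(f"bad magic {magic:08x} (expected {HEAP_MAGIC:08x})")
    if canary != REDZONE:
        problems.append(f"bad red zone {canary:08x} (expected {REDZONE:08x})")
    return problems


def make_block(size: int = BLOCK_SIZE, payload_byte: int = 0x41) -> bytes:
    """Construct a sample block (magic, filler, red zone); not a real dump."""
    body = bytes([payload_byte]) * (size - 8)
    return struct.pack(">I", HEAP_MAGIC) + body + struct.pack(">I", REDZONE)


def alter_canary(block: bytes, fill: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Overwrite the trailing canary with zeros, as the video's alter step did."""
    return block[:-4] + fill


def scan_blocks(blocks) -> dict:
    """Check several blocks; the result maps block index -> problems found."""
    found = {}
    for i, block in enumerate(blocks):
        problems = check_heap_block(block)
        if problems:
            found[i] = problems
    return found
```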