It has been more than a year since Michael Lynn first demonstrated a reliable code execution exploit on Cisco IOS at Black Hat 2005. Although his presentation received a lot of media coverage in the security community, very little is known about the attack and the technical details surrounding the IOS check_heaps() vulnerability. This paper is a result of research carried out by IRM to analyze and understand the check_heaps() attack and its impact on similar embedded devices.
You can download it from the following link: https://packetstormsecurity.com/files/download/57315/Cisco_IOS_Exploitation_Techniques.pdf
Source: https://packetstormsecurity.com/files/57315/Cisco_IOS_Exploitation_Techniques.pdf.html