Sneaky Video by IppSec

Video’s a bit long have 30+ minutes of IPv6 content as its an often neglected topic which lead to an unintentional solution.

00:00 - Intro
00:44 - Recon + Web Enum
01:33 - SQL Injection
05:30 - Start of IPv6 Talk
06:30 - What is an IPv6 IP Address?
11:27 - Types of IPv6 Addresses
14:06 - IPv6 Subnetting Explained
21:20 - End of IPv6 Primer, Exploit time!
22:43 - Method 1: Getting MAC and calculating fe80
30:30 - Method 2: Enumerating Networks by pinging Multicast
33:56 - Extra: Getting Windows to respond from Multicast Ping
38:07 - Extra: NMAP Scanning ipv6 local networks
40:15 - Convert RPM to DEB (Needed for install nmap on tenten)
41:30 - Intended Solution: Getting IPv6 via SNMP
43:58 - No SNMP MIB Output
45:58 - Getting SNMP MIBS Installed and Configured
47:52 - Tool: Enyx - SNMPv6 Enumeration via Python
50:44 - Privesc Enumeration
52:49 - Buffer Overflow

Nice overview of ipv6, took me a while to figure out it was using privacy extensions, and my day-old snmp dump was worthless.

I would also add, this is a nice bof privesc to practice with, all defences are disabled. So even if you’re not used to gdb, you can still pull a ret2libc using strings, readelf, and strace.

Thank you for the video! I have one small question regarding subnetting in IPV6. You mentioned the upper bound for fe80:/10 is febf:ffffff at 15:25 of your video. 1100b is 0x12 in decimal as you said. However, it represents 0xc in hex. How did you manage to get 0xb (the b in febf)?

Thanks for the video. I created my own vuln-program instead of using “chal” as I think in future we may not easier to found the suitable program to exploit. I did a simple .c program and able to simulate the overflow effect on .20 machine.

However, when I run the program and try to found out the BUF_SIZE via pattern_offset.rb it returned the following message

[*] No exact matches, looking for likely candidates…

When I run my own program, the gdb returned the address is 0x800005a4

I believe it would not same as video address but why my program cannot return the offset number?

Following is the super simple program I google it. Any hint is highly appreciated. thanks!

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
char str[10];
strcpy(str, argv[1]);
printf(“Done\n”);

return 0;
}