Grey Repo

Files

cli/libfish.src cli/proxy.src cli/npcRshell.src cli/searchMails.src cli/hostImg.src cli/hack.src libs/scan.src src/machine.src src/docDB.src

cli/libfish.src

import_code("/home/me/h/src/utils.src") // exports map.inspect, p
import_code("/home/me/h/libs/list.src") // exports list utils and map utils
import_code("/home/me/h/libs/disk.src") // exports Disk, Block
import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
import_code("/home/me/h/libs/scan.src") // exports Scan
import_code("/home/me/h/libs/json.src") // exports Json
import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
~~import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json~~
import_code("/home/me/h/src/docDB.src") // exports DocDB
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
import_code("/home/me/h/libs/meta.src") // exports Meta
import_code("/home/me/h/src/shell.src") // extend map
~~TABLEATTACK_SCRIPT = get_shell.host_computer.File(home_dir + "/Config/tableAttack.src")~~
EMPTY_LOG_PATH = home_dir + "/Config/emptyLog"
~~PASSWORDS_DISK = new Disk~~
~~PASSWORDS_DISK.init(home_dir + "/Config", "passwords")~~
~~EXPLOITS_DISK = new Disk~~
~~EXPLOITS_DISK.init(home_dir + "/Config", "exploits")~~
~~ENTRIES_DISK = new Disk~~
ENTRIES_DISK.init(home_dir + "/Config", "entries")
get_shell.host_computer.create_folder(home_dir + "/Config", "libs")
LIB_STORE_PATH = home_dir + "/Config/libs"
Machine.metaxploit = include_lib("/lib/metaxploit.so")
Scan.metaxploit = include_lib("/lib/metaxploit.so")
Command = {}
Command.libfish_sig = {}
Command.libfish_sig["description"] = "hack random npcs to find libs"
lib_param_desc = []
lib_param_desc.push "libs to search for, if this param is present the command will only search for the specific libs passed "
lib_param_desc.push "but you can pass as many lib names as you want, the valid params are: "
lib_param_desc.push Service.lib_dict.indexes.join(", ")
lib_param_desc = lib_param_desc.join("")
Command.libfish_sig["args"] = [["lib", lib_param_desc]]
Command.libfish_sig["options"] = []
Command.libfish = function(args = [], options = {})
if args.len > 0 then
for arg in args
if Service.lib_dict.hasIndex(arg) == 0 then exit("invalid param, look at the docs")
end for
for i in Service.lib_dict.indexes
if args.indexOf(i) == null then Service.lib_dict.remove(i)
end for
end if
while true
machine = new Machine
~~machine.init(rnd_ip, PASSWORDS_DISK, EXPLOITS_DISK, ENTRIES_DISK)~~
machine.init(rnd_ip)
for s in machine.services
known_libs = get_shell.host_computer.File(LIB_STORE_PATH).get_files
for i in known_libs.indexes
known_libs[i] = known_libs[i].name
end for
s.set_exploits
if not Service.lib_dict.hasIndex(s.info.split(" ")[0]) then continue
key = s.info.replace(".", "").replace(" ", "")
if known_libs.indexOf(key) then continue
so_name = Service.lib_dict[s.info.split(" ")[0]]
~~sh = s.quick_root_shell(TABLEATTACK_SCRIPT)~~
sh = s.quick_root_shell
if typeof(sh) != "shell" then continue
sh.scp("/lib/" + so_name, LIB_STORE_PATH, get_shell)
sh.clear_logs(EMPTY_LOG_PATH)
get_shell.host_computer.File(LIB_STORE_PATH + "/" + so_name).rename(key)
end for
end while
end function
import_code("/home/me/h/libs/thor.src") //depends on Listlib, exports Thor
Thor.init(Command, "libfish")

cli/proxy.src

import_code("/home/me/h/src/utils.src") // exports map.inspect, p
import_code("/home/me/h/libs/list.src") // exports list utils and map utils
import_code("/home/me/h/libs/disk.src") // exports Disk, Block
import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
import_code("/home/me/h/libs/scan.src") // exports Scan
import_code("/home/me/h/libs/json.src") // exports Json
import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
import_code("/home/me/h/libs/optionSelector.src") // exports option_selector
~~import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json~~
import_code("/home/me/h/src/docDB.src") // exports DocDB
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
import_code("/home/me/h/libs/meta.src") // exports Meta
import_code("/home/me/h/src/shell.src") // extend map
~~TABLEATTACK_SCRIPT = get_shell.host_computer.File(home_dir + "/Config/tableAttack.src")~~
EMPTY_LOG_PATH = home_dir + "/Config/emptyLog"
~~PASSWORDS_DISK = new Disk~~
~~PASSWORDS_DISK.init(home_dir + "/Config", "passwords")~~
~~EXPLOITS_DISK = new Disk~~
~~EXPLOITS_DISK.init(home_dir + "/Config", "exploits")~~
~~ENTRIES_DISK = new Disk~~
~~ENTRIES_DISK.init(home_dir + "/Config", "entries")~~
Machine.metaxploit = include_lib("/lib/metaxploit.so")
Scan.metaxploit = include_lib("/lib/metaxploit.so")
get_shell.host_computer.touch(home_dir + "/Config", "proxy.txt")
PROXY_FILE = get_shell.host_computer.File(home_dir + "/Config/proxy.txt")
Command = {}
Command.proxy_sig = {}
Command.proxy_sig["description"] = "hack a random router to use to hide you ip"
Command.proxy_sig["args"] = []
Command.proxy_sig["options"] = [{["-w", "--wipe"]: "wipe the server logs instead of connecting"}]
Command.proxy = function(args = [], options = {})
re_hack = function(ip)
machine = new Machine
~~machine.init(ip, PASSWORDS_DISK, EXPLOITS_DISK, ENTRIES_DISK)~~
~~root_shell = machine.quick_attack(true, TABLEATTACK_SCRIPT)~~
machine.init(ip)
root_shell = machine.quick_attack(true)
if root_shell == null then exit("could not reconnect")
root_shell.clear_logs(EMPTY_LOG_PATH)
if options["-w"] then exit
root_shell.start_terminal
end function
proxies = PROXY_FILE.get_content.split(char(10)).compact
if proxies.len > 0 then
print "you arealdy have hacked proxies, do you want to reuse them?" + char(10)
for i in proxies.indexes
proxies[i] = [@re_hack, proxies[i], proxies[i]]
end for
proxies.push ["return", null, "hack a new one"]
option_selector proxies
end if
while true
machine = new Machine
~~machine.init(rnd_ip, PASSWORDS_DISK, EXPLOITS_DISK, ENTRIES_DISK)~~
machine.init(rnd_ip)
~~root_shell = machine.quick_attack(true, TABLEATTACK_SCRIPT)~~
root_shell = machine.quick_attack(true)
if root_shell == null then continue
PROXY_FILE.set_content(PROXY_FILE.get_content + char(10) + machine.ip)
machine.save_exploits
root_shell.clear_logs(EMPTY_LOG_PATH)
root_shell.start_terminal
end while
end function
import_code("/home/me/h/libs/thor.src") //depends on Listlib, exports Thor
Thor.init(Command, "proxy")

cli/npcRshell.src

import_code("/home/me/h/src/utils.src") // exports map.inspect, p
import_code("/home/me/h/libs/list.src") // exports list utils and map utils
import_code("/home/me/h/libs/disk.src") // exports Disk, Block
import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
import_code("/home/me/h/libs/scan.src") // exports Scan
import_code("/home/me/h/libs/json.src") // exports Json
import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
import_code("/home/me/h/libs/optionSelector.src") // exports option_selector
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, rnd_ip
import_code("/home/me/h/src/docDB.src") // exports DocDB
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
import_code("/home/me/h/src/shell.src") // extend map
~~TABLEATTACK_SCRIPT = get_shell.host_computer.File(home_dir + "/Config/tableAttack.src")~~
EMPTY_LOG_PATH = home_dir + "/Config/emptyLog"
RSERVER_INSTALLER_SCRIPT = get_shell.host_computer.File(home_dir + "/Config/rserverInstaller.src")
~~PASSWORDS_DISK = new Disk~~
~~PASSWORDS_DISK.init(home_dir + "/Config", "passwords")~~
~~EXPLOITS_DISK = new Disk~~
~~EXPLOITS_DISK.init(home_dir + "/Config", "exploits")~~
~~ENTRIES_DISK = new Disk~~
~~ENTRIES_DISK.init(home_dir + "/Config", "entries")~~
Machine.metaxploit = include_lib("/lib/metaxploit.so")
Scan.metaxploit = include_lib("/lib/metaxploit.so")
get_shell.host_computer.touch(home_dir + "/Config", "rservers.txt")
RSERVERS_FILE = get_shell.host_computer.File(home_dir + "/Config/rservers.txt")
Command = {}
Command.npcRsrv_sig = {}
Command.npcRsrv_sig["description"] = "hack a random pc and setup rshell server in it"
Command.npcRsrv_sig["args"] = []
Command.npcRsrv_sig["options"] = [{["-w", "--wipe"]: "wipe the server logs instead of connecting"}]
Command.npcRsrv = function(args = [], options = {})
re_hack = function(s)
ip = s.split(":")[0]
port = s.split(":")[1].to_int
machine = new Machine
~~machine.init(ip, PASSWORDS_DISK, EXPLOITS_DISK, ENTRIES_DISK)~~
machine.init(ip)
server_service = null
for s in machine.services
if s.port == port then server_service = s
end for
server_service.set_exploits
~~server_shell = server_service.quick_root_shell(TABLEATTACK_SCRIPT)~~
server_shell = server_service.quick_root_shell
router_shell = machine.router_service
router_shell.set_exploits
~~router_shell = router_shell.quick_root_shell(TABLEATTACK_SCRIPT)~~
router_shell = router_shell.quick_root_shell
router_shell.clear_logs(EMPTY_LOG_PATH)
server_shell.clear_logs(EMPTY_LOG_PATH)
if options["-w"] then exit
server_shell.start_terminal
end function
rservers = RSERVERS_FILE.get_content.split(char(10)).compact
if rservers.len > 0 then
print "you arealdy have hacked rservers, do you want to reuse them?" + char(10)
for i in rservers.indexes
rservers[i] = [@re_hack, rservers[i], rservers[i]]
end for
rservers.push ["return", null, "hack a new one"]
option_selector rservers
end if
while true
machine = new Machine
~~machine.init(rnd_ip, PASSWORDS_DISK, EXPLOITS_DISK, ENTRIES_DISK)~~
machine.init(rnd_ip)
if machine.open_services.len == 0 then continue
router_shell = machine.router_service
router_shell.set_exploits
~~router_shell = router_shell.quick_root_shell(TABLEATTACK_SCRIPT)~~
router_shell = router_shell.quick_root_shell
if router_shell == null then continue
router_shell.clear_logs(EMPTY_LOG_PATH)
server_shell = null
server_port = null
for s in machine.open_services
s.set_exploits
~~shell = s.quick_root_shell(TABLEATTACK_SCRIPT)~~
shell = s.quick_root_shell
if shell != null then
server_shell = shell
server_port = s.port
break
end if
end for
if server_shell == null then continue
server_shell.clear_logs(EMPTY_LOG_PATH)
machine.save_exploits
server_shell.install_rserver(RSERVER_INSTALLER_SCRIPT)
RSERVERS_FILE.set_content(RSERVERS_FILE.get_content + char(10) + machine.ip + ":" + server_port)
server_shell.start_terminal
end while
end function
import_code("/home/me/h/libs/thor.src") //depends on Listlib, exports Thor
Thor.init(Command, "npcRsrv")

cli/searchMails.src

import_code("/home/me/h/src/utils.src") // exports map.inspect, p
import_code("/home/me/h/libs/list.src") // exports list utils and map utils
import_code("/home/me/h/libs/disk.src") // exports Disk, Block
import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
import_code("/home/me/h/libs/scan.src") // exports Scan
import_code("/home/me/h/libs/json.src") // exports Json
import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
import_code("/home/me/h/libs/optionSelector.src") // exports option_selector
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, rnd_ip
import_code("/home/me/h/src/docDB.src") // exports DocDB
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
import_code("/home/me/h/src/shell.src") // extend map
~~TABLEATTACK_SCRIPT = get_shell.host_computer.File(home_dir + "/Config/tableAttack.src")~~
EMPTY_LOG_PATH = home_dir + "/Config/emptyLog"
~~PASSWORDS_DISK = new Disk~~
~~PASSWORDS_DISK.init(home_dir + "/Config", "passwords")~~
~~EXPLOITS_DISK = new Disk~~
~~EXPLOITS_DISK.init(home_dir + "/Config", "exploits")~~
~~ENTRIES_DISK = new Disk~~
~~ENTRIES_DISK.init(home_dir + "/Config", "entries")~~
Machine.metaxploit = include_lib("/lib/metaxploit.so")
Scan.metaxploit = include_lib("/lib/metaxploit.so")
Command = {}
Command.searchMails_sig = {}
Command.searchMails_sig["description"] = "target router bounce exploits to get mails"
Command.searchMails_sig["args"] = ["ip*"]
Command.searchMails_sig["options"] = []
next_ip = function(ip)
numbers = ip.split(".")
numbers[-1] = numbers[-1].to_int + 1
return numbers.join(".")
end function
Command.searchMails = function(args = [], options = {})
machine = new Machine
~~machine.init(args[0], PASSWORDS_DISK, EXPLOITS_DISK, ENTRIES_DISK)~~
machine.init(args[0])
machine.scan_strategy = "scan_everytime"
router_ips = machine.nmap.router.devices_lan_ip
//p machine.router_service
p machine.router_service.info
// find computer bounce exploits
exploits = []
machine.router_service.set_exploits
for x in machine.router_service.exploits
for i in router_ips
x.set_result next_ip(i)
if typeof(x.result) == "computer" then
exploits.push x
break
end if
end for
end for
p exploits.inspect(["value", "address"])
// war dial ips
computers = []
for x in exploits
for ip in router_ips
for i in range(10)
ip = next_ip(ip)
x.set_result(ip)
if typeof(x.result) == "computer" then computers.push x.result
end for
end for
end for
creds = []
mails = []
banks = []
for c in computers
passwdfile = c.File("/etc/passwd")
if passwdfile.has_permission("r") then
passwdfile = passwdfile.get_content.replace(char(10), " from " + c.local_ip + char(10))
creds = passwdfile.split(char(10))
end if
for user_home in c.File("/home").get_folders
mail_file = c.File("/home/" + user_home.name + "/Config/Mail.txt")
bank_file = c.File("/home/" + user_home.name + "/Config/Bank.txt")
if mail_file then mails.push mail_file.get_content + " from " + c.local_ip
if bank_file then banks.push bank_file.get_content + " from " + c.local_ip
end for
end for
mails = mails.uniq
banks = banks.uniq
print "CREDENTIALS"
print creds.join(char(10))
print "BANKS"
print banks.join(char(10))
print "MAILS"
print mails.join(char(10))
end function
import_code("/home/me/h/libs/thor.src") //depends on Listlib, exports Thor
Thor.init(Command, "searchMails")

cli/hostImg.src

import_code("/home/me/h/src/utils.src") // exports map.inspect, p
import_code("/home/me/h/libs/list.src") // exports list utils and map utils
import_code("/home/me/h/libs/disk.src") // exports Disk, Block
import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
import_code("/home/me/h/libs/scan.src") // exports Scan
import_code("/home/me/h/libs/json.src") // exports Json
import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
import_code("/home/me/h/libs/optionSelector.src") // exports option_selector
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, rnd_ip
import_code("/home/me/h/src/docDB.src") // exports DocDB
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
import_code("/home/me/h/src/shell.src") // extend map
~~TABLEATTACK_SCRIPT = get_shell.host_computer.File(home_dir + "/Config/tableAttack.src")~~
EMPTY_LOG_PATH = home_dir + "/Config/emptyLog"
~~PASSWORDS_DISK = new Disk~~
~~PASSWORDS_DISK.init(home_dir + "/Config", "passwords")~~
~~EXPLOITS_DISK = new Disk~~
~~EXPLOITS_DISK.init(home_dir + "/Config", "exploits")~~
~~ENTRIES_DISK = new Disk~~
~~ENTRIES_DISK.init(home_dir + "/Config", "entries")~~
Machine.metaxploit = include_lib("/lib/metaxploit.so")
Scan.metaxploit = include_lib("/lib/metaxploit.so")
get_shell.host_computer.touch(home_dir + "/Config", "sites.txt")
SITES_FILE = get_shell.host_computer.File(home_dir + "/Config/sites.txt")
Command = {}
Command.hostImg_sig = {}
Command.hostImg_sig["description"] = "hack a random site"
Command.hostImg_sig["args"] = []
Command.hostImg_sig["options"] = [{["-w", "--wipe"]: "wipe the server logs instead of connecting"}]
Command.hostImg = function(args = [], options = {})
re_hack = function(ip)
machine = new Machine
~~machine.init(ip, PASSWORDS_DISK, EXPLOITS_DISK, ENTRIES_DISK)~~
machine.init(ip)
site_service = null
for s in machine.services
if s.port == 80 then
site_service = s
end if
end for
site_service.set_exploits
~~site_shell = site_service.quick_root_shell(TABLEATTACK_SCRIPT)~~
site_shell = site_service.quick_root_shell
site_shell.clear_logs(EMPTY_LOG_PATH)
router_shell = machine.router_service
router_shell.set_exploits
~~router_shell = router_shell.quick_root_shell(TABLEATTACK_SCRIPT)~~
router_shell = router_shell.quick_root_shell
router_shell.clear_logs(EMPTY_LOG_PATH)
if options["-w"] then exit
site_shell.start_terminal
end function
sites = SITES_FILE.get_content.split(char(10)).compact
if sites.len > 0 then
print "you arealdy have hacked proxies, do you want to reuse them?" + char(10)
for i in sites.indexes
sites[i] = [@re_hack, sites[i], sites[i]]
end for
sites.push ["return", null, "hack a new one"]
option_selector sites
end if
while true
machine = new Machine
~~machine.init(rnd_ip, PASSWORDS_DISK, EXPLOITS_DISK, ENTRIES_DISK)~~
machine.init(rnd_ip)
site_service = null
for s in machine.services
if s.port == 80 then
site_service = s
end if
end for
if not site_service then continue
site_service.set_exploits
~~site_shell = site_service.quick_root_shell(TABLEATTACK_SCRIPT)~~
site_shell = site_service.quick_root_shell
if site_shell == null then continue
site_shell.clear_logs(EMPTY_LOG_PATH)
router_shell = machine.router_service
router_shell.set_exploits
~~router_shell = router_shell.quick_root_shell(TABLEATTACK_SCRIPT)~~
router_shell = router_shell.quick_root_shell
if router_shell == null then continue
router_shell.clear_logs(EMPTY_LOG_PATH)
SITES_FILE.set_content(SITES_FILE.get_content + char(10) + machine.ip)
machine.save_exploits
site_shell.start_terminal
end while
end function
import_code("/home/me/h/libs/thor.src") //depends on Listlib, exports Thor
Thor.init(Command, "hostImg")

cli/hack.src

import_code("/home/me/h/src/utils.src") // exports map.inspect, p
import_code("/home/me/h/libs/list.src") // exports list utils and map utils
import_code("/home/me/h/libs/disk.src") // exports Disk, Block
import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
import_code("/home/me/h/libs/scan.src") // exports Scan
import_code("/home/me/h/libs/json.src") // exports Json
import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
import_code("/home/me/h/libs/optionSelector.src") // exports option_selector
~~import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json~~
import_code("/home/me/h/src/docDB.src") // exports DocDB
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
import_code("/home/me/h/libs/meta.src") // exports Meta
import_code("/home/me/h/src/shell.src") // extend map
~~TABLEATTACK_SCRIPT = get_shell.host_computer.File(home_dir + "/Config/tableAttack.src")~~
EMPTY_LOG_PATH = home_dir + "/Config/emptyLog"
~~PASSWORDS_DISK = new Disk~~
~~PASSWORDS_DISK.init(home_dir + "/Config", "passwords")~~
~~EXPLOITS_DISK = new Disk~~
~~EXPLOITS_DISK.init(home_dir + "/Config", "exploits")~~
~~ENTRIES_DISK = new Disk~~
~~ENTRIES_DISK.init(home_dir + "/Config", "entries")~~
Machine.metaxploit = include_lib("/lib/metaxploit.so")
Scan.metaxploit = include_lib("/lib/metaxploit.so")
Command = {}
Command.hack_sig = {}
Command.hack_sig["description"] = "hack shit"
Command.hack_sig["args"] = ["ip*"]
Command.hack_sig["options"] = []
Command.hack = function(args = [], options = {})
machine = new Machine
~~machine.init(args[0], PASSWORDS_DISK, EXPLOITS_DISK, ENTRIES_DISK)~~
machine.init(args[0])
services = machine.services
f = function(o)
return [o, o.lan_ip + " " + o.info + " " + o.port]
end function
services = services.map(@f)
print "target which lib?"
service = user_select(services)
service.set_exploits
shell = null
print "do you want to auto root ? (only works on npcs)"
if user_select([[true, "yes"], [false, "no"]]) then
~~shell = service.quick_root_shell(TABLEATTACK_SCRIPT)~~
shell = service.quick_root_shell
else
for x in service.exploits
x.set_result
if typeof(x.result) == shell then shell = x.result
end for
end if
if shell == null then
exit("no shells")
end if
print "do you want to clear the logs?"
if user_select([[true, "yes"], [false, "no"]]) then
shell.clear_logs(EMPTY_LOG_PATH)
end if
shell.start_terminal
end function
import_code("/home/me/h/libs/thor.src") //depends on Listlib, exports Thor
Thor.init(Command, "hack")

libs/scan.src

lmap = function(list, func)
result = list[0:] //list copy.
for i in indexes(list)
result[i] = func(result[i])
end for
return result
end function
_or = function(value1, value2)
if value1 == null or value1 == false then
return value2
end if
return value1
end function
// converts scan_address output to a list easier to process
// usage example:
// mem_scan = metaxploit.scan_address(metaLib, entry)
// mem_scan = mem_scan_exploits(mem_scan)
mem_scan_exploits = function(mem_scan)
ex_list = []
while true
ex_mark = mem_scan.indexOf("<b>")
if ex_mark == null then break
// get exploit value
ex_mark_end = mem_scan.indexOf("</b>")
value = slice(mem_scan, ex_mark+3, ex_mark_end)
// get requirements
mem_scan = mem_scan[ex_mark_end+5:]
mem_scan = mem_scan[mem_scan.indexOf(".")+1:]
mem_scan_lines = mem_scan.split(char(10))[1:]
if mem_scan_lines[0].indexOf("*") != null then
req = mem_scan_lines[:mem_scan_lines.indexOf("")]
else
req = []
end if
if req.len >= 1 then
mem_scan = mem_scan[mem_scan.indexOf(req[-1])+req[-1].len+1:]
end if
exploit = [value, req]
//["exploit_name": ["requirement", "requirement"]]
ex_list.push(exploit)
end while
return ex_list
//[
// {"exploit_name": ["requirement", "requirement"]},
// {"exploit_name": ["requirement", "requirement"]}
//]
end function
ScanExploitResult = {}
// ScanExploitResult.obj : result obj
// ScanExploitResult.info : string containing result info
ScanExploitResult.attrs = ["obj", "info"]
ScanExploitResult.init = function(obj, extra_param = null)
self.obj = obj
self.extra_param = extra_param
end function
ScanExploitResult.check_user = function(computer)
if computer.touch("/home/guest", "anonymous.dat") then
file = computer.File("/home/guest/anonymous.dat")
return file.owner
end if
return "unknown"
end function
ScanExploitResult.check_permissions = function(computer)
out = ""
c_home = computer.File("/home")
if c_home != null and c_home.has_permission("r") then
out = out + " /home"
end if
c_passwd = computer.File("/etc/passwd")
if c_passwd != null and c_passwd.has_permission("r") then
out = out + " /etc/passwd"
end if
c_libs = computer.File("/lib")
if c_libs != null and c_libs.has_permission("r") then
out = out + " /lib"
end if
if out != "" then
out = "permission on" + out
end if
return out
end function
ScanExploitResult.set_info = function(extra_param = null)
out = ""
type = typeof(self.obj)
if type == "file" then
if self.obj.is_folder then
out = "folder"
end if
permission = " without permission"
if self.obj.has_permission("r") then permission = " with permission"
out = out + permission
out = out + " " + self.obj.path
end if
if type == "shell" or type == "computer" then
comp = self.obj
if type == "shell" then comp = self.obj.host_computer
user = self.check_user(comp)
out = out + user + " user"
out = out + " " + self.check_permissions(comp)
end if
if type == "number" then
out = out + self.obj
if extra_param == null then extra_param = "null"
out = out + " extra_param: " + extra_param
end if
self.info = out
end function
ScanExploit = {}
// ScanExploit.address : "0x62AC77E1"
// ScanExploit.value : "applyund"
// ScanExploit.requirements : ["* req1", "* req2"]
// ScanExploit.result :shell, computer, number, null, file object
// ScanExploit.result_class : result obj wrapped in a class with some useful methods
ScanExploit.attrs = ["requirements_len", "result"]
ScanExploit.init = function(scan, options)
self.scan = scan
self.address = options.address
self.value = options.value
self.requirements = options.requirements
self.requirements_len = self.requirements.len
end function
ScanExploit.set_result = function(extra_param = null)
result = self.scan.meta_lib.overflow(self.address, self.value)
if result == null then
if extra_param != null and extra_param != "" then
result = self.scan.meta_lib.overflow(self.address, self.value, extra_param)
end if
end if
self.result = result
self.result_class = new ScanExploitResult
self.result_class.init(result)
self.result_class.set_info(extra_param)
self.set_result_callback
end function
ScanExploit.set_result_callback = function()
end function
Scan = {}
Scan.attrs = ["ip", "port", "lib_version", "lib_name"]
Scan.lib_path = null
Scan.lib_file = null
Scan.show_null = false
Scan.shell = get_shell
Scan.computer = Scan.shell.host_computer
// Scan.lib_file = null : local libe, set when scanning a local lib
// Scan.net_session : remote lib, set when scaning a remote ip
// Scan.metaxploit : required metaxploit lib obj
// Scan.meta_lib : set after running execute method
// Scan.lib_name : set after running execute method
// Scan.lib_version : set after running execute method
// Scan.exploits : list of all exploits found, set after execute method
Scan.init = function(ip, port)
self.ip = ip
self.port = port
if self.ip != null then
self.net_session = _or(self.metaxploit.net_use(self.ip, self.port), self.metaxploit.net_use(self.ip))
else
self.lib_file = self.computer.File(self.lib_path)
end if
self.set_lib
end function
Scan.set_lib = function()
if self.lib_file != null then
self.meta_lib = metaxploit.load(self.lib_file.path)
else
self.meta_lib = self.net_session.dump_lib
end if
self.lib_name = self.meta_lib.lib_name
self.lib_version = self.meta_lib.version
end function
Scan.execute = function()
self.addresses = self.metaxploit.scan(self.meta_lib)
// ["0x62AC77E1", "0x50D166E8", "0x611B6063", "0x1A9FD00C"]
self.get_exploits
end function
Scan.get_exploits = function()
scope = self
get_values = function(address)
exploits_text = scope.metaxploit.scan_address(scope.meta_lib, address)
exploits_values = mem_scan_exploits(exploits_text)
return [address, exploits_values]
end function
self.exploits = lmap(self.addresses, @get_values)
// [0x611B6063, [[applyund, [* req1, * req2]], ...], ...], ...}]
result = []
for exploit_values in self.exploits
for value in exploit_values[1]
exploit = new ScanExploit
exploit.init(self, {"address": exploit_values[0], "value": value[0], "requirements": value[1]})
result.push(exploit)
end for
end for
return result
//self.exploits = []
end function

src/machine.src

MachineServices = {}
//class eval shit
exploits_inspect = function(obj, scope)
exploits_len = 0
if scope.hasIndex("exploits") then exploits_len = scope.exploits.len
return scope.exploits.len
end function
Service.attrs.push("exploits")
Service.load_exploits_from_cache = function()
exploits = self.machine.exploits_cache
if exploits.hasIndex(self.info_to_key) == 0 then return 0
self.scan = new Scan
self.scan.init(self.nmap.ip, self.port)
self.scan.machine = self.machine
self.exploits = []
for x in exploits[self.info_to_key]
exploit = new ScanExploit
exploit.init(self.scan, x)
self.exploits.push(exploit)
end for
return 1
end function
Service.load_exploits_from_scan = function()
exploits = self.machine.exploits_cache
self.scan = new Scan
self.scan.init(self.nmap.ip, self.port)
self.scan.machine = self.machine
self.scan.execute
self.exploits = self.scan.get_exploits
end function
Service.set_exploits = function()
// skip_if_no_cache scan_only_if_no_cache scan_everytime
if self.machine.scan_strategy == "scan_everytime" then
self.load_exploits_from_scan
else if self.machine.scan_strategy == "skip_if_no_cache" then
self.load_exploits_from_cache
else if self.machine.scan_strategy == "scan_only_if_no_cache" then
if self.load_exploits_from_cache == 0 then self.load_exploits_from_scan
end if
end function
// require passwords list set in custom_object
~~Service.quick_root_shell = function(attack_script)~~
Service.quick_root_shell = function
attack_script = self.machine.TABLEATTACK_SCRIPT
for x in self.exploits
x.set_result
if typeof(x.result) != "shell" then continue
remote_shell = x.result
remote_comp = remote_shell.host_computer
~~// save entry~~
~~entries = self.machine.json.to_object(self.machine.entries_disk.read_chars)~~
~~key = entries.indexes.len~~
~~entry = {}~~
~~entry.local_ip = remote_comp.local_ip~~
~~entry.public_ip = remote_comp.public_ip~~
~~entry.exploit = {"address": x.address, "value": x.value, "port": str(self.port)}~~
~~entries[key] = entry~~
~~self.machine.entries_disk.nuke~~
~~self.machine.entries_disk.write(self.machine.json.to_string(entries))~~
if remote_comp.File("/home/guest/tableAttack.src") != null then
remote_comp.File("/home/guest/tableAttack.src").delete
end if
remote_comp.touch("/home/guest", "tableAttack.src")
remote_comp.File("/home/guest/tableAttack.src").set_content(attack_script.get_content)
print "building script"
remote_shell.build("/home/guest/tableAttack.src", "/home/guest")
remote_shell.launch("/home/guest/tableAttack")
// update entry
~~entries = self.machine.json.to_object(self.machine.entries_disk.read_chars)~~
password = get_custom_object.password
~~if password == null then password = ""~~
~~entries[key].credentials = {"user": "root", "password": password}~~
~~self.machine.entries_disk.nuke~~
~~self.machine.entries_disk.write(self.machine.json.to_string(entries))~~
// save credentials in a db
//pas = get_custom_object.password
//if pas == null then pas = ""
//self.machine.entries_db.obj[key].credentials = {"user": "root", "password": pas}
//self.machine.entries_db.save
root_shell = get_custom_object.shell
return root_shell
end for
return null
end function
ScanExploit.set_result_callback = function()
// save entry
if typeof(self.result) != "shell" then return
self.scan.machine.entries_db.reload
key = self.scan.machine.entries_db.obj.indexes.len
entry = {}
entry.local_ip = self.result.host_computer.local_ip
entry.public_ip = self.result.host_computer.public_ip
entry.exploit = {"address": self.address, "value": self.value, "port": str(self.scan.port)}
self.scan.machine.entries_db.obj[key] = entry
self.scan.machine.entries_db.save
end function
Machine = {}
Machine.exploits_cache = function
~~return self.json.to_object(self.exploits_disk.read_chars)~~
return self.exploits_db.get
end function
//Machine.passwords_list : required passwords list
//Machine.table_attack_script : required table attack script
Machine.services_inspect = function(obj, scope)
f = function(o)
exploits_len = 0
if o.hasIndex("exploits") then exploits_len = o.exploits.len
return o.inspect(["info", [exploits_len, "exploits_len"], "port"])
end function
return scope.services.map(@f)
end function
Machine.attrs = ["ip", [@Machine.services_inspect, "services"]]
Machine.metaxploit = null //required
Machine.config_path = home_dir + "/Config"
Machine.shell = get_shell
Machine.computer = Machine.shell.host_computer
Machine.init = function(ip)
self.TABLEATTACK_SCRIPT = self.computer.File(home_dir + "/Config/tableAttack.src")
self.PASSWORDS_DISK = new Disk
self.PASSWORDS_DISK.init(self.config_path, "passwords")
self.EXPLOITS_DISK = new Disk
self.EXPLOITS_DISK.init(self.config_path, "exploits")
self.ENTRIES_DISK = new Disk
self.ENTRIES_DISK.init(self.config_path, "entries")
~~Machine.init = function(ip, passwords_disk, exploits_disk, entries_disk)~~
// skip_if_no_cache scan_only_if_no_cache scan_everytime
self.scan_strategy = "scan_only_if_no_cache"
self.ip = ip
self.set_services
~~self.passwords_disk = passwords_disk~~
self.passwords = self.passwords_disk.read_chars.split(char(10))
self.passwords = self.PASSWORDS_DISK.read_chars.split(char(10))
~~self.exploits_disk = exploits_disk~~
~~if self.exploits_disk.read_chars.len == 0 then~~
~~self.exploits_disk.write("{}")~~
~~end if~~
self.exploits_db = new DocDB
self.exploits_db.init(self.EXPLOITS_DISK)
~~self.entries_disk = entries_disk~~
~~if self.entries_disk.read_chars.len == 0 then~~
~~self.entries_disk.write("{}")~~
~~end if~~
self.entries_db = new DocDB
self.entries_db.init(self.ENTRIES_DISK)
~~self.json = new JSON~~
if not get_custom_object.hasIndex("passwords") then
get_custom_object.passwords = self.passwords
end if
end function
Machine.save_exploits = function()
self.exploits_db.reload
for s in self.services
key = s.info_to_key
exploits = []
if s.hasIndex("exploits") == 0 then continue
for x in s.exploits
x_obj = {}
x_obj["address"] = x.address
x_obj["value"] = x.value
x_obj["requirements"] = x.requirements
x_obj["requirements_len"] = x.requirements_len
if x.hasIndex("result") == 1 then x_obj["result"] = typeof(x.result)
exploits.push x_obj
end for
exploits_db = self.json.to_object(self.exploits_disk.read_chars)
exploits_db[key] = exploits
~~self.exploits_disk.nuke~~
~~self.exploits_disk.write(self.json.to_string(exploits_db))~~
self.exploits_db.obj[key] = exploits
self.exploits_db.save
end for
end function
~~Machine.quick_attack = function(only_routers = true, table_attack_script)~~
Machine.quick_attack = function(only_routers = true)
target_services = self.services
if only_routers == true then
target_services = [self.router_service]
end if
for service in target_services
service.set_exploits
~~root_shell = service.quick_root_shell(table_attack_script)~~
root_shell = service.quick_root_shell
if typeof(root_shell) == "shell" then return root_shell
end for
return null
end function
Machine.set_services = function()
self.nmap = new Nmap
self.nmap.init(self.ip)
self.nmap.machine = self
self.services = self.nmap.services
for s in self.services
s.machine = self
end for
end function
Machine.router_service = function()
for s in self.services
if s.port == null then return s
end for
return null
end function
Machine.open_services = function()
f = function(o)
return o.status == "open"
end function
return self.services.select(@f)
~~end function~~
~~// this will get more complicated later on, i want to choose a port that i have the most change of getting in~~
~~// so i can check a database of exploits see or see the local ip with most ports open etc~~
~~Machine.most_vulnerable_service = function()~~
~~if self.services.len == 1 then return self.services[0]~~
~~if self.services.len == 0 then return null~~
~~with_smallest_version = self.services[0]~~
~~for service in self.services[1:]~~
~~if service.version_to_int < with_smallest_version.version_to_int then~~
~~with_smallest_version = service~~
~~end if~~
~~end for~~
~~return with_smallest_version~~
end function

src/docDB.src

~~DocDB = {}~~
~~DocDB.json = new JSON~~
~~DocDB.init = function(disk)~~
~~self.disk = disk~~
~~if self.disk.read_chars.len == 0 then self.disk.write("{}")~~
~~self.obj = self.get~~
~~end function~~
~~DocDB.get = function~~
~~return self.json.to_object(self.disk.read_chars)~~
~~end function~~
~~DocDB.set = function(obj)~~
~~self.disk.nuke~~
~~self.disk.write(self.json.to_string(obj))~~
~~end function~~
~~DocDB.save = function~~
~~self.disk.nuke~~
~~self.disk.write(self.json.to_string(self.obj))~~
~~end function~~
~~DocDB.reload = function~~
~~self.obj = self.get~~
~~end function~~
~~DocDB.is_persisted = function~~
~~return md5(self.get) == self.obj~~
~~end function~~