Open main menu
Posts
Gists
Guilds
Users
Decipher
Docs
Open user menu
Log in
Sign up
Create a new gist
Posts
Gists
Guilds
Users
Decipher
Docs
Files
cli/libfish.src
libs/nmap.src
src/machine.src
cli/libfish.src
import_code("/home/me/h/src/utils.src") // exports map.inspect, p
import_code("/home/me/h/libs/list.src") // exports list utils and map utils
import_code("/home/me/h/libs/disk.src") // exports Disk, Block
import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
import_code("/home/me/h/libs/scan.src") // exports Scan
import_code("/home/me/h/libs/json.src") // exports Json
import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
import_code("/home/me/h/src/docDB.src") // exports DocDB
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
import_code("/home/me/h/libs/meta.src") // exports Meta
import_code("/home/me/h/src/shell.src") // extend map
get_shell.host_computer.create_folder(home_dir + "/Config", "libs")
LIB_STORE_PATH = home_dir + "/Config/libs"
Machine.metaxploit = include_lib("/lib/metaxploit.so")
Scan.metaxploit = include_lib("/lib/metaxploit.so")
Command = {}
Command.libfish_sig = {}
Command.libfish_sig["description"] = "hack random npcs to find libs"
lib_param_desc = []
lib_param_desc.push "libs to search for, if this param is present the command will only search for the specific libs passed "
lib_param_desc.push "but you can pass as many lib names as you want, the valid params are: "
lib_param_desc.push Service.lib_dict.indexes.join(", ")
lib_param_desc.push Service.
remote_
lib_dict.indexes.join(", ")
lib_param_desc = lib_param_desc.join("")
Command.libfish_sig["args"] = [["lib", lib_param_desc]]
Command.libfish_sig["options"] = []
Command.libfish_sig["options"] = [
{["-l", "--search-local-libs"]: "save local libs aswell"}
]
Command.libfish = function(args = [], options = {})
if args.len > 0 then
for arg in args
if Service.lib_dict.hasIndex(arg) == 0 then exit("invalid param, look at the docs")
if Service.
remote_
lib_dict.hasIndex(arg) == 0 then exit("invalid param, look at the docs")
end for
for i in Service.lib_dict.indexes
if args.indexOf(i) == null then Service.lib_dict.remove(i)
for i in Service.
remote_
lib_dict.indexes
if args.indexOf(i) == null then Service.
remote_
lib_dict.remove(i)
end for
end if
while true
machine = new Machine
machine.init(rnd_ip)
for s in machine.services
known_libs = get_shell.host_computer.File(LIB_STORE_PATH).get_files
known_libs = get_shell.host_computer.File(LIB_STORE_PATH).get_files
for i in known_libs.indexes
known_libs[i] = known_libs[i].name
end for
s.set_exploits
if not Service.lib_dict.hasIndex(s.info.split(" ")[0]) then continue
key = s.info.replace(".", "").replace(" ", "")
if known_libs.indexOf(key) then continue
so_name = Service.lib_dict[s.info.split(" ")[0]]
if options["-l"] == false then
// skip service if not listed on libs
if not Service.remote_lib_dict.hasIndex(s.info.split(" ")[0]) then continue
// skip service if remote lib is already in store
if known_libs.indexOf(key) then continue
end if
sh = s.quick_root_shell
if typeof(sh) != "shell" then continue
sh.scp("/lib/" + so_name, LIB_STORE_PATH, get_shell)
sh.clear_logs(EMPTY_LOG
_PATH)
get_shell.host_computer.File(LIB_STORE_PATH + "/" +
so_name
).rename(key)
machine.save_exploits
if Service.remote_lib_dict.hasIndex(s.info.split(" ")[0]) == true then
if known_libs.indexOf(key) == null and key then
so_name = Service.remote_lib_dict[s.info.split(" ")[0]]
sh.scp("/lib/" + so_name, LIB_STORE_PATH, get_shell)
get_shell.host_computer.File(LIB_STORE_PATH + "/" + so_name).rename(key)
end if
end if
if options["-l"] == true then
for i in Service.local_lib_dict.values
if typeof(sh.host_computer.File("/lib/" + i)) != "file" then continue
sh.scp("/lib/" + i, LIB_STORE
_PATH
, get_shell)
lib = machine.metaxploit.load("/lib/" + i)
key = Service.local_lib_dict.indexOf(i) + lib.version.replace(".", ""
)
if known_libs.indexOf(key) then
get_shell.host_computer.File(LIB_STORE_PATH + "/" +
i).delete
else
get_shell.host_computer.File(LIB_STORE_PATH + "/" + i
).rename(key)
end if
end for
end if
sh.clear_logs
end for
end while
end function
import_code("/home/me/h/libs/thor.src") //depends on Listlib, exports Thor
Thor.init(Command, "libfish")
libs/nmap.src
lmap = function(list, func)
result = list[0:] //list copy.
for i in indexes(list)
result[i] = func(result[i])
end for
return result
end function
Service = {}
// port : port number
// lan_ip
// info : service name and version
// port_obj : port obj
// version_to_int : int of 3 digits
Service.attrs = ["port", "status", "lan_ip", "info"]
Service.init = function(nmap, port = null)
self.nmap = nmap
if port == null then
self.port_obj = null
self.port = null
self.status = null
self.info = "router " + self.nmap.router.kernel_version
self.lan_ip = self.nmap.router.local_ip
else
self.port_obj = port
self.port = self.port_obj.port_number
self.status = "open"
if(self.port_obj.is_closed and not self.nmap.is_lan) then
self.status = "closed"
end if
self.info = self.nmap.router.port_info(self.port_obj)
self.lan_ip = self.port_obj.get_lan_ip
end if
self.version_to_int = self.info.split(" ")[1].split(".").join("").to_int
end function
Service.lib_dict = {"router": "kernel_router.so", "http": "libhttp.so", "ssh": "libssh.so", "repository": "librepository.so"}
Service.
remote_
lib_dict = {"router": "kernel_router.so", "http": "libhttp.so", "ssh": "libssh.so", "repository": "librepository.so"}
Service.local_lib_dict = {"kernel": "kernel_module.so", "net": "net.so", "init": "init.so"}
Service.info_to_key = function()
return self.info.replace(".", "").replace(" ", "")
end function
Nmap = {}
Nmap.init = function(ip)
self.ip = ip
if not is_valid_ip(self.ip) then exit("nmap: invalid ip address")
self.is_lan = is_lan_ip(self.ip)
self.set_router
self.set_ports
self.set_services
end function
Nmap.set_router = function()
if self.is_lan then
self.router = get_router;
else
self.router = get_router(self.ip)
end if
if self.router == null then exit("nmap: ip address not found")
end function
Nmap.set_ports = function()
if not self.is_lan then
self.ports = self.router.used_ports
else
self.ports = self.router.device_ports(self.ip)
end if
if self.ports == null then exit("nmap: ip address not found")
if typeof(self.ports) == "string" then exit(self.ports)
end function
Nmap.set_services = function()
scope = self
port_to_service = function(port)
service = new Service
service.init(scope, port)
return service
end function
self.services = lmap(self.ports, @port_to_service)
service = new Service
service.init(scope)
self.services.push service
end function
src/machine.src
MachineServices = {}
//class eval shit
exploits_inspect = function(obj, scope)
exploits_len = 0
if scope.hasIndex("exploits") then exploits_len = scope.exploits.len
return scope.exploits.len
end function
Service.attrs.push("exploits")
Service.load_exploits_from_cache = function()
exploits = self.machine.exploits_cache
if exploits.hasIndex(self.info_to_key) == 0 then return 0
self.scan = new Scan
self.scan.init(self.nmap.ip, self.port)
self.scan.machine = self.machine
self.exploits = []
for x in exploits[self.info_to_key]
exploit = new ScanExploit
exploit.init(self.scan, x)
self.exploits.push(exploit)
end for
return 1
end function
Service.load_exploits_from_scan = function()
exploits = self.machine.exploits_cache
self.scan = new Scan
self.scan.init(self.nmap.ip, self.port)
self.scan.machine = self.machine
self.scan.execute
self.exploits = self.scan.get_exploits
end function
Service.set_exploits = function()
// skip_if_no_cache scan_only_if_no_cache scan_everytime
if self.machine.scan_strategy == "scan_everytime" then
self.load_exploits_from_scan
else if self.machine.scan_strategy == "skip_if_no_cache" then
self.load_exploits_from_cache
else if self.machine.scan_strategy == "scan_only_if_no_cache" then
if self.load_exploits_from_cache == 0 then self.load_exploits_from_scan
end if
end function
// require passwords list set in custom_object
Service.quick_root_shell = function
attack_script = self.machine.TABLEATTACK_SCRIPT
for x in self.exploits
x.set_result
if typeof(x.result) != "shell" then continue
remote_shell = x.result
remote_comp = remote_shell.host_computer
key = remote_comp.public_ip + "|" + remote_comp.local_ip
self.machine.credentials_db.reload
if self.machine.credentials_db.obj.hasIndex(key) then
get_custom_object.saved_password = self.machine.credentials_db.obj[key].password
end if
// escalate to root
if remote_comp.File("/home/guest/tableAttack.src") != null then
remote_comp.File("/home/guest/tableAttack.src").delete
end if
remote_comp.touch("/home/guest", "tableAttack.src")
remote_comp.File("/home/guest/tableAttack.src").set_content(attack_script.get_content)
print "building script"
remote_shell.build("/home/guest/tableAttack.src", "/home/guest")
remote_shell.launch("/home/guest/tableAttack")
// save credentials in a db
self.machine.credentials_db.reload
pas = get_custom_object.password
if pas == null then pas = ""
key = remote_comp.public_ip + "|" + remote_comp.local_ip
self.machine.credentials_db.obj[key] = {"user": "root", "password": pas}
self.machine.credentials_db.save
root_shell = get_custom_object.shell
return root_shell
end for
return null
end function
ScanExploit.set_result_callback = function()
// save entry
if typeof(self.result) != "shell" then return
self.scan.machine.entries_db.reload
key = self.scan.machine.entries_db.obj.indexes.len
entry = {}
entry.local_ip = self.result.host_computer.local_ip
entry.public_ip = self.result.host_computer.public_ip
entry.exploit = {"address": self.address, "value": self.value, "port": str(self.scan.port)}
self.scan.machine.entries_db.obj[key] = entry
self.scan.machine.entries_db.save
end function
Machine = {}
Machine.exploits_cache = function
return self.exploits_db.get
end function
//Machine.passwords_list : required passwords list
//Machine.table_attack_script : required table attack script
Machine.services_inspect = function(obj, scope)
f = function(o)
exploits_len = 0
if o.hasIndex("exploits") then exploits_len = o.exploits.len
return o.inspect(["info", [exploits_len, "exploits_len"], "port"])
end function
return scope.services.map(@f)
end function
Machine.attrs = ["ip", [@Machine.services_inspect, "services"]]
Machine.metaxploit = null //required
Machine.config_path = home_dir + "/Config"
Machine.shell = get_shell
Machine.computer = Machine.shell.host_computer
Machine.setup_disks = function
print "initiating databases"
Machine.PASSWORDS_DISK = new Disk
Machine.PASSWORDS_DISK.init(self.config_path, "passwords")
Machine.EXPLOITS_DISK = new Disk
Machine.EXPLOITS_DISK.init(self.config_path, "exploits")
Machine.ENTRIES_DISK = new Disk
Machine.ENTRIES_DISK.init(self.config_path, "entries")
Machine.CREDENTIALS_DISK = new Disk
Machine.CREDENTIALS_DISK.init(self.config_path, "credentials")
print "finished"
end function
Machine.setup_disks
Machine.init = function(ip)
self.TABLEATTACK_SCRIPT = self.computer.File(self.config_path + "/tableAttack.src")
self.PASSWORDS_DISK = new Disk
self.PASSWORDS_DISK.init(self.config_path, "passwords")
self.EXPLOITS_DISK = new Disk
self.EXPLOITS_DISK.init(self.config_path, "exploits")
self.ENTRIES_DISK = new Disk
self.ENTRIES_DISK.init(self.config_path, "entries")
self.CREDENTIALS_DISK = new Disk
self.CREDENTIALS_DISK.init(self.config_path, "credentials")
// skip_if_no_cache scan_only_if_no_cache scan_everytime
self.scan_strategy = "scan_only_if_no_cache"
self.ip = ip
self.set_services
self.passwords = self.PASSWORDS_DISK.read_chars.split(char(10))
self.exploits_db = new DocDB
self.exploits_db.init(self.EXPLOITS_DISK)
self.entries_db = new DocDB
self.entries_db.init(self.ENTRIES_DISK)
self.credentials_db = new DocDB
self.credentials_db.init(self.CREDENTIALS_DISK)
if not get_custom_object.hasIndex("passwords") then
print "reading passwords database"
self.passwords = self.PASSWORDS_DISK.read_chars.split(char(10))
get_custom_object.passwords = self.passwords
print "finished"
end if
end function
Machine.save_exploits = function()
self.exploits_db.reload
for s in self.services
key = s.info_to_key
exploits = []
if s.hasIndex("exploits") == 0 then continue
for x in s.exploits
x_obj = {}
x_obj["address"] = x.address
x_obj["value"] = x.value
x_obj["requirements"] = x.requirements
x_obj["requirements_len"] = x.requirements_len
if x.hasIndex("result") == 1 then x_obj["result"] = typeof(x.result)
exploits.push x_obj
end for
self.exploits_db.obj[key] = exploits
self.exploits_db.save
end for
end function
Machine.quick_attack = function(only_routers = true)
target_services = self.services
if only_routers == true then
target_services = [self.router_service]
end if
for service in target_services
service.set_exploits
root_shell = service.quick_root_shell
if typeof(root_shell) == "shell" then return root_shell
end for
return null
end function
Machine.set_services = function()
self.nmap = new Nmap
self.nmap.init(self.ip)
self.nmap.machine = self
self.services = self.nmap.services
for s in self.services
s.machine = self
end for
end function
Machine.router_service = function()
for s in self.services
if s.port == null then return s
end for
return null
end function
Machine.open_services = function()
f = function(o)
return o.status == "open"
end function
return self.services.select(@f)
end function