Files

cli/hack.src libs/scan.src
cli/hack.src
  • import_code("/home/me/h/src/utils.src") // exports map.inspect, p
  • import_code("/home/me/h/libs/list.src") // exports list utils and map utils
  • import_code("/home/me/h/libs/disk.src") // exports Disk, Block
  • import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
  • import_code("/home/me/h/libs/scan.src") // exports Scan
  • import_code("/home/me/h/libs/json.src") // exports Json
  • import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
  • import_code("/home/me/h/libs/optionSelector.src") // exports option_selector
  • import_code("/home/me/h/src/docDB.src") // exports DocDB
  • import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
  • import_code("/home/me/h/libs/meta.src") // exports Meta
  • import_code("/home/me/h/src/shell.src") // extend map
  • Machine.metaxploit = include_lib("/lib/metaxploit.so")
  • Scan.metaxploit = include_lib("/lib/metaxploit.so")
  • Command = {}
  • Command.hack_sig = {}
  • Command.hack_sig["description"] = "hack shit"
  • Command.hack_sig["args"] = ["ip*"]
  • Command.hack_sig["options"] = []
  • Command.hack = function(args = [], options = {})
  • machine = new Machine
  • machine.init(args[0])
  • services = machine.services
  • f = function(o)
  • is_cached = "not cached"
  • if machine.exploits_db.obj.hasIndex(o.info_to_key) then
  • is_cached = "<color=green>cached</color>"
  • end if
  • return [o, o.lan_ip + ":" + o.port + " " + o.info + " " + is_cached]
  • end function
  • services = services.map(@f)
  • print "target which lib?"
  • service = user_select(services)
  • service.set_exploits
  • shell = null
  • if user_confirmation("do you want to auto root ? (only works on npcs)") then
  • shell = service.quick_root_shell
  • else
  • for x in service.exploits
  • x.set_result
  • if typeof(x.result) == shell then shell = x.result
  • if typeof(x.result) == "shell" then shell = x.result
  • end for
  • end if
  • if shell == null then
  • exit("no shells")
  • end if
  • machine.save_exploits
  • if user_confirmation("do you want to clear the logs") then
  • shell.clear_logs
  • end if
  • shell.start_terminal
  • end function
  • import_code("/home/me/h/libs/thor.src") //depends on Listlib, exports Thor
  • Thor.init(Command, "hack")
libs/scan.src
  • lmap = function(list, func)
  • result = list[0:] //list copy.
  • for i in indexes(list)
  • result[i] = func(result[i])
  • end for
  • return result
  • end function
  • _or = function(value1, value2)
  • if value1 == null or value1 == false then
  • return value2
  • end if
  • return value1
  • end function
  • // converts scan_address output to a list easier to process
  • // usage example:
  • // mem_scan = metaxploit.scan_address(metaLib, entry)
  • // mem_scan = mem_scan_exploits(mem_scan)
  • mem_scan_exploits = function(mem_scan)
  • ex_list = []
  • while true
  • ex_mark = mem_scan.indexOf("<b>")
  • if ex_mark == null then break
  • // get exploit value
  • ex_mark_end = mem_scan.indexOf("</b>")
  • value = slice(mem_scan, ex_mark+3, ex_mark_end)
  • // get requirements
  • mem_scan = mem_scan[ex_mark_end+5:]
  • mem_scan = mem_scan[mem_scan.indexOf(".")+1:]
  • mem_scan_lines = mem_scan.split(char(10))[1:]
  • if mem_scan_lines[0].indexOf("*") != null then
  • req = mem_scan_lines[:mem_scan_lines.indexOf("")]
  • else
  • req = []
  • end if
  • if req.len >= 1 then
  • mem_scan = mem_scan[mem_scan.indexOf(req[-1])+req[-1].len+1:]
  • end if
  • exploit = [value, req]
  • //["exploit_name": ["requirement", "requirement"]]
  • ex_list.push(exploit)
  • end while
  • return ex_list
  • //[
  • // {"exploit_name": ["requirement", "requirement"]},
  • // {"exploit_name": ["requirement", "requirement"]}
  • //]
  • end function
  • ScanExploitResult = {}
  • // ScanExploitResult.obj : result obj
  • // ScanExploitResult.info : string containing result info
  • ScanExploitResult.attrs = ["obj", "info"]
  • ScanExploitResult.init = function(obj, extra_param = null)
  • self.obj = obj
  • self.extra_param = extra_param
  • end function
  • ScanExploitResult.check_user = function(computer)
  • if not computer.File("/home/guest").has_permission("w") then return "unknown"
  • if computer.touch("/home/guest", "anonymous.dat") then
  • file = computer.File("/home/guest/anonymous.dat")
  • return file.owner
  • end if
  • return "unknown"
  • end function
  • ScanExploitResult.check_permissions = function(computer)
  • out = ""
  • c_home = computer.File("/home")
  • if c_home != null and c_home.has_permission("r") then
  • out = out + " /home"
  • end if
  • c_passwd = computer.File("/etc/passwd")
  • if c_passwd != null and c_passwd.has_permission("r") then
  • out = out + " /etc/passwd"
  • end if
  • c_libs = computer.File("/lib")
  • if c_libs != null and c_libs.has_permission("r") then
  • out = out + " /lib"
  • end if
  • if out != "" then
  • out = "permission on" + out
  • end if
  • return out
  • end function
  • ScanExploitResult.set_info = function(extra_param = null)
  • out = ""
  • type = typeof(self.obj)
  • if type == "file" then
  • if self.obj.is_folder then
  • out = "folder"
  • end if
  • permission = " without permission"
  • if self.obj.has_permission("r") then permission = " with permission"
  • out = out + permission
  • out = out + " " + self.obj.path
  • end if
  • if type == "shell" or type == "computer" then
  • comp = self.obj
  • if type == "shell" then comp = self.obj.host_computer
  • user = self.check_user(comp)
  • out = out + user + " user"
  • out = out + " " + self.check_permissions(comp)
  • end if
  • if type == "number" then
  • out = out + self.obj
  • if extra_param == null then extra_param = "null"
  • out = out + " extra_param: " + extra_param
  • end if
  • self.info = out
  • end function
  • ScanExploit = {}
  • // ScanExploit.address : "0x62AC77E1"
  • // ScanExploit.value : "applyund"
  • // ScanExploit.requirements : ["* req1", "* req2"]
  • // ScanExploit.result :shell, computer, number, null, file object
  • // ScanExploit.result_class : result obj wrapped in a class with some useful methods
  • ScanExploit.attrs = ["requirements_len", "result"]
  • ScanExploit.init = function(scan, options)
  • self.scan = scan
  • self.address = options.address
  • self.value = options.value
  • self.requirements = options.requirements
  • self.requirements_len = self.requirements.len
  • end function
  • ScanExploit.set_result = function(extra_param = null)
  • result = self.scan.meta_lib.overflow(self.address, self.value)
  • if result == null then
  • if extra_param != null and extra_param != "" then
  • result = self.scan.meta_lib.overflow(self.address, self.value, extra_param)
  • end if
  • end if
  • self.result = result
  • self.result_class = new ScanExploitResult
  • self.result_class.init(result)
  • self.result_class.set_info(extra_param)
  • self.set_result_callback
  • end function
  • ScanExploit.set_result_callback = function()
  • end function
  • Scan = {}
  • Scan.attrs = ["ip", "port", "lib_version", "lib_name"]
  • Scan.lib_path = null
  • Scan.lib_file = null
  • Scan.show_null = false
  • Scan.shell = get_shell
  • Scan.computer = Scan.shell.host_computer
  • // Scan.lib_file = null : local libe, set when scanning a local lib
  • // Scan.net_session : remote lib, set when scaning a remote ip
  • // Scan.metaxploit : required metaxploit lib obj
  • // Scan.meta_lib : set after running execute method
  • // Scan.lib_name : set after running execute method
  • // Scan.lib_version : set after running execute method
  • // Scan.exploits : list of all exploits found, set after execute method
  • Scan.init = function(ip, port)
  • self.ip = ip
  • self.port = port
  • if self.ip != null then
  • self.net_session = _or(self.metaxploit.net_use(self.ip, self.port), self.metaxploit.net_use(self.ip))
  • else
  • self.lib_file = self.computer.File(self.lib_path)
  • end if
  • self.set_lib
  • end function
  • Scan.set_lib = function()
  • if self.lib_file != null then
  • self.meta_lib = metaxploit.load(self.lib_file.path)
  • else
  • self.meta_lib = self.net_session.dump_lib
  • end if
  • self.lib_name = self.meta_lib.lib_name
  • self.lib_version = self.meta_lib.version
  • end function
  • Scan.execute = function()
  • self.addresses = self.metaxploit.scan(self.meta_lib)
  • // ["0x62AC77E1", "0x50D166E8", "0x611B6063", "0x1A9FD00C"]
  • self.get_exploits
  • end function
  • Scan.get_exploits = function()
  • scope = self
  • get_values = function(address)
  • exploits_text = scope.metaxploit.scan_address(scope.meta_lib, address)
  • exploits_values = mem_scan_exploits(exploits_text)
  • return [address, exploits_values]
  • end function
  • self.exploits = lmap(self.addresses, @get_values)
  • // [0x611B6063, [[applyund, [* req1, * req2]], ...], ...], ...}]
  • result = []
  • for exploit_values in self.exploits
  • for value in exploit_values[1]
  • exploit = new ScanExploit
  • exploit.init(self, {"address": exploit_values[0], "value": value[0], "requirements": value[1]})
  • result.push(exploit)
  • end for
  • end for
  • return result
  • //self.exploits = []
  • end function