Grey Repo

Files

setup.src libs/meta.src src/shell.src src/machine.src cli/searchMails.src

setup.src

import_code("/home/me/h/libs/list.src")
import_code("/home/me/h/libs/disk.src")
import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
import_code("/home/me/h/libs/scan.src") // exports Scan
import_code("/home/me/h/libs/json.src") // exports Json
import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
import_code("/home/me/h/src/docDB.src") // exports DocDB
import_code("/home/me/h/libs/passwords.src")
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
import_code("/home/me/h/src/shell.src") // extend map
get_import_paths = function(code)
lines = code.split(char(10))
r = []
for l in lines
if l.indexOf("import_code" + "(""") != null then r.push(l.split("""")[1])
end for
return r
end function
check_sum_source = function(code)
comp = get_shell.host_computer
codes = [code]
for s in get_import_paths(code)
codes.push comp.File(s).get_content
end for
return md5(codes.join(""))
end function
comp = get_shell.host_computer
print "setup hacking script"
comp.File("/home/me/h/src/tableAttack.src").copy(home_dir + "/Config", "tableAttack.src")
comp.File("/home/me/h/src/rserverInstaller.src").copy(home_dir + "/Config", "rserverInstaller.src")
//get_shell.host_computer.touch(home_dir + "/Config", "emptyLog")
print "compiling cli tools"
comp.create_folder(home_dir, "vegaTools")
while true
comp.touch(home_dir, ".vega_watch")
watch_file = comp.File(home_dir + "/.vega_watch")
watch_data = {}
f = function(o)
return o.split("=")
end function
if watch_file.get_content.len > 1 then watch_data = watch_file.get_content.split(char(10)).map(@f).to_map
for f in comp.File("/home/me/h/cli").get_files
if watch_data.hasIndex(f.name) == false then watch_data[f.name] = check_sum_source(f.get_content)
compiled_script = comp.File(home_dir + "/vegaTools/" + f.name[:-4])
if watch_data[f.name] != check_sum_source(f.get_content) or compiled_script == null then
print "compiling " + f.name
f.copy(home_dir + "/vegaTools", f.name)
b = get_shell.build(home_dir + "/vegaTools/" + f.name, home_dir + "/vegaTools")
if b.len > 0 then print(f.name + " error: <color=red>" + b + "</color>")
comp.File(home_dir + "/vegaTools/" + f.name).delete
watch_data[f.name] = check_sum_source(f.get_content)
end if
end for
f = function(o)
return o[0] + "=" + o[1]
end function
watch_file.set_content watch_data.to_list.map(@f).join(char(10))
if params.hasIndex(0) == false or params[0] != "-w" then break
end while
// get bounce vulnerable router lib
print("getting bounce vulnerable router lib")
Machine.metaxploit = include_lib("/lib/metaxploit.so")
Scan.metaxploit = include_lib("/lib/metaxploit.so")
if comp.File(home_dir + "/Config/routerBouncerLib/kernel_router.so") == null then
while true
machine = new Machine
machine.init(rnd_ip)
machine.router_service.set_exploits
shell = machine.router_service.quick_root_shell
if typeof(shell) != "shell" then continue
if machine.router_service.get_bounce_exploits.len > 0 then
get_shell.host_computer.create_folder(home_dir + "/Config", "routerBouncerLib")
shell.scp("/lib/kernel_router.so", home_dir + "/Config/routerBouncerLib", get_shell)
break
end if
end while
end if
Disk.init(home_dir + "/Config", "passwords")
// setup passwords db
if Disk.read_chars.len > 0 then exit
if(Disk.blobs.len > 1) then exit("password generation setup already completed")
PasswordGenerator.init(PASSWORDS)
print "generating passwords, it will take a while"
HASH_TABLE=PasswordGenerator.AllPasswords
print "done"
print "parsing passwords obj"
f = function(o)
return o[1]
end function
pass_list = HASH_TABLE.to_list.map(@f)
print "done"
print "writing to disk"
Disk.write(pass_list.join(char(10)))
print "done"

libs/meta.src

Scoper = {}
~~Scoper.get_scope = function()~~
Scoper.get_scope = function(optional_locals_scope = null)
scope = {}
scope.map = map
scope.list = list
scope.number = number
scope.string = string
scope.globals = globals
if optional_locals_scope == null then
scope.locals = {}
else
scope.locals = optional_locals_scope
end if
return scope
end function
Scoper.shallow_copy = function(obj1, obj2)
for i in obj2.indexes
obj1[@i] = @obj2[@i]
end for
end function
Scoper.transfer_scope = function(scope)
self.shallow_copy(map, scope.map)
self.shallow_copy(list, scope.list)
self.shallow_copy(number, scope.number)
self.shallow_copy(string, scope.string)
self.shallow_copy(globals, scope.globals)
end function
Meta = {}
Meta.shell = get_shell
Meta.computer = Meta.shell.host_computer
// PREPEND_MARK
~~Meta.prepend_code = "get_scope = function()~~
Meta.prepend_code = "get_scope = function
scope = {}
scope.map = map
scope.list = list
scope.number = number
scope.string = string
scope.globals = globals
return scope
end function
shallow_copy = function(obj1, obj2)
for i in obj2.indexes
obj1[@i] = @obj2[@i]
end for
end function
transfer_scope = function(scope)
shallow_copy(map, scope.map)
shallow_copy(list, scope.list)
shallow_copy(number, scope.number)
shallow_copy(string, scope.string)
shallow_copy(globals, scope.globals)
for obj in scope.locals
globals[""M"" + obj.key] = obj.value
end for
end function
parent_scope = get_custom_object.parent_scope
transfer_scope(parent_scope)
"
// APPEND_MARK
~~Meta.append_code = "get_custom_object.child_scope = get_scope"~~
Meta.append_code = "
get_custom_object.child_scope = get_scope"
// required options:
// build_full_path, example /home/me/evals/evalscript.src
Meta.init = function(build_full_path = "/home/guest/evalscript.src")
self.build_full_path = build_full_path
self.build_path = self.build_full_path.split("/")[0:-1].join("/")
self.build_name = self.build_full_path.split("/")[-1]
self.build_bin_name = self.build_name.split(".")[0]
self.build_bin_full_path = self.build_path + "/" + self.build_bin_name
end function
~~Meta.eval = function(code)~~
Meta.eval = function(code, optional_locals_scope = null)
eval_script_code = self.prepend_code + char(10) + code + char(10) + self.append_code
self.computer.touch(self.build_path, self.build_name)
eval_script = self.computer.File(self.build_full_path)
eval_script.set_content(eval_script_code)
compiler_out = get_shell.build(self.build_full_path, self.build_path)
if compiler_out then
print compiler_out
return
end if
~~get_custom_object.parent_scope = Scoper.get_scope~~
get_custom_object.parent_scope = Scoper.get_scope(optional_locals_scope)
get_shell.launch(self.build_bin_full_path)
if get_custom_object.hasIndex("child_scope") then Scoper.transfer_scope(get_custom_object.child_scope)
end function
~~Meta.console = function()~~
Meta.console = function(optional_locals_scope = null)
prompt_code = function(line = 0)
code = user_input("igs("+line+")> ")
if code == "continue" then return 0
if code.len > 0 and code.values[-1] == char(92) then
~~return code[0:-1] + char(10) + prompt_code(line + 1)~~
return code[0:-1] + char(10) + prompt_code(line + 1)
end if
return code
end function
while true
arbitrary_code = prompt_code
if not arbitrary_code then return
~~self.eval(arbitrary_code)~~
self.eval(arbitrary_code, optional_locals_scope)
end while
end function

src/shell.src

// extend shell objs
map.clear_logs = function
get_shell.host_computer.touch(home_dir + "/Config", "emptyLog")
empty_log_path = home_dir + "/Config/emptyLog"
if typeof(self) != "shell" then
print "<color=red>error obj is not an shell</color>"
exit "<color=red>error obj is not an shell</color>"
end if
shell = self
comp = shell.host_computer
new_log_name = empty_log_path.split("/")[-1]
get_shell.scp(empty_log_path, "/var", shell)
new_log_file = comp.File("/var/"+new_log_name)
copy_out = new_log_file.copy("/var", "system.log")
if copy_out != 1 then print copy_out
new_log_file.rename(".log")
return shell
end function
map.install_rserver = function
installer_script = get_shell.host_computer.File(home_dir + "/Config/rserverInstaller.src")
if typeof(self) != "shell" then
print "<color=red>error obj is not an shell</color>"
exit "<color=red>error obj is not an shell</color>"
end if
shell = self
comp = shell.host_computer
if comp.File("/home/guest/rinstaller.src") != null then
comp.File("/home/guest/rinstaller.src").delete
end if
comp.touch("/home/guest", "rinstaller.src")
comp.File("/home/guest/rinstaller.src").set_content(installer_script.get_content)
print "building installer"
shell.build("/home/guest/rinstaller.src", "/home/guest")
shell.launch("/home/guest/rinstaller")
return shell
~~end function~~
end function
map.escalate_npc_to_root = function(machine = null)
if machine == null then machine = Machine
if typeof(self) != "shell" then
exit "<color=red>error obj is not an shell</color>"
end if
attack_script = machine.TABLEATTACK_SCRIPT
remote_shell = self
remote_comp = self.host_computer
if machine.skip_logging == false then
key = remote_comp.public_ip + "|" + remote_comp.local_ip
machine.credentials_db.reload
if machine.credentials_db.obj.hasIndex(key) then
get_custom_object.saved_password = machine.credentials_db.obj[key].password
end if
end if
if remote_comp.File("/home/guest/tableAttack.src") != null then
remote_comp.File("/home/guest/tableAttack.src").delete
end if
remote_comp.touch("/home/guest", "tableAttack.src")
remote_comp.File("/home/guest/tableAttack.src").set_content(attack_script.get_content)
print "building script"
remote_shell.build("/home/guest/tableAttack.src", "/home/guest")
remote_shell.launch("/home/guest/tableAttack")
if machine.skip_logging == false then
// save credentials in a db
machine.credentials_db.reload
pas = get_custom_object.password
if pas == null then pas = ""
key = remote_comp.public_ip + "|" + remote_comp.local_ip
machine.credentials_db.obj[key] = {"user": "root", "password": pas}
machine.credentials_db.save
end if
root_shell = get_custom_object.shell
return root_shell
end function

src/machine.src

MachineServices = {}
//class eval shit
exploits_inspect = function(obj, scope)
exploits_len = 0
if scope.hasIndex("exploits") then exploits_len = scope.exploits.len
return scope.exploits.len
end function
Service.attrs.push("exploits")
Service.load_exploits_from_cache = function()
exploits = self.machine.exploits_cache
if exploits.hasIndex(self.info_to_key) == 0 then return 0
self.scan = new Scan
self.scan.init(self.nmap.ip, self.port)
self.scan.machine = self.machine
self.exploits = []
for x in exploits[self.info_to_key]
exploit = new ScanExploit
exploit.init(self.scan, x)
self.exploits.push(exploit)
end for
return 1
end function
Service.load_exploits_from_scan = function()
self.scan = new Scan
self.scan.init(self.nmap.ip, self.port)
self.scan.machine = self.machine
self.scan.execute
self.exploits = self.scan.get_exploits
end function
Service.set_exploits = function()
// skip_if_no_cache scan_only_if_no_cache scan_everytime
if self.machine.scan_strategy == "scan_everytime" then
self.load_exploits_from_scan
else if self.machine.scan_strategy == "skip_if_no_cache" then
self.load_exploits_from_cache
else if self.machine.scan_strategy == "scan_only_if_no_cache" then
if self.load_exploits_from_cache == 0 then self.load_exploits_from_scan
end if
end function
// require passwords list set in custom_object
Service.quick_root_shell = function
attack_script = self.machine.TABLEATTACK_SCRIPT
for x in self.exploits
x.set_result
if typeof(x.result) != "shell" then continue
remote_shell = x.result
~~remote_comp = remote_shell.host_computer~~
~~if self.machine.skip_logging == false then~~
~~key = remote_comp.public_ip + "|" + remote_comp.local_ip~~
~~self.machine.credentials_db.reload~~
~~if self.machine.credentials_db.obj.hasIndex(key) then~~
~~get_custom_object.saved_password = self.machine.credentials_db.obj[key].password~~
~~end if~~
~~end if~~
~~// escalate to root~~
~~if remote_comp.File("/home/guest/tableAttack.src") != null then~~
~~remote_comp.File("/home/guest/tableAttack.src").delete~~
~~end if~~
~~remote_comp.touch("/home/guest", "tableAttack.src")~~
~~remote_comp.File("/home/guest/tableAttack.src").set_content(attack_script.get_content)~~
~~print "building script"~~
~~remote_shell.build("/home/guest/tableAttack.src", "/home/guest")~~
remote_shell.launch("/home/guest/tableAttack")
root_shell = remote_shell.escalate_npc_to_root(self.machine)
~~if self.machine.skip_logging == false then~~
~~// save credentials in a db~~
~~self.machine.credentials_db.reload~~
~~pas = get_custom_object.password~~
~~if pas == null then pas = ""~~
~~key = remote_comp.public_ip + "|" + remote_comp.local_ip~~
~~self.machine.credentials_db.obj[key] = {"user": "root", "password": pas}~~
~~self.machine.credentials_db.save~~
~~end if~~
~~root_shell = get_custom_object.shell~~
return root_shell
end for
return null
end function
Service.get_bounce_exploits = function()
// find computer bounce exploits
// https://discord.com/channels/415878436104437770/547090551539761153/1083217371365384273
if self.port != null then print("Service.get_bounce_exploits: WANING THIS IS NOT A ROUTER")
router_ips = self.machine.nmap.router.devices_lan_ip
exploits = []
for x in self.exploits
is_bounce = false
if x.set_result != null then continue
x.set_result router_ips[-1]
if typeof(x.result) == "computer" then
exploits.push x
continue
end if
end for
return exploits
end function
ScanExploit.set_result_callback = function()
// save entry
if typeof(self.result) != "shell" then return
if self.scan.machine.skip_logging == true then return
self.scan.machine.entries_db.reload
key = self.scan.machine.entries_db.obj.indexes.len
entry = {}
entry.local_ip = self.result.host_computer.local_ip
entry.public_ip = self.result.host_computer.public_ip
entry.exploit = {"address": self.address, "value": self.value, "port": str(self.scan.port)}
self.scan.machine.entries_db.obj[key] = entry
self.scan.machine.entries_db.save
end function
Machine = {}
Machine.exploits_cache = function
return self.exploits_db.get
end function
//Machine.passwords_list : required passwords list
//Machine.table_attack_script : required table attack script
Machine.services_inspect = function(obj, scope)
f = function(o)
exploits_len = 0
if o.hasIndex("exploits") then exploits_len = o.exploits.len
return o.inspect(["info", [exploits_len, "exploits_len"], "port"])
end function
return scope.services.map(@f)
end function
Machine.attrs = ["ip", [@Machine.services_inspect, "services"]]
Machine.metaxploit = null //required
Machine.config_path = home_dir + "/Config"
Machine.shell = get_shell
Machine.computer = Machine.shell.host_computer
Machine.skip_logging = false
// skip_if_no_cache scan_only_if_no_cache scan_everytime
Machine.scan_strategy = "scan_only_if_no_cache"
Machine.setup_disks = function
print "initiating databases"
Machine.PASSWORDS_DISK = new Disk
Machine.PASSWORDS_DISK.init(self.config_path, "passwords")
Machine.EXPLOITS_DISK = new Disk
Machine.EXPLOITS_DISK.init(self.config_path, "exploits")
if self.skip_logging == false then
Machine.ENTRIES_DISK = new Disk
Machine.ENTRIES_DISK.init(self.config_path, "entries")
Machine.CREDENTIALS_DISK = new Disk
Machine.CREDENTIALS_DISK.init(self.config_path, "credentials")
end if
print "finished"
end function
Machine.setup_disks
Machine.init = function(ip)
self.TABLEATTACK_SCRIPT = self.computer.File(self.config_path + "/tableAttack.src")
self.ip = ip
self.set_services
if self.scan_strategy != "scan_everytime" then
self.exploits_db = new DocDB
self.exploits_db.init(self.EXPLOITS_DISK)
end if
if self.skip_logging == false then
self.entries_db = new DocDB
self.entries_db.init(self.ENTRIES_DISK)
self.credentials_db = new DocDB
self.credentials_db.init(self.CREDENTIALS_DISK)
end if
if not get_custom_object.hasIndex("passwords") then
print "reading passwords database"
self.passwords = self.PASSWORDS_DISK.read_chars.split(char(10))
get_custom_object.passwords = self.passwords
print "finished"
end if
end function
Machine.save_exploits = function()
self.exploits_db.reload
for s in self.services
key = s.info_to_key
exploits = []
if s.hasIndex("exploits") == 0 then continue
for x in s.exploits
x_obj = {}
x_obj["address"] = x.address
x_obj["value"] = x.value
x_obj["requirements"] = x.requirements
x_obj["requirements_len"] = x.requirements_len
if x.hasIndex("result") == 1 then x_obj["result"] = typeof(x.result)
exploits.push x_obj
end for
self.exploits_db.obj[key] = exploits
self.exploits_db.save
end for
end function
Machine.quick_attack = function(only_routers = true)
target_services = self.services
if only_routers == true then
target_services = [self.router_service]
end if
for service in target_services
service.set_exploits
root_shell = service.quick_root_shell
if typeof(root_shell) == "shell" then return root_shell
end for
return null
end function
Machine.set_services = function()
self.nmap = new Nmap
self.nmap.init(self.ip)
self.nmap.machine = self
self.services = self.nmap.services
for s in self.services
s.machine = self
end for
end function
Machine.router_service = function()
for s in self.services
if s.port == null then return s
end for
return null
end function
Machine.open_services = function()
f = function(o)
return o.status == "open"
end function
return self.services.select(@f)
end function

cli/searchMails.src

import_code("/home/me/h/src/utils.src") // exports map.inspect, p
import_code("/home/me/h/libs/list.src") // exports list utils and map utils
import_code("/home/me/h/libs/disk.src") // exports Disk, Block
import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
import_code("/home/me/h/libs/scan.src") // exports Scan
import_code("/home/me/h/libs/json.src") // exports Json
import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
import_code("/home/me/h/libs/optionSelector.src") // exports option_selector
import_code("/home/me/h/src/docDB.src") // exports DocDB
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
import_code("/home/me/h/src/shell.src") // extend map
import_code("/home/me/h/libs/meta.src") // extend Meta
Machine.metaxploit = include_lib("/lib/metaxploit.so")
Scan.metaxploit = include_lib("/lib/metaxploit.so")
Command = {}
Command.searchMails_sig = {}
Command.searchMails_sig["description"] = "target router bounce exploits to get mails"
Command.searchMails_sig["args"] = ["ip*"]
Command.searchMails_sig["options"] = []
next_ip = function(ip)
numbers = ip.split(".")
numbers[-1] = numbers[-1].to_int + 1
return numbers.join(".")
end function
Command.searchMails = function(args = [], options = {})
machine = new Machine
machine.init(args[0])
machine.scan_strategy = "scan_everytime"
router_ips = machine.nmap.router.devices_lan_ip
//p machine.router_service
p machine.router_service.info
~~// find computer bounce exploits~~
~~exploits = []~~
machine.router_service.set_exploits
for x in machine.router_service.exploits
~~for i in router_ips~~
~~x.set_result next_ip(i)~~
~~if typeof(x.result) == "computer" then~~
~~exploits.push x~~
~~break~~
~~end if~~
~~end for~~
~~end for~~
~~p exploits.inspect(["value", "address"])~~
exploits = machine.router_service.get_bounce_exploits
if exploits.len == 0 then
print "<color=yellow>no bounce attacks found</color>"
print "<color=yellow>hacking router to install vulnerable router lib</color>"
sh = machine.router_service.quick_root_shell
if sh == null then exit("hopeless, cant get shell on the shell")
get_shell.scp(home_dir + "/Config/routerBouncerLib/kernel_router.so", "/lib", sh)
machine.router_service.set_exploits
exploits = machine.router_service.get_bounce_exploits
end if
// war dial ips
computers = []
for x in exploits
for ip in router_ips
for i in range(10)
ip = next_ip(ip)
x.set_result(ip)
if typeof(x.result) == "computer" then computers.push x.result
end for
end for
end for
creds = []
mails = []
banks = []
for c in computers
passwdfile = c.File("/etc/passwd")
if passwdfile.has_permission("r") then
passwdfile = passwdfile.get_content.replace(char(10), " from " + c.local_ip + char(10))
creds = passwdfile.split(char(10))
end if
for user_home in c.File("/home").get_folders
mail_file = c.File("/home/" + user_home.name + "/Config/Mail.txt")
bank_file = c.File("/home/" + user_home.name + "/Config/Bank.txt")
if mail_file then mails.push mail_file.get_content + " from " + c.local_ip
if bank_file then banks.push bank_file.get_content + " from " + c.local_ip
end for
end for
mails = mails.uniq
banks = banks.uniq
print "CREDENTIALS"
print creds.join(char(10))
print "BANKS"
print banks.join(char(10))
print "MAILS"
print mails.join(char(10))
end function
import_code("/home/me/h/libs/thor.src") //depends on Listlib, exports Thor
Thor.init(Command, "searchMails")