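// Applies func to every element of list and returns the mapped copy.
// The caller's list is never modified (a shallow copy is mapped in place).
lmap = function(list, func)
  result = list[0:] // shallow copy so the input list stays untouched
  for i in indexes(list)
    result[i] = func(result[i])
  end for
  return result
end function

// Returns value1 unless it is null or false, otherwise value2.
// Both arguments are evaluated by the caller before this runs, so a
// fallback with side effects (e.g. opening a session) always executes.
_or = function(value1, value2)
  if value1 == null or value1 == false then return value2
  return value1
end function

// Converts the text returned by metaxploit.scan_address into a list that is
// easier to process.
// usage example:
//   mem_scan = metaxploit.scan_address(metaLib, entry)
//   mem_scan = mem_scan_exploits(mem_scan)
// Returns a list of [value, requirements] pairs:
//   [
//     ["exploit_name", ["* requirement", "* requirement"]],
//     ["exploit_name", []]
//   ]
// The parser relies on the text layout: each value is wrapped in <b></b>,
// followed by a sentence ending in "." and then zero or more "* ..." lines
// terminated by an empty line. Malformed input (null, missing closing tag,
// missing sentence or requirement lines) now yields partial results instead
// of a runtime error.
mem_scan_exploits = function(mem_scan)
  ex_list = []
  if mem_scan == null then return ex_list
  while true
    ex_mark = mem_scan.indexOf("<b>")
    if ex_mark == null then break
    ex_mark_end = mem_scan.indexOf("</b>")
    // an opening tag without a closing tag cannot be parsed; stop here
    if ex_mark_end == null or ex_mark_end < ex_mark then break
    value = slice(mem_scan, ex_mark + 3, ex_mark_end)
    // skip "</b>" plus the single separator character that follows it
    mem_scan = mem_scan[ex_mark_end + 5:]
    // requirements start after the description sentence
    sentence_end = mem_scan.indexOf(".")
    if sentence_end != null then mem_scan = mem_scan[sentence_end + 1:]
    mem_scan_lines = mem_scan.split(char(10))[1:]
    req = []
    if mem_scan_lines.len > 0 and mem_scan_lines[0].indexOf("*") != null then
      // requirement lines run until the first empty line (or the end of text)
      req_end = mem_scan_lines.indexOf("")
      if req_end == null then req_end = mem_scan_lines.len
      req = mem_scan_lines[:req_end]
    end if
    if req.len >= 1 then
      // continue the search after the last requirement line so its text is
      // not mistaken for part of the next entry
      last_req = req[-1]
      mem_scan = mem_scan[mem_scan.indexOf(last_req) + last_req.len + 1:]
    end if
    ex_list.push([value, req])
  end while
  return ex_list
end function

ScanExploitResult = {}
// ScanExploitResult.obj : result obj
// ScanExploitResult.info : string containing result info, built by set_info
// ScanExploitResult.extra_param : value that was passed to overflow, if any
ScanExploitResult.attrs = ["obj", "info"]

ScanExploitResult.init = function(obj, extra_param = null)
  self.obj = obj
  self.extra_param = extra_param
end function

// Returns the owner of /home/guest/anonymous.dat on computer, or "unknown".
// touch creates that file when it does not exist yet, so this probe leaves
// an artifact on the target. If touch reports a failure, File may be null;
// that case is treated as "unknown" instead of raising a runtime error.
ScanExploitResult.check_user = function(computer)
  if computer.touch("/home/guest", "anonymous.dat") then
    file = computer.File("/home/guest/anonymous.dat")
    if file != null then return file.owner
  end if
  return "unknown"
end function

// Lists the readable entries among /home, /etc/passwd and /lib, prefixed with
// "permission on". Returns "" when none of them is readable.
ScanExploitResult.check_permissions = function(computer)
  out = ""
  for path in ["/home", "/etc/passwd", "/lib"]
    entry = computer.File(path)
    if entry != null and entry.has_permission("r") then out = out + " " + path
  end for
  if out != "" then out = "permission on" + out
  return out
end function

// Builds self.info, a one-line description of self.obj depending on its type:
//   file            -> "[folder] with/without permission <path>"
//   shell/computer  -> "<user> user permission on ..."
//   number          -> "<number> extra_param: <extra_param>"
// Any other type (including null) leaves info empty.
ScanExploitResult.set_info = function(extra_param = null)
  out = ""
  kind = typeof(self.obj)
  if kind == "file" then
    if self.obj.is_folder then out = "folder"
    permission = " without permission"
    if self.obj.has_permission("r") then permission = " with permission"
    out = out + permission + " " + self.obj.path
  end if
  if kind == "shell" or kind == "computer" then
    comp = self.obj
    if kind == "shell" then comp = self.obj.host_computer
    out = out + self.check_user(comp) + " user"
    out = out + " " + self.check_permissions(comp)
  end if
  if kind == "number" then
    out = out + self.obj
    if extra_param == null then extra_param = "null"
    out = out + " extra_param: " + extra_param
  end if
  self.info = out
end function

ScanExploit = {}
// ScanExploit.address : "0x62AC77E1"
// ScanExploit.value : "applyund"
// ScanExploit.requirements : ["* req1", "* req2"]
// ScanExploit.result : shell, computer, number, null or file object
// ScanExploit.result_class : result obj wrapped in a class with some useful methods
ScanExploit.attrs = ["requirements_len", "result"]

// scan: the owning Scan (provides meta_lib); options: map with
// "address", "value" and "requirements" keys as produced by Scan.get_exploits.
ScanExploit.init = function(scan, options)
  self.scan = scan
  self.address = options.address
  self.value = options.value
  self.requirements = options.requirements
  self.requirements_len = self.requirements.len
end function

// Runs overflow for this address/value and stores the outcome in self.result
// and, wrapped in a ScanExploitResult, in self.result_class.
// When the plain call returns null and a non-empty extra_param was given,
// overflow is retried with extra_param as its third argument.
ScanExploit.set_result = function(extra_param = null)
  lib = self.scan.meta_lib
  result = lib.overflow(self.address, self.value)
  if result == null and extra_param != null and extra_param != "" then
    result = lib.overflow(self.address, self.value, extra_param)
  end if
  self.result = result
  self.result_class = new ScanExploitResult
  // pass extra_param to init as well so result_class.extra_param is populated
  self.result_class.init(result, extra_param)
  self.result_class.set_info(extra_param)
end function

Scan = {}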
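Scan.attrs = ["ip", "port", "lib_version", "lib_name"]
Scan.lib_path = null
Scan.lib_file = null
Scan.show_null = false
// resolved once when this file is loaded and shared by every Scan instance
Scan.shell = get_shell
Scan.computer = Scan.shell.host_computer
// Scan.lib_file : local lib, set when scanning a local lib (Scan.lib_path must be set before init)
// Scan.net_session : remote lib, set when scanning a remote ip
// Scan.metaxploit : required metaxploit lib obj, must be assigned by the caller before init
// Scan.meta_lib : set by set_lib, which init calls
// Scan.lib_name : set by set_lib, which init calls
// Scan.lib_version : set by set_lib, which init calls
// Scan.addresses : addresses returned by metaxploit.scan, set by execute
// Scan.exploits : list of all exploits found, set after execute method

// ip == null means "scan the local library at Scan.lib_path";
// otherwise a remote session to ip (and port) is opened.
Scan.init = function(ip, port)
  self.ip = ip
  self.port = port
  if self.ip != null then
    // try the given port first; the port-less form is only attempted when
    // that fails, so a second session is not opened on every init
    session = self.metaxploit.net_use(self.ip, self.port)
    if session == null then session = self.metaxploit.net_use(self.ip)
    self.net_session = session
  else
    self.lib_file = self.computer.File(self.lib_path)
  end if
  self.set_lib
end function

// Loads the library from the local file or the remote session and records
// its name and version. Uses the injected self.metaxploit in both branches
// rather than a global named metaxploit.
// A failed net_use (self.net_session == null) still raises here when
// dump_lib is read; callers should check net_session after init.
Scan.set_lib = function()
  if self.lib_file != null then
    self.meta_lib = self.metaxploit.load(self.lib_file.path)
  else
    self.meta_lib = self.net_session.dump_lib
  end if
  self.lib_name = self.meta_lib.lib_name
  self.lib_version = self.meta_lib.version
end function

// Scans the loaded library for addresses, collects their exploit values and
// returns the list of ScanExploit objects built by get_exploits (previously
// that list was computed and dropped).
Scan.execute = function()
  self.addresses = self.metaxploit.scan(self.meta_lib)
  // ["0x62AC77E1", "0x50D166E8", "0x611B6063", "0x1A9FD00C"]
  if self.addresses == null then self.addresses = []
  return self.get_exploits
end function

// Fills self.exploits with [address, [[value, requirements], ...]] entries for
// every address in self.addresses and returns one ScanExploit per value.
Scan.get_exploits = function()
  // the nested function cannot see self, so capture it explicitly
  scope = self
  get_values = function(address)
    exploits_text = scope.metaxploit.scan_address(scope.meta_lib, address)
    return [address, mem_scan_exploits(exploits_text)]
  end function
  if self.addresses == null then self.addresses = []
  self.exploits = lmap(self.addresses, @get_values)
  // [[0x611B6063, [[applyund, [* req1, * req2]], ...]], ...]
  result = []
  for exploit_values in self.exploits
    for value in exploit_values[1]
      exploit = new ScanExploit
      exploit.init(self, {"address": exploit_values[0], "value": value[0], "requirements": value[1]})
      result.push(exploit)
    end for
  end for
  return result
end function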