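// scanner: enumerate the memory entries of a library (a local file or one
// dumped from a network session), list the values and requirements reported
// for each entry, run an overflow against every value and summarise what
// each overflow returned.
//
// Side effects:
//   * Every value found by the scan is passed to overflow(); this is not a
//     read-only listing.
//   * check_user() calls change_password("guest", "1234") on any shell or
//     computer result, so a successful probe resets that guest password.

metaxploit = include_lib(home_dir + "/metaxploit.so")
if not metaxploit then
	metaxploit = include_lib("/lib/metaxploit.so")
end if
if not metaxploit then exit("<color=#ff0000>Error: Unable to find 'metaxploit.so'. Put missing library in the 'lib' folder.</color>")

help = "Usage: scanner [ip_address or lib_path]:(port optinal) -e=extra_param --show-null"
if params.len == 0 or params.len > 3 or params[0] == "-h" or params[0] == "--help" then exit(help)

// Separate "-" options from positional parameters.
// Iterate over a copy: the original loop removed items from `params` while
// walking it, which skipped the element following each removed option (so
// "-e=x --show-null" never saw "--show-null").
options = []
extra_param = null
show_null = false
for param in params[0:]
	if param[0] == "-" then
		params.remove(params.indexOf(param))
		options.push(param)
	end if
end for
// Only options were given: there is no target to scan.
if params.len == 0 then exit(help)

for option in options
	// "-e=<value>": everything after the three characters "-e=" is the value.
	if option.indexOf("-e") != null then
		extra_param = option[option.indexOf("-e")+3:]
	end if
	if option.indexOf("--show-null") != null then
		show_null = true
	end if
end for

net_session = null
libFile = null
ip = null
port = null
// A target with exactly four dot-separated parts is treated as an IP address
// (optionally followed by ":port"); anything else is a local library path.
// NOTE(review): if this runtime treats the split() delimiter as a regular
// expression, "." would need escaping -- confirm.
if params[0].split(".").len != 4 then
	libFile = get_shell.host_computer.File(params[0])
	if not libFile then exit("can't find library: " + params[0])
else
	url = params[0].split(":")
	ip = url[0]
	// Open a single session; the original always connected without a port
	// first and then connected again when a port was supplied.
	if url.len > 1 then
		port = url[1]
		net_session = metaxploit.net_use(url[0], url[1].to_int)
	else
		net_session = metaxploit.net_use(url[0])
	end if
	if not net_session then exit("<color=#ff0000>Error: Unable to connect.</color>")
end if

// Parse the text returned by scan_address() into a list of [value, requirements].
//   value        - the text between "<b>" and "</b>"
//   requirements - the lines following the sentence that contains the value,
//                  up to the first empty line, when the first of them contains "*"
mem_scan_exploits = function(mem_scan)
	ex_list = []
	if mem_scan == null then return ex_list
	while true
		ex_mark = mem_scan.indexOf("<b>")
		if ex_mark == null then break
		// get exploit value
		ex_mark_end = mem_scan.indexOf("</b>")
		// An opening tag without a closing tag: stop instead of slicing with null.
		if ex_mark_end == null then break
		value = slice(mem_scan, ex_mark+3, ex_mark_end)
		// get requirements: skip past "</b>" and the end of that sentence
		mem_scan = mem_scan[ex_mark_end+5:]
		mem_scan = mem_scan[mem_scan.indexOf(".")+1:]
		mem_scan_lines = mem_scan.split("\n")[1:]
		// Guard the [0] access: nothing may follow the last value.
		if mem_scan_lines.len > 0 and mem_scan_lines[0].indexOf("*") != null then
			req = mem_scan_lines[:mem_scan_lines.indexOf("")]
		else
			req = []
		end if
		// Continue scanning after the last requirement line that was consumed.
		if req.len >= 1 then
			mem_scan = mem_scan[mem_scan.indexOf(req[-1])+req[-1].len+1:]
		end if
		exploit = [value, req]
		ex_list.push(exploit)
	end while
	return ex_list
end function

// Run overflow() for one memory entry and value. When the first call returns
// null and an "-e=" value was supplied, retry with that value as third argument.
// Returns [result, extra_param]. Reads the globals metaLib and extra_param.
try_exploit = function(entry, exploit)
	result = metaLib.overflow(entry, exploit)
	if result == null then
		if extra_param != null and extra_param != "" then
			result = metaLib.overflow(entry, exploit, extra_param)
		end if
	end if
	return [result, extra_param]
end function

// Report "root" when change_password() returns true, "guest" otherwise.
// NOTE: this check modifies the target: on success the guest account's
// password has been set to "1234".
check_user = function(computer)
	root = computer.change_password("guest", "1234")
	if root == true then
		return "root"
	else
		return "guest"
	end if
end function

// Build a coloured summary of which of /home, /etc/passwd and /lib exist and
// are readable on `computer`. Returns "" when none of them is readable.
check_permissions = function(computer)
	out = ""
	c_home = computer.File("/home")
	if c_home != null and c_home.has_permission("r") then
		out = out + " <color=green>home</color>"
	end if
	c_passwd = computer.File("/etc/passwd")
	if c_passwd != null and c_passwd.has_permission("r") then
		out = out + " <color=red>passwd</color>"
	end if
	c_libs = computer.File("/lib")
	if c_libs != null and c_libs.has_permission("r") then
		out = out + " <color=green>lib</color>"
	end if
	if out != "" then
		out = " <color=green>permission on</color>" + out
	end if
	return out
end function

// Turn a [result, extra_param] pair from try_exploit() into one display line,
// depending on the type of the result (file, shell, computer, number, ...).
// For shell and computer results this calls check_user(), which has the side
// effect described there.
exploit_result_info = function(result)
	extra_param = result[1]
	result = result[0]
	type = typeof(result)
	out = type
	if type == "file" then
		if result.is_folder then
			out = "folder"
		end if
		if result.has_permission("r") then
			out = out + " <color=green>with permission</color>"
		else
			out = out + " without permission"
		end if
		out = out + " " + result.path
	end if
	if type == "shell" then
		out = "<color=green>shell</color>"
		user = check_user(result.host_computer)
		if user == "root" then
			out = out + " <color=red>root</color>"
		else
			out = out + " not root " + user
		end if
		out = out + check_permissions(result.host_computer)
	end if
	if type == "computer" then
		out = "<color=green>computer</color>"
		user = check_user(result)
		if user == "root" then
			out = out + " <color=red>root</color>"
		else
			out = out + " not root " + user
		end if
		out = out + check_permissions(result)
	end if
	if type == "number" then
		if result == 1 then
			out = "<color=green>number</color>"
		else
			out = "number"
		end if
		out = out + " extra_param: " + extra_param
	end if
	return out
end function

// code /////////////////////////////////////////////
if libFile != null then
	metaLib = metaxploit.load(libFile.path)
else
	metaLib = net_session.dump_lib
end if
// Fail with a message instead of a null dereference on the next line.
if not metaLib then exit("<color=#ff0000>Error: Unable to load library.</color>")

print("<b>"+metaLib.lib_name+" v"+metaLib.version+"</b>")
lib_scan = metaxploit.scan(metaLib)
exploits = []
for entry in lib_scan
	mem_scan = metaxploit.scan_address(metaLib, entry)
	entry_exploits = mem_scan_exploits(mem_scan)
	for exploit in entry_exploits
		print("<color=white>"+entry+" "+exploit[0]+"</color>"+"\n")
		print(exploit[1].join("\n")+"\n")
		result = try_exploit(entry, exploit[0])
		// Compute the description once and keep it for the summary: building
		// it again would repeat the check_user() side effect on the target.
		info = exploit_result_info(result)
		// exploit becomes [value, requirements, [result, extra_param], entry, info]
		exploit.push(result)
		exploit.push(entry)
		exploit.push(info)
		exploits.push(exploit)
		print(info)
		print("\n")
	end for
end for

// Summary: every attempt again, skipping null results unless --show-null was given.
print("-" * 45 + "\n\n")
for exploit in exploits
	if show_null != true and typeof(exploit[2][0]) == "null" then
		continue
	end if
	print("<color=white>"+exploit[3]+" "+exploit[0]+"</color>")
	for req in exploit[1]
		print(" "+req)
	end for
	if exploit[1].len == 0 then
		print(" * no requirements")
	end if
	print(exploit[4])
end for
print("<b>"+metaLib.lib_name+" v"+metaLib.version+"</b>")
print("probe "+params[0])
if extra_param != null then print("-e="+extra_param)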