// Load the metaxploit library: try the user's home directory first, then
// fall back to /lib.
metaxploit = include_lib(home_dir + "/metaxploit.so")
if not metaxploit then metaxploit = include_lib("/lib/metaxploit.so")

// Nothing below can run without the library, so stop with a visible error.
if not metaxploit then
    exit("<color=#ff0000>Error: Unable to find 'metaxploit.so'. Put missing library in the 'lib' folder.</color>")
end if
// One-line usage text, shown for -h/--help or a wrong argument count.
help = "Usage: scanner [ip_address or lib_path]:(port optinal) -e=extra_param --show-null"

// Accept one to three arguments; the first one may also be a help flag.
// The count is checked first so params[0] is only read when it exists.
arg_count_ok = params.len >= 1 and params.len <= 3
if not arg_count_ok then exit(help)
if params[0] == "-h" or params[0] == "--help" then exit(help)
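// Command-line state filled in by the option parsing below.
options = []        // every argument that starts with "-"
extra_param = null  // value given as -e=<value>, if any
show_null = false   // set by --show-null

// Separate flags from positional arguments. The loop walks a copy
// (params[0:]) because removing from the list that is being iterated skips
// the element after each removed one, which left a second flag in params
// and caused it to be ignored.
for param in params[0:]
    if param != "" and param[0] == "-" then
        params.remove(params.indexOf(param))
        options.push(param)
    end if
end for

// A flags-only command line leaves no target; params[0] is read further down.
if params.len == 0 then exit(help)

for option in options
    // Only the documented -e=<value> form sets the extra parameter. The
    // previous substring test also fired on any flag that merely contained "-e".
    if option[:3] == "-e=" then
        extra_param = option[3:]
    end if
    if option.indexOf("--show-null") != null then
        show_null = true
    end if
end for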
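// Target state: once this section finishes, either libFile (a library file
// on the local machine) or net_session (a remote service) is set.
net_session = null
libFile = null
ip = null
port = null

// Heuristic: four dot-separated fields means "ip[:port]"; anything else is
// treated as a path to a library file.
// NOTE(review): a file path that happens to contain exactly three dots is
// also taken for an address by this test.
if params[0].split(".").len != 4 then
    libFile = get_shell.host_computer.File(params[0])
    if not libFile then exit("can't find library: " + params[0])
else
    url = params[0].split(":")
    ip = url[0]
    if url.len > 1 then
        port = url[1]
        port_number = port.to_int
        // NOTE(review): to_int is expected to hand back a non-number when the
        // text is not numeric; reject that here instead of passing it on.
        if typeof(port_number) != "number" then exit("<color=#ff0000>Error: Invalid port.</color>")
        // Connect once, on the requested port. The earlier version first opened
        // a session without a port and then discarded it.
        net_session = metaxploit.net_use(ip, port_number)
    else
        net_session = metaxploit.net_use(ip)
    end if
    if not net_session then exit("<color=#ff0000>Error: Unable to connect.</color>")
end if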
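// Parse the text produced by metaxploit.scan_address into a list of findings.
// Each finding is [value, requirements]:
//   value        - the text between "<b>" and "</b>"
//   requirements - the lines of the following paragraph, up to the first
//                  empty line, when its first line contains "*"; otherwise []
// Findings are returned in the order their markers appear. Truncated or
// malformed text ends parsing with what was collected so far instead of
// raising a runtime error.
mem_scan_exploits = function(mem_scan)
    ex_list = []

    while true
        ex_mark = mem_scan.indexOf("<b>")
        if ex_mark == null then break

        // Search for the closing tag after the opening one; an unterminated
        // marker stops the parse rather than slicing with a null index.
        ex_mark_end = mem_scan.indexOf("</b>", ex_mark)
        if ex_mark_end == null then break
        value = slice(mem_scan, ex_mark+3, ex_mark_end)

        // Drop "</b>" plus the character after it, then the rest of that
        // sentence up to and including its next ".".
        mem_scan = mem_scan[ex_mark_end+5:]
        dot = mem_scan.indexOf(".")
        if dot != null then mem_scan = mem_scan[dot+1:]

        // The first split element is the remainder of the marker's own line.
        mem_scan_lines = mem_scan.split("\n")[1:]
        // Text that ends right after the marker sentence leaves no lines at
        // all, so check the length before looking at the first one.
        if mem_scan_lines.len > 0 and mem_scan_lines[0].indexOf("*") != null then
            blank_at = mem_scan_lines.indexOf("")
            if blank_at == null then blank_at = mem_scan_lines.len
            req = mem_scan_lines[:blank_at]
        else
            req = []
        end if

        // Continue scanning after the last requirement line and its newline.
        if req.len >= 1 then
            mem_scan = mem_scan[mem_scan.indexOf(req[-1])+req[-1].len+1:]
        end if

        ex_list.push([value, req])
    end while

    return ex_list
end function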
// Call metaLib.overflow(entry, exploit). When that returns null and a
// non-empty -e value was supplied, call it once more with the value as a
// third argument.
// Reads the script-level metaLib and extra_param.
// Returns [result, extra_param]; extra_param is included even if it was not used.
try_exploit = function(entry, exploit)
    outcome = metaLib.overflow(entry, exploit)
    has_extra = extra_param != null and extra_param != ""
    if outcome == null and has_extra then
        outcome = metaLib.overflow(entry, exploit, extra_param)
    end if
    return [outcome, extra_param]
end function
// Classify the account behind `computer` as "root" or "guest" by attempting
// a password change for the guest user and checking whether the call
// returned true.
// NOTE(review): this probe is not read-only. Whenever the call succeeds the
// guest account is left with the password "1234". Anyone running this
// against a system they are responsible for should expect that change and
// restore the credential afterwards, or replace the probe with a check
// that does not modify the host.
check_user = function(computer)
    changed = computer.change_password("guest", "1234")
    if changed != true then return "guest"
    return "root"
end function
// Report which of /home, /etc/passwd and /lib exist on `computer` and are
// readable through it. Returns "" when none are; otherwise a coloured
// " permission on" prefix followed by one label per readable path, in that
// fixed order.
check_permissions = function(computer)
    // Each probe is [path, label appended when the path is readable].
    probes = []
    probes.push(["/home", " <color=green>home</color>"])
    probes.push(["/etc/passwd", " <color=red>passwd</color>"])
    probes.push(["/lib", " <color=green>lib</color>"])

    readable = ""
    for probe in probes
        target = computer.File(probe[0])
        // A missing path yields null, so test for that before asking for permissions.
        if target != null and target.has_permission("r") then
            readable = readable + probe[1]
        end if
    end for

    if readable == "" then return readable
    return " <color=green>permission on</color>" + readable
end function
// Turn one [result, extra_param] pair, as returned by try_exploit, into a
// one-line description for printing.
//   file     -> "file"/"folder", whether it is readable, and its path
//   shell    -> account class from check_user plus check_permissions output
//   computer -> same as shell, using the object itself as the host
//   number   -> highlighted when the value is 1, followed by the extra parameter
//   other    -> the bare type name
exploit_result_info = function(result)
    used_param = result[1]
    obj = result[0]
    kind = typeof(obj)

    if kind == "file" then
        label = "file"
        if obj.is_folder then label = "folder"
        if obj.has_permission("r") then
            label = label + " <color=green>with permission</color>"
        else
            label = label + " without permission"
        end if
        return label + " " + obj.path
    end if

    if kind == "shell" or kind == "computer" then
        // A shell reaches its host through host_computer; a computer is the host.
        if kind == "shell" then
            host = obj.host_computer
            label = "<color=green>shell</color>"
        else
            host = obj
            label = "<color=green>computer</color>"
        end if
        user = check_user(host)
        if user == "root" then
            label = label + " <color=red>root</color>"
        else
            label = label + " not root " + user
        end if
        return label + check_permissions(host)
    end if

    if kind == "number" then
        label = "number"
        if obj == 1 then label = "<color=green>number</color>"
        return label + " extra_param: " + used_param
    end if

    return kind
end function
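// Obtain the library object to inspect: load it from the local file when a
// path was given, otherwise take it from the open network session.
if libFile != null then
    metaLib = metaxploit.load(libFile.path)
else
    metaLib = net_session.dump_lib
end if
// Stop with a clear message if no library object came back, instead of
// failing on the property access below (for example when the given file is
// not a library).
if not metaLib then exit("<color=#ff0000>Error: Unable to load library.</color>")
print("<b>"+metaLib.lib_name+" v"+metaLib.version+"</b>")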
// Scan the library, list the findings reported for every entry, attempt
// each one and print what came back.
lib_scan = metaxploit.scan(metaLib)

// Rows of [value, requirements, [result, extra_param], entry], kept for the summary.
exploits = []

for entry in lib_scan
    mem_scan = metaxploit.scan_address(metaLib, entry)
    for exploit in mem_scan_exploits(mem_scan)
        value = exploit[0]
        requirements = exploit[1]
        print("<color=white>"+entry+" "+value+"</color>"+"\n")
        print(requirements.join("\n")+"\n")
        // Extend the [value, requirements] pair in place with outcome and entry.
        exploit.push(try_exploit(entry, value))
        exploit.push(entry)
        exploits.push(exploit)
        print(exploit_result_info(exploit[2]))
        print("\n")
    end for
end for
// Summary: repeat every finding with its requirements and outcome, leaving
// out null results unless --show-null was given.
print("-" * 45 + "\n\n")
for exploit in exploits
    outcome = exploit[2]
    hide = show_null != true and typeof(outcome[0]) == "null"
    if not hide then
        print("<color=white>"+exploit[3]+" "+exploit[0]+"</color>")
        if exploit[1].len == 0 then
            print(" * no requirements")
        else
            for req in exploit[1]
                print(" "+req)
            end for
        end if

        print(exploit_result_info(outcome))
    end if
end for

// Footer: which library was inspected and how the script was invoked.
print("<b>"+metaLib.lib_name+" v"+metaLib.version+"</b>")
print("probe "+params[0])
if extra_param != null then
    print("-e="+extra_param)
end if