autoexploit.gs

// @author: Tom de Qu'est-ce que tu GEEKes ?
// This script takes a vulnerability json file as input.
// Gives obtained objects / accesses gained trying to exploit it.

//#import vuln.gs
//#import jsonparser.gs
//#import tools.gs

globals.vulnerabilitiesDirectoryName = "/home/" + active_user + "/vulnerabilities/"

if params.len < 1 or params[0] == "-h" or params[0] == "--help" then exit("<b>Usage: "+program_path.split("/")[-1]+"public_IP_address</b>")

ipVulnDirectory = "/home/" + active_user + "/vulnerabilities/" + params[0] + "/"

myshell = get_shell
computer = myshell.host_computer
vulnDirectory = computer.File(ipVulnDirectory)
if not vulnDirectory then exit("Error:IP Vulnerabilities not listed")
vulnFiles = vulnDirectory.get_files

getLib = function (file)
	if file.name.indexOf("kernel") > 0 then
		net_session = metaxploit.net_use(vuln.ExternalIpAddress)
	else
		net_session = metaxploit.net_use(vuln.ExternalIpAddress, vuln.portNumber)
	end if

	if not net_session then exit("Error: can't connect to net session")

	lib = net_session.dump_lib

	return lib
end function

checkChoice = function(choice, max)
	choice = choice.to_int
	if typeof(choice) != "number" then exit("Should be a number. " + typeof(choice) + " provided.") end if
	if choice >= max then exit ("Should be < " + max)
	if choice < 0 then exit ("Should be > " + 0)
	return choice
end function

libsToAttack = []
count = 0
for file in vulnFiles
	if file.name.indexOf("json") == null then
		libsToAttack.push(file.name.split(".so")[0])
		print(count + ". " + libsToAttack[count])
		count = count + 1
	end if
end for

choice = user_input("Which one do you want to try? >", false)
choice = checkChoice(choice, count)

libToAttack = libsToAttack[choice]

print("Attacking " + libToAttack + char(10))

vulnsAvailable = []

vulnCount = 0
for file in vulnFiles
	if file.name.indexOf(libToAttack) != 0 then
		continue
	end if

	if file.name.indexOf("json") > 0 then
		vuln = parse(file.content)
		vulnsAvailable.push(vuln)
		lib = getLib(file)
		print(vulnCount + ". " + vulnsAvailable[vulnCount].vulnUnsecValue)
		vulnCount = vulnCount + 1
	end if
end for

choice = user_input("Which one do you want to try? >", false)
choice = checkChoice(choice, vulnCount)
targetVuln = vulnsAvailable[choice]

print(char(10) + "Attacking " + targetVuln.libName +":" + targetVuln.libVersion + " at memory address: <b>" + targetVuln.vulnMemoryAddress + "</b> with value <b>" + targetVuln.vulnUnsecValue + "</b>")
res = lib.overflow(targetVuln.vulnMemoryAddress, targetVuln.vulnUnsecValue)
print("Object obtained: " + typeof(res))

if (typeof(res) == "null") then
	choice = user_input("Do you want to try with a payload ? Type the payload you want, 'no' otherwise. >", false)
	if (choice == "no") then
		exit("Try again with a different attack !")
	else
		res = lib.overflow(targetVuln.vulnMemoryAddress, targetVuln.vulnUnsecValue, choice)
		print("Object obtained: " + typeof(res))
	end if
end if

if (typeof(res) == "null") then
	exit ("Attack failed !")
end if

// auto attacks !

typeObject = typeof(res)
if(typeObject == "computer") then
	homeFolder = res.File("/home")
	if not homeFolder then exit("Error: /home folder not found")
	userFolders = homeFolder.get_folders
	found = false
	for userFolder in userFolders
		bankFile = res.File("/home/" + userFolder.name + "/Config/Bank.txt")
		if not bankFile then continue
		if not bankFile.has_permission("r") then exit("Error: can't read file contents. Permission denied")
		userPass = bankFile.content.split(":")
		print("Deciphering bank password for user: " + userFolder.name)
		password = decipherUserPassword(userPass)
		if not password then
			print("Nothing found...")
		else
			print("Bank account: " + userPass[0] +"\nBank Password: " + password)
			found = true
		end if

		mailFile = res.File("/home/" + userFolder.name + "/Config/Mail.txt")
		if not mailFile then continue
		if not mailFile.has_permission("r") then exit("Error: can't read file contents. Permission deniend")
		userPass = mailFile.content.split(":")
		print("Deciphering mail password for user: " + userFolder.name)
		password = decipherUserPassword(userPass)
		if not password then
			print("Nothing found...")
		else
			print("Mail account: " + userPass[0] +"\nMail Password: " + password)
			found = true
		end if

	end for
if not found then print("No files found")
end if

if(typeObject == "shell") then
	res.start_terminal
end if

if(typeObject == "number") then
	print("Number result obtained: " + res)
end if

if(typeObject == "file") then
	if (res.is_folder) then
		print("File owner: " + res.owner)
		print(res.permissions + " " + res.name)
		files = res.get_files
		for file in files
			print(" " + file.permissions + " " + file.name)
		end for
	else
		print("File owner: " + res.owner)
		print(res.permissions + " " + res.name)
	end if
end if