Contents
- Script source
- Usage
- Results and example
Version: Grey Hack v0.7.3618 - Alpha
Script source
// Load metaxploit from /lib, falling back to the current folder.
metaxploit = include_lib("/lib/metaxploit.so")
if not metaxploit then
    metaxploit = include_lib(current_path + "/metaxploit.so")
end if
if not metaxploit then exit("Error: Can't find metaxploit library in the /lib path or the current folder")

// Best fallback candidate found so far: memory address, unsafe value,
// and the library object the pair belongs to.
resultMem = ""
resultKey = ""
resultLib = null

// Pass 1: /lib/net.so (optional, skipped if it cannot be loaded).
metaLib = metaxploit.load("/lib/net.so")
if metaLib then
    print("Found " + metaLib.lib_name + " " + metaLib.version)
    exploits = metaxploit.scan(metaLib)
    for exploit in exploits
        print(exploit)
        // Each "Unsafe check: " entry ends its first sentence with the
        // unsafe value wrapped in <b>...</b>; [3:-4] strips the tags.
        result_lists = metaxploit.scan_address(metaLib, exploit).split("Unsafe check: ")[1:]
        for result_list in result_lists
            target_str = result_list.split(".")[0]
            target_key = target_str.split(" ")[-1]
            result = metaLib.overflow(exploit, target_key[3:-4])
            if typeof(result) == "shell" then
                root_file = result.host_computer.File("/root")
                if root_file.has_permission("w") then
                    // Write access to /root: use this shell immediately.
                    result.start_terminal
                else if root_file.has_permission("r") then
                    // Read access only: remember it as the preferred fallback.
                    resultMem = exploit
                    resultKey = target_key[3:-4]
                    resultLib = metaLib
                else
                    // Any other shell: keep the first one found.
                    if resultMem == "" then
                        resultMem = exploit
                        resultLib = metaLib
                    end if
                    if resultKey == "" then resultKey = target_key[3:-4]
                end if
            end if
        end for
    end for
end if

// Pass 2: /lib/init.so (required).
metaLib = []
metaLib = metaxploit.load("/lib/init.so")
if not metaLib then exit("Can't find " + "/lib/init.so")
print("Found " + metaLib.lib_name + " " + metaLib.version)
if metaLib then
    exploits = metaxploit.scan(metaLib)
    for exploit in exploits
        print(exploit)
        result_lists = metaxploit.scan_address(metaLib, exploit).split("Unsafe check: ")[1:]
        for result_list in result_lists
            target_str = result_list.split(".")[0]
            target_key = target_str.split(" ")[-1]
            result = metaLib.overflow(exploit, target_key[3:-4])
            if typeof(result) == "shell" then
                root_file = result.host_computer.File("/root")
                if root_file.has_permission("w") then
                    result.start_terminal
                else if root_file.has_permission("r") then
                    // Was the undefined name kernel_router_exploit.
                    resultMem = exploit
                    resultKey = target_key[3:-4]
                    resultLib = metaLib
                else
                    if resultMem == "" then
                        resultMem = exploit
                        resultLib = metaLib
                    end if
                    if resultKey == "" then resultKey = target_key[3:-4]
                end if
            end if
        end for
    end for
end if

// No shell with write access to /root was found: fall back to the recorded
// candidate, run against the library it was found in.
if resultLib and resultMem != "" then
    result = resultLib.overflow(resultMem, resultKey)
    if typeof(result) == "shell" then
        result.start_terminal
    end if
end if
exit("Fail...")
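Usage
Run the script locally. It can escalate from guest privileges to at least a normal user.
Results and example
For example, suppose you have already obtained a shell with guest privileges.
Upload this script and the libraries it needs, then run it.
You now have a normal user identity.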