目录
- 脚本源码
- 用法
- 效果及示例
版本:Grey Hack v0.7.3618 - Alpha
脚本源码
if params.len != 2 or params[0] == "-h" or params[0] == "--help" then exit("<b>Usage: "+program_path.split("/")[-1]+" [ip_address] [LAN_address]</b>")
metaxploit = include_lib("/lib/metaxploit.so")
if not metaxploit thenmetaxploit = include_lib(current_path + "/metaxploit.so")
end if
if not metaxploit then exit("Error: Can't find metaxploit library in the /lib path or the current folder")cryptools = include_lib("/lib/crypto.so")
if not cryptools thencryptools = include_lib(current_path + "/crypto.so")
end if
if not cryptools then exit("Error: Can't find crypto.so library in the /lib path or the current folder")Flag_Bank_Mail = 0
Flag_User_Key = 0
Flag_User_Ask_Key = 0
Bank_Key = 0
Mail_Key = 0
User_Key = 0GetPassword = function(userPass)if userPass.len != 2 then returnpassword = cryptools.decipher(userPass[1])return password
end functionAccessPasswdFile = function(result)print("Accesing to password file...")files = result.get_filesfor file in filesif file.name == "passwd" thenif not file.has_permission("r") then Flag_User_Key = 0return end if listUsers = file.get_content.split("\n")for line in listUsersuserPass = line.split(":")password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("=> Deciphering user <b>" + userPass[0] + "</b> : <b>" + password + "</b>")end ifend forglobals.Flag_User_Key = 1if globals.Flag_Bank_Mail == 1 and globals.Flag_User_Key == 1 then exit("Done...")end ifend forprint("Error: /etc/passwd file not found. Program aborted");
end functionbankFound = false
mailFound = falseAccessHomeFile = function(homeFolder)print("Accesing to Mail.txt files...\nSearching users...")folders = homeFolder.get_foldersfor user in foldersprint("User: " + user.name +" found...")subFolders = user.get_foldersfor subFolder in subFoldersif subFolder.name == "Config" thenfiles = subFolder.get_filesfor file in filesif file.name == "Bank.txt" thenglobals.Flag_Bank_Mail = 1if not file.has_permission("r") then print("failed. Can't access to file contents. Permission denied")if typeof(globals.Bank_Key) != "string" then globals.Bank_Key = user_input("Read Bank Password? [Y/N]\n")if globals.Bank_Key == "Y" or globals.Bank_Key == "y" or globals.Bank_Key == "Yes" or globals.Bank_Key == "yes" thenlistUsers = file.get_content.split("\n")for line in listUsersuserPass = line.split(":")password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("=> Deciphering user <b>" + userPass[0] + "</b> : <b>" + password + "</b>")end ifend forend ifglobals.bankFound = trueelse if file.name == "Mail.txt" thenglobals.Flag_Bank_Mail = 1if not file.has_permission("r") then print("failed. Can't access to file contents. Permission denied")if typeof(globals.Mail_Key) != "string" then globals.Mail_Key = user_input("Read Mail Password? [Y/N]\n")if globals.Mail_Key == "Y" or globals.Mail_Key == "y" or globals.Mail_Key == "Yes" or globals.Mail_Key == "yes" thenlistUsers = file.get_content.split("\n")for line in listUsersuserPass = line.split(":")password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("=> Deciphering user <b>" + userPass[0] + "</b> : <b>" + password + "</b>")end ifend forend ifglobals.mailFound = trueend ifend forend ifend forend forif not globals.mailFound then print("Mail file not found.")if not globals.bankFound then print("Bank file not found.")if folders.len == 0 then print("No users found. Program aborted")
end functionaddress = params[0]
net_session = metaxploit.net_use( address )
if not net_session then exit("Error: can't connect to net session")
libKernel = net_session.dump_libprint("Founded " + libKernel.lib_name + " "+ libKernel.version)if not libKernel then exit("Error: TargetLib not found.")lanIp = params[1]exploits = metaxploit.scan(libKernel)
for exploit in exploitsprint(exploit)result_lists = metaxploit.scan_address(libKernel, exploit).split("Unsafe check: ")[1:]for result_list in result_liststarget_str = result_list.split(".")[0]target_key = target_str.split(" ")[-1]result = libKernel.overflow(exploit, target_key[3:-4], lanIp)if(typeof(result) == "computer") thenif Flag_Bank_Mail == 0 thenhomeFolder = result.File("/home")if not homeFolder then print("Error: /home folder not found")elseuserFolders = homeFolder.get_foldersfounded_bank = falsefounded_mail = falseBank_Key = user_input("Read Banks Password? [Y/N]\n")if Bank_Key == "Y" or Bank_Key == "y" or Bank_Key == "Yes" or Bank_Key == "yes" thenfor userFolder in userFoldersbankFile = result.File("/home/" + userFolder.name + "/Config/Bank.txt")if not bankFile then continueif not bankFile.has_permission("r") then print("Error: can't read file contents. Permission deniend")breakend ifuserPass = bankFile.get_content.split(":")print("Deciphering bank password for user: " + userFolder.name)password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("Bank account: <b>" + userPass[0] +"</b>\nBank Password: <b>" + password + "</b>")founded_bank = trueend ifend forelsefounded_bank = trueend ifMail_Key = user_input("Read Mails Password? [Y/N]\n")if Mail_Key == "Y" or Mail_Key == "y" or Mail_Key == "Yes" or Mail_Key == "yes" thenfor userFolder in userFoldersmailFile = result.File("/home/" + userFolder.name + "/Config/Mail.txt")if not mailFile then continueif not mailFile.has_permission("r") then print("Error: can't read file contents. Permission deniend")breakend ifuserPass = mailFile.get_content.split(":")print("Deciphering mail password for user: " + userFolder.name)password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("Mail account: <b>" + userPass[0] +"</b>\nMail Password: <b>" + password + "</b>")founded_mail = trueend ifend forelsefounded_mail = trueend ifif founded_bank and founded_mail then Flag_Bank_Mail = 1end ifend ifif Flag_User_Key == 0 then if Flag_User_Ask_Key == 0 thenUser_Key = user_input("Read User Password? [Y/N]\n")Flag_User_Ask_Key = 1 end if if User_Key == "Y" or User_Key == "y" or User_Key == "Yes" or User_Key == "yes" thenfile = result.File("/etc/passwd")if not file then exit("Error: file /etc/passwd not found")if not file.has_permission("r") then continue if file.is_binary then exit("Error: invalid /etc/passwd file found.")Flag_User_Key = 1listUsers = file.get_content.split("\n")for line in listUsersuserPass = line.split(":")password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("=> Deciphering user <b>" + userPass[0] + "</b> : <b>" + password + "</b>")end ifend forelseFlag_User_Key = 1end ifend ifif Flag_Bank_Mail == 1 and Flag_User_Key == 1 then exit("Done...")end ifend ifend for
end for for exploit in exploitsprint(exploit)result_lists = metaxploit.scan_address(libKernel, exploit).split("Unsafe check: ")[1:]if Flag_User_Key == 0 then for result_list in result_liststarget_str = result_list.split(".")[0]target_key = target_str.split(" ")[-1]result = libKernel.overflow(exploit, target_key[3:-4], lanIp)if (typeof(result) == "file") thenprint("Obtained access to " + result.path)if Flag_Bank_Mail != 1 then if typeof(Bank_Key) != "string" and typeof(Mail_Key) != "string" then if result.path == "/home" thenAccessHomeFile(result)elseprint("Searching home folder...")while not result.path == "/"result = result.parentend whilefolders = result.get_foldersfor folder in foldersif folder.path == "/home" thenAccessHomeFile(folder)end ifend forend ifend ifend if if typeof(User_Key) != "string" then User_Key = user_input("Read User Password? [Y/N]\n")if User_Key == "Y" or User_Key == "y" or User_Key == "Yes" or User_Key == "yes" thenif Flag_User_Key != 1 then if result.path == "/etc" thenAccessPasswdFile(result)else print("Attempting to reach /etc folder...")while result.path != "/"result = result.parentend whilefolders = result.get_foldersfor folder in foldersif folder.path == "/etc" thenAccessPasswdFile(folder)end ifend forend if end if end ifend ifend for end if
end forexit("Fail...")
用法
【脚本名】 【公网IP】 【局域网IP】
效果及示例
先检测目标端口库版本
再尝试遍历攻破漏洞以获取password
视情况不同,可能得到游客、用户或root权限
一般情况下,游客身份可获取用户的Bank Password及Mail Password及登录名
用户及root身份可获得root的Password及各用户的Password及登录名
如图,本案例中目标IP尚未开放常见端口
