
@FennyFatal
Last active May 5, 2024 05:31
Grey hack router exploit.
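// Load metaxploit: prefer the system copy in /lib, fall back to a copy in the working folder.
// NOTE(review): the working-folder fallback loads whatever file of that name sits in
// current_path, so the script should only be run from a folder you control.
metaxploit = include_lib("/lib/metaxploit.so")
if not metaxploit then metaxploit = include_lib(current_path + "/metaxploit.so")
// Stop here with a clear message instead of failing later on the first metaxploit call
// (same handling GetPassword applies to crypto.so).
if not metaxploit then exit("Error: Can't find metaxploit.so library in the /lib path or the current folder")

// Rich-text colour tags used when printing scan results.
c_red = "<color=#ff0000>"
c_green = "<color=#00ff00>"
c_blue = "<color=#0000ff>"
c_grey = "<color=#999999>"
c_reset = "</color>"

// Optional helper binary "vbt" (not part of this file): look next to the script first,
// then in /bin. The original fallback probed current_path + "/bin/vbt" while announcing
// "/bin/vbt"; the lookup now matches the message.
vbt = get_shell.host_computer.File(current_path + "/vbt")
if not vbt then
    print("Trying for vbt at /bin/vbt")
    vbt = get_shell.host_computer.File("/bin/vbt")
end if
if vbt then print("Found vbt at " + vbt.path)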
// Print every entry returned by remote.get_ports, one per line.
// remote: object exposing get_ports (a computer object when called from routerExploit).
getPorts = function (remote)
    portList = remote.get_ports
    for entry in portList
        print(entry)
    end for
end function
// Run crypto.so's decipher on the second field of a two-field [account, hash] list.
// userPass: list produced by splitting an "account:hash" record on ":".
// Returns whatever decipher returns (callers treat a falsy value as "nothing found").
// Exits the whole script if crypto.so cannot be loaded or userPass is not exactly two fields.
GetPassword = function(userPass)
    cryptoLib = include_lib("/lib/crypto.so")
    // Fall back to a copy in the working folder when /lib has none.
    if not cryptoLib then cryptoLib = include_lib(current_path + "/crypto.so")
    if not cryptoLib then exit("Error: Can't find crypto.so library in the /lib path or the current folder")
    if userPass.len != 2 then exit("decipher: wrong syntax")
    return cryptoLib.decipher(userPass[1])
end function
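// Print the path of every file directly inside folderPath and, for non-binary files,
// the file content as well. Sub-folders are not descended into (only get_files is used).
// remote: computer object; folderPath: absolute path of the folder to list.
// NOTE(review): file contents go straight to the terminal; treat the output as sensitive
// if it is logged or shared.
listFiles = function (remote, folderPath)
    folder = remote.File(folderPath)
    // A missing folder used to fail on the get_files access below; report it and move on.
    if not folder then
        print("Error: " + folderPath + " not found")
        return
    end if
    for entry in folder.get_files
        print(entry.path)
        if not entry.is_binary then print(entry.get_content)
    end for
end function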
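// Read /etc/passwd on the given computer and try to recover the password of every
// "account:hash" line, first through the optional vbt helper, then through GetPassword.
// remote: computer object.
// Returns true when at least one line was handled successfully, false when none was,
// and null when /etc/passwd does not exist. Exits the script when the file is unreadable.
decypherEtcPasswd = function (remote)
    configFile = "/etc/passwd"
    // Initialised up front: the original only assigned it on success, so the final
    // return referenced an undefined name when nothing was recovered.
    found = false
    passwdFile = remote.File(configFile)
    if not passwdFile then return
    if not passwdFile.has_permission("r") then exit("Error: can't read file contents. Permission deniend")
    for user in passwdFile.get_content.split("\n")
        userPass = user.split(":")
        // Skip blank or malformed lines. The original tested the length of the raw line
        // (user.len), which let a line without ":" through to the userPass[1] access below.
        if userPass.len < 2 then continue
        print("Deciphering " + configFile)
        print(configFile + " account: " + userPass[0])
        pass = null
        // NOTE(review): the hash field comes from the remote file and is concatenated
        // unquoted into the argument string; confirm how launch splits its parameters.
        if vbt then pass = get_shell.launch(vbt.path, "-c -t " + userPass[1])
        if pass then
            found = true
        else
            password = GetPassword(userPass)
            if not password then
                print("Nothing found...")
            else
                print("Password: " + password)
                found = true
            end if
        end if
    end for
    return found
end function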
// Try to recover the password stored in /home/<user>/Config/<configFile>.txt.
// remote: computer object; userFolder: folder object of the user's home;
// configFile: base name of the config file ("Bank" or "Mail" in this script).
// Returns true on success, false when nothing was recovered, null when the file is absent.
// Exits the script when the file exists but is not readable.
decypherThing = function (remote, userFolder, configFile)
    target = remote.File("/home/" + userFolder.name + "/Config/" + configFile +".txt")
    if not target then return
    if not target.has_permission("r") then exit("Error: can't read file contents. Permission deniend")

    // File content is expected to be a single "account:hash" record.
    userPass = target.get_content.split(":")
    print("Deciphering " + configFile + " password for user: " + userFolder.name)
    print(configFile + " account: " + userPass[0])

    // Prefer the external vbt helper when it was located at start-up.
    launched = null
    if vbt then launched = get_shell.launch(vbt.path, "-c -t " + userPass[1])
    if launched then return true

    // Otherwise fall back to crypto.so through GetPassword.
    recovered = GetPassword(userPass)
    if not recovered then
        print("Nothing found...")
        return false
    end if
    print("Password: " + recovered)
    return true
end function
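// Open a net session to ip, check that the dumped library is kernel_router.so, call its
// overflow with the given address / variable name / LAN address, and then walk the
// resulting computer object: per-user Bank and Mail config files, home-folder listings,
// /lib listing, ports and /etc/passwd.
// ip: target address; address, funcstring: values passed to overflow as-is;
// lanIp: LAN address, prompted for interactively when empty.
// Exits the script on any failed step; prints "No files found" when nothing was recovered.
routerExploit = function (ip, address, funcstring, lanIp)
    net_session = metaxploit.net_use( ip )
    if not net_session then exit("Error: can't connect to net session")
    libKernel = net_session.dump_lib
    libName = "kernel_router.so"
    print("Searching " + libName +" ...")
    if libKernel.lib_name != libName then exit("Error: " + libName + " not found.")
    if lanIp == "" then lanIp = user_input("Enter a LAN address: ")
    result = libKernel.overflow(address, funcstring, lanIp)
    typeObject = typeof(result)
    if typeObject != "computer" then exit("Error: expected computer, obtained " + typeObject)
    homeFolder = result.File("/home")
    if not homeFolder then exit("Error: /home folder not found")
    // Accumulate success across every step. The original reassigned found on each call,
    // so only the /etc/passwd result decided whether "No files found" was printed.
    found = false
    for userFolder in homeFolder.get_folders
        if decypherThing(result, userFolder, "Bank") then found = true
        if decypherThing(result, userFolder, "Mail") then found = true
        listFiles(result, userFolder.path)
    end for
    listFiles(result, "/lib")
    getPorts(result)
    if decypherEtcPasswd(result) then found = true
    if not found then print("No files found")
end function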
// Scan metaLib with metaxploit, print the raw report for every address, and finish with
// a numbered list of "ip port address variable" lines built from the names found between
// <b> and </b> in each "Unsafe" section of the report.
// ip, port: only echoed into the output; metaLib: library object obtained from dump_lib.
scanMode = function(ip, port, metaLib)
    // Pass 1: print each address and its report, collecting [address, name, name, ...].
    vulns = []
    counter = 0
    for memAddress in metaxploit.scan(metaLib)
        print(memAddress)
        counter = counter + 1
        print(c_green + counter + ".")
        print(ip + " " + port + " " + memAddress + c_reset)
        report = metaxploit.scan_address(metaLib, memAddress)
        print(report)
        entry = [memAddress]
        for chunk in report.split("Unsafe")
            entry.push(chunk[chunk.indexOf("<b>")+3:chunk.indexOf("</b>")])
        end for
        // Index 1 holds the slice taken from the text before the first "Unsafe"; drop it.
        entry.remove(1)
        vulns.push(entry)
    end for

    // Pass 2: flatten into [number, ip, port, address, name, note] rows.
    commands = []
    counter = 0
    for vuln in vulns
        memAddress = vuln.pull()
        for varName in vuln
            counter = counter + 1
            commands.push([counter, ip, port, memAddress, varName, ""])
        end for
    end for

    // Pass 3: print the rows; a row with a non-empty note is shown in grey.
    // The note is always "" as built above, so the grey branch is currently never taken.
    for command in commands
        line = "<b>" + command[0] + ".</b> " + command[1] + " " + command[2] + " " + command[3] + " " + command[4] + " " + command[5]
        if command[5] == "" then
            print(line)
        else
            print(c_grey + line + " " + c_reset)
        end if
    end for
end function
// Build the list [0, 1, ..., max-1]; an empty list when max is 0 or negative.
// Despite the name, max itself is not included.
inclusiveIndexes = function (max)
    indexes = []
    // The next value to append always equals the current length of the list.
    while indexes.len < max
        indexes.push(indexes.len)
    end while
    return indexes
end function
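// Entry point. Positional parameters map, in order, onto ip, address, var and lanIp.
// With only an ip the script lists the scan results; with an address (and variable name)
// it runs routerExploit.
propNames = ["ip", "address", "var", "lanIp"]
props = {}
// Every key read below gets a default, so a short parameter list no longer fails on a
// missing map key (ip and var had no default in the original).
props.ip = ""
props.port = 0
props.address = ""
props.var = ""
props.lanIp = ""
for i in inclusiveIndexes(params.len)
    if propNames.len > i then props[propNames[i]] = params[i]
end for
if props.ip == "" then exit("Usage: " + program_path.split("/")[-1] + " [ip] [address] [var] [lanIp]")
if props.address != "" and props.var == "" then exit("Error: an address was given without a variable name")

// Check the session before dumping the library instead of dereferencing a failed net_use.
session = metaxploit.net_use( props.ip )
if not session then exit("Error: can't connect to net session")
props.metalib = session.dump_lib

if props.address == "" then
    scanMode(props.ip, props.port, props.metalib)
else
    routerExploit(props.ip, props.address, props.var, props.lanIp)
end if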