Cortana Find Attacks / Hail Mary samples (taken out of context; not tested in production; used for testing in a stripped-down Armitage)
#
# These functions back the Attacks -> Find Attacks and Attacks -> Hail Mary features.
# Both operate on every host in the current workspace, so make sure the workspace only
# contains hosts that are in scope before running them.
#
# Build a map of exploit module name => the module's *default* RPORT.
#
# Only exploits that expose an RPORT option are recorded; exploits without
# one (e.g. client-side or fileformat modules) are simply absent from the map.
# NOTE(review): callers match hosts with `$host hasservice $port` on this
# default value only, so a vulnerable service listening on a non-default port
# is never matched. Confirm that limitation is acceptable.
sub exploitPorts {
	local('%portOf $module %opts');

	foreach $module (modules("exploits")) {
		%opts = options("exploit", $module);

		# skip modules that have no remote port to match against
		if ('RPORT' !in %opts) {
			continue;
		}

		%portOf[$module] = %opts['RPORT']['default'];
	}

	return %portOf;
}
# Translate an exploit rank keyword into a numeric weight (higher is better).
#
# $1 - rank keyword as printed by Metasploit ("excellent" .. "poor")
#
# Returns the weight, or $null for any rank not in the table (including
# "manual"). NOTE(review): Metasploit also emits ranks such as "average" and
# "low"; they are not listed here and therefore map to $null, which the callers'
# `>= $minrank` filter presumably treats as below any configured floor. Confirm
# that this is the intended behaviour rather than an oversight.
sub score {
	local('%weight');

	%weight = %(
		excellent => 5,
		great     => 4,
		good      => 3,
		normal    => 2,
		poor      => 1
	);

	return %weight[$1];
}
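# Ask the Metasploit console for "show exploits", parse the table it prints,
# and publish the result as an "exploit_information" event.
#
# Each event element is a hash with:
#   name - module path (e.g. windows/smb/ms08_067_netapi)
#   date - disclosure date parsed into a comparable value
#   rank - numeric weight from score(); exploits ranked "manual" are dropped
#
# Fix: the regex captures the disclosure date as yyyy-MM-dd, but the original
# parsed it with the "MM-dd-yy" pattern. That mismatch yields nonsense dates,
# so the newest-first tie-break in runHailMary never sorted correctly. The
# format string now matches what is actually captured.
#
# NOTE(review): this assumes the console prints columns in the order
# Name / Disclosure Date / Rank / ...; a different column layout makes the
# regex match nothing and silently produces an empty list. Confirm against the
# Metasploit version in use.
sub sortedExploits {
	on console_show {
		local('$line $module $date $rank @r');

		foreach $line (split("\n", $3)) {
			if ($line ismatch '\s+(.*?)\s+(\d{4}-\d{2}-\d{2})\s+(\w+)\s+.*') {
				($module, $date, $rank) = matched();

				# "manual" exploits need operator interaction; never auto-launch them
				if ($rank ne "manual") {
					push(@r, %(date => parseDate("yyyy-MM-dd", $date), rank => score($rank), name => $module));
				}
			}
		}

		fire_event_async("exploit_information", @r);

		# one pass is all we need; stop this spawned script
		quit();
	}

	cmd_async("show exploits");
}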
# Decide whether an exploit's platform prefix is plausible for a host.
#
# $1 - exploit module path (e.g. windows/smb/ms08_067_netapi)
# $2 - host address as known to the workspace
#
# Returns 1 when the module's platform prefix agrees with the host's OS
# fingerprint, $null otherwise. The decision rests entirely on host_os(); a
# host with a missing or wrong fingerprint only ever receives multi/* exploits.
sub isHostMatch {
	# multi/* modules are platform independent; accept them for any host
	if ([$1 startsWith: "multi/"]) {
		return 1;
	}

	local('$platform');
	$platform = host_os($2);

	if ($platform eq "Microsoft Windows") {
		return iff([$1 startsWith: "windows/"], 1, $null);
	}

	# Linux hosts take both linux/* and generic unix/* modules
	if ($platform eq "Linux") {
		return iff([$1 startsWith: "linux/"] || [$1 startsWith: "unix/"], 1, $null);
	}

	return $null;
}
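# Attacks -> Hail Mary: launch every sufficiently ranked exploit against every
# host in the workspace whose OS and open port match the module.
#
# This is deliberately indiscriminate and very noisy: every match fires an
# exploit without further confirmation, so only run it against a workspace
# that contains nothing but in-scope targets. The rank floor comes from the
# "armitage.required_exploit_rank.string" preference (default "great").
#
# Fixes in this revision:
#  - $exploit and %ports were never declared, so they leaked into the script's
#    global scope and were shared with runFindAttacks; they are now local to
#    the handler.
#  - $total was never initialised, so a run that launched nothing printed
#    "Launched  exploits..." with a blank count.
#  - the unused %options local is gone.
#
# NOTE(review): $fork is a global that runFindAttacks also assigns; running the
# two features concurrently would make one handler wait on the other's thread.
sub runHailMary {
	global('$console $fork');
	$console = open_text_tab("Hail Mary", $null, "all");

	# collect each exploit's default RPORT in a separate thread while the
	# console output is being parsed
	$fork = fork(&exploitPorts);

	on tab_close {
		quit();
	}

	on exploit_information {
		local('$exploits $exploit $port $host %ports $total $minrank');

		# join the port-collection thread started above
		%ports = wait($fork);

		# drop exploits ranked below the configured floor
		$minrank = score(pref_get("armitage.required_exploit_rank.string", "great"));
		$exploits = filter(lambda({
			return iff ($1['rank'] >= $minrank, $1);
		}, \$minrank), $1);

		# best rank first; within a rank, newest disclosure first
		$exploits = map({ return $1['name']; }, sort({
			if ($2['rank'] == $1['rank']) {
				return $2['date'] <=> $1['date'];
			}
			else {
				return $2['rank'] <=> $1['rank'];
			}
		}, $exploits));

		# fire each exploit at every host that matches its platform and default port
		$total = 0;
		foreach $exploit ($exploits) {
			$port = %ports[$exploit];
			foreach $host (hosts()) {
				if (isHostMatch($exploit, $host) && $host hasservice $port) {
					exploit($exploit, $host);
					append($console, "\cC[*]\o $[20]host => $exploit $+ \n");
					$total++;
				}
			}
		}

		append($console, "\cC[*]\o Launched $total exploits...\n");
	}

	# let's rock...
	append($console, "\cC[*]\o Analyzing modules...\n");
	spawn(&sortedExploits);
}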
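# Attacks -> Find Attacks: build, per host and per service, the list of
# sufficiently ranked exploits whose platform and default port match, and
# publish it as an "attack_analysis_complete" event. Nothing is launched here.
#
# The result is %menus[$host][$service] => @exploit_names, where $service is
# the second path component of the module (e.g. "smb" in windows/smb/...).
# The rank floor comes from "armitage.required_exploit_rank.string"
# (default "great").
#
# Fixes in this revision:
#  - $exploit, $srvc, $module and %ports were never declared, so they leaked
#    into the script's global scope (and $exploit was shared with runHailMary);
#    they are now local to the handler.
#  - the unused %options and $total locals are gone.
#
# NOTE(review): $fork is a global that runHailMary also assigns; running the
# two features concurrently would make one handler wait on the other's thread.
sub runFindAttacks {
	global('$fork');

	# collect each exploit's default RPORT in a separate thread while the
	# console output is being parsed
	$fork = fork(&exploitPorts);

	on exploit_information {
		local('$exploits $exploit $port $host %ports %menus $minrank $srvc $module');

		# join the port-collection thread started above
		%ports = wait($fork);

		# drop exploits ranked below the configured floor
		$minrank = score(pref_get("armitage.required_exploit_rank.string", "great"));
		$exploits = map({ return $1['name']; }, filter(lambda({
			return iff ($1['rank'] >= $minrank, $1);
		}, \$minrank), $1));

		# group matching exploits by host, then by service name
		foreach $exploit ($exploits) {
			$port = %ports[$exploit];
			foreach $host (hosts()) {
				if (isHostMatch($exploit, $host) && $host hasservice $port) {
					# platform/service/module -> keep the service component
					($null, $srvc, $module) = split('\\/', $exploit);

					if ($host !in %menus) {
						%menus[$host] = %();
					}
					if ($srvc !in %menus[$host]) {
						%menus[$host][$srvc] = @();
					}

					push(%menus[$host][$srvc], $exploit);
				}
			}
		}

		fire_event_async("attack_analysis_complete", %menus);

		# one pass is all we need; stop this spawned script
		quit();
	}

	spawn(&sortedExploits);
}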