Shell Finder
Uses found exploits to request a shell on a router.
//Start-up. This is GreyScript (the Grey Hack in-game scripting language); the script looks
//for a shell on a router whose kernel_router.so is v1.0.0.
//Exactly one argument is expected: the target's IP address, read as params[0].
//Example: "hackrouter 192.168.0.1" makes params[0] equal to "192.168.0.1".
//Any other argument count, or -h / --help, prints the usage line and stops.
wantsHelp = params.len != 1 or params[0] == "-h" or params[0] == "--help"
if wantsHelp then
    //program_path.split("/")[-1] is the last path component, i.e. the program's own name.
    exit("<b>Usage: "+program_path.split("/")[-1]+" [ip_address]</b>")
end if
//Load the metaxploit library; every exploit call further down goes through it.
//The copy in /lib is tried first, then one in the folder given by current_path.
metaxploit = include_lib("/lib/metaxploit.so")
if not metaxploit then metaxploit = include_lib(current_path + "/metaxploit.so")
//Neither location had it: stop here, since nothing below can run without the library.
if not metaxploit then exit("Error: Can't find metaxploit library in the /lib path or the current folder")
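//Open a net session to the target. net_use is the call that makes dumping the router's
//library possible; it connects to the address given on the command line (params[0]).
address = params[0]
//The argument comes straight from the command line, so reject anything that is not an
//IP address up front instead of letting it surface later as a generic connection error.
if not is_valid_ip(address) then exit("Error: invalid ip address: " + address)
net_session = metaxploit.net_use( address )
//A null session means the connection could not be opened; there is nothing to dump.
if not net_session then exit("Error: can't connect to net session")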
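//dump_lib returns the library behind the net session. No port was passed to net_use,
//which the original author notes selects the router's kernel library (kernel_router.so);
//an exploit against any other service needs that service's port in the net_use call.
libName = "kernel_router.so"
//Announce the search before the dump runs, so the message matches what is happening.
print("Searching " + libName +" ...")
libKernel = net_session.dump_lib
if not libKernel then exit("Error: " + libName + " not found.")
//The memory addresses used further down were recorded for kernel_router.so v1.0.0.
//Report what was actually dumped so a mismatch is visible instead of silently
//producing null results.
if libKernel.lib_name != libName or libKernel.version != "1.0.0" then
    print("Warning: dumped " + libKernel.lib_name + " v" + libKernel.version + ", expected " + libName + " v1.0.0; the recorded addresses may not apply.")
end if
//lanIp = user_input("Enter a LAN address: ")
//This line is for optional exploits that do not use a shell.
//Disabled for now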
//Scan results. Each overflow call pairs a memory address with a key value found by
//scanning the library in the author's own game; both differ per game, so replace
//e.g. "0x18F4B352" and "moffsetitlebackgroupbloc" with the address and key from YOUR game.
//Comment out entries you do not have, or add more if your library has more.
//Using scanlib and small scripts to print typeof() of each result is a good first
//step to learning the scripting language.
//params[0] (the target address) is passed as overflow's optional third argument;
//whether these particular entries use it is not visible from this script.
//Each shellN flag is 1 when the matching result is a shell object, otherwise 0.
result1 = libKernel.overflow("0x18F4B352", "moffsetitlebackgroupbloc", params[0])
shell1 = (typeof(result1) == "shell")

result2 = libKernel.overflow("0x18F4B352", "updatebytebuttoncolor", params[0])
shell2 = (typeof(result2) == "shell")

result3 = libKernel.overflow("0x18F4B352", "telistintlinenums", params[0])
shell3 = (typeof(result3) == "shell")

result4 = libKernel.overflow("0x330F9D6", "lengthsbuild_t", params[0])
shell4 = (typeof(result4) == "shell")

result5 = libKernel.overflow("0x330F9D6", "sicontsr", params[0])
shell5 = (typeof(result5) == "shell")
//Print the typeof() of every result for reference. This is a simple way to see what
//kind of object each entry returned; only "shell" results are used further down,
//every other type is just reported here and otherwise ignored.
accessResults = [result1, result2, result3, result4, result5]
for slot in range(0, accessResults.len - 1)
    print("RESULT " + (slot + 1) + " ACCESS: " + typeof(accessResults[slot]))
end for
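//Offer each result that returned a shell to the user, one after another.
//The five copy-pasted prompt loops of the original are folded into one helper so the
//rule is written once: a flag above 0 means the result is a shell; the user is asked
//whether to connect; only an exact "y" launches the terminal, while "n" or any other
//answer leaves the loop and moves on to the next result.
//  slot        - number shown in the messages (1..5)
//  shellResult - the object returned by the matching overflow call
//  hasShell    - the matching shellN flag (1 = shell, 0 = anything else)
offerShell = function(slot, shellResult, hasShell)
    while hasShell > 0
        print("RESULT " + slot + " has shell access.")
        answer = user_input("Connect to RESULT " + slot + " shell? (y/n)")
        if answer != "y" then break
        print("Accessing Shell..")
        //NOTE(review): if start_terminal hands control back to this script, the loop
        //asks again, as the original loops did; confirm against the game's API docs.
        shellResult.start_terminal
    end while
end function

//Result 1 Management
offerShell(1, result1, shell1)
//Result 2 Management
offerShell(2, result2, shell2)
//Result 3 Management
offerShell(3, result3, shell3)
//Result 4 Management
offerShell(4, result4, shell4)
//Result 5 Management
offerShell(5, result5, shell5)
print("EXITING...")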
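//The crypto library is loaded as a failsafe; the author notes that shell access usually
//does not need it. Nothing in this script uses cryptools, and the load runs only after
//every result has been handled, so a missing crypto.so affects only the final message.
//Lookup order matches the metaxploit loader: /lib first, then the current_path folder.
cryptools = include_lib("/lib/crypto.so")
if not cryptools then cryptools = include_lib(current_path + "/crypto.so")
//The page text that was fused onto the end of this statement has been dropped;
//it was not part of the script.
if not cryptools then exit("Error: Can't find crypto.so library in the /lib path or the current folder")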