Last active
November 22, 2025 11:55
-
-
Save FennyFatal/b0b2f202222d939516987377dd3deed6 to your computer and use it in GitHub Desktop.
Grey hack router exploit.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| metaxploit = include_lib("/lib/metaxploit.so") | |
| if not metaxploit then metaxploit = include_lib(current_path + "/metaxploit.so") | |
| c_red = "<color=#ff0000>" | |
| c_green = "<color=#00ff00>" | |
| c_blue = "<color=#0000ff>" | |
| c_grey = "<color=#999999>" | |
| c_reset = "</color>" | |
| vbt = get_shell.host_computer.File(current_path + "/vbt") | |
| if not vbt or vbt == null then | |
| print("Trying for vbt at /bin/vbt") | |
| vbt = get_shell.host_computer.File(current_path + "/bin/vbt") | |
| end if | |
| if vbt then | |
| print "Found vbt at " + vbt.path | |
| end if | |
| getPorts = function (remote) | |
| for port in remote.get_ports | |
| print port | |
| end for | |
| end function | |
| GetPassword = function(userPass) | |
| cryptools = include_lib("/lib/crypto.so") | |
| if not cryptools then | |
| cryptools = include_lib(current_path + "/crypto.so") | |
| end if | |
| if not cryptools then exit("Error: Can't find crypto.so library in the /lib path or the current folder") | |
| if userPass.len != 2 then exit("decipher: wrong syntax") | |
| password = cryptools.decipher(userPass[1]) | |
| return password | |
| end function | |
| listFiles = function (remote, folderPath) | |
| libfolder = remote.File(folderPath) | |
| for lib in libfolder.get_files | |
| print lib.path | |
| if not lib.is_binary then print lib.get_content | |
| end for | |
| end function | |
| decypherEtcPasswd = function (remote) | |
| configFile = "/etc/passwd" | |
| bankFile = remote.File(configFile) | |
| if not bankFile then return | |
| if not bankFile.has_permission("r") then exit("Error: can't read file contents. Permission deniend") | |
| userPasses = bankFile.get_content.split("\n") | |
| for user in userPasses | |
| userPass = user.split(":") | |
| if user.len < 2 then continue | |
| print("Deciphering " + configFile) | |
| print(configFile + " account: " + userPass[0]) | |
| pass = null | |
| if vbt then pass = get_shell.launch(vbt.path, "-c -t " + userPass[1]) | |
| if pass then | |
| found = true | |
| else | |
| password = GetPassword(userPass) | |
| if not password then | |
| print("Nothing found...") | |
| else | |
| print("Password: " + password) | |
| found = true | |
| end if | |
| end if | |
| end for | |
| return found | |
| end function | |
| decypherThing = function (remote, userFolder, configFile) | |
| found = false | |
| bankFile = remote.File("/home/" + userFolder.name + "/Config/" + configFile +".txt") | |
| if not bankFile then return | |
| if not bankFile.has_permission("r") then exit("Error: can't read file contents. Permission deniend") | |
| userPass = bankFile.get_content.split(":") | |
| print("Deciphering " + configFile + " password for user: " + userFolder.name) | |
| print(configFile + " account: " + userPass[0]) | |
| pass = null | |
| if vbt then pass = get_shell.launch(vbt.path, "-c -t " + userPass[1]) | |
| if pass then | |
| found = true | |
| else | |
| password = GetPassword(userPass) | |
| if not password then | |
| print("Nothing found...") | |
| else | |
| print("Password: " + password) | |
| found = true | |
| end if | |
| end if | |
| return found | |
| end function | |
| routerExploit = function (ip, address, funcstring, lanIp) | |
| net_session = metaxploit.net_use( ip ) | |
| if not net_session then exit("Error: can't connect to net session") | |
| libKernel = net_session.dump_lib | |
| libName = "kernel_router.so" | |
| print("Searching " + libName +" ...") | |
| if libKernel.lib_name != libName then exit("Error: " + libName + " not found.") | |
| if lanIp == "" then lanIp = user_input("Enter a LAN address: ") | |
| result = libKernel.overflow(address, funcstring, lanIp) | |
| typeObject = typeof(result) | |
| if(typeObject != "computer") then exit("Error: expected computer, obtained " + typeObject) | |
| homeFolder = result.File("/home") | |
| if not homeFolder then exit("Error: /home folder not found") | |
| userFolders = homeFolder.get_folders | |
| found = false | |
| for userFolder in userFolders | |
| found = decypherThing(result, userFolder, "Bank") | |
| found = decypherThing(result, userFolder, "Mail") | |
| listFiles(result, userFolder.path) | |
| end for | |
| listFiles(result, "/lib") | |
| getPorts(result) | |
| found = decypherEtcPasswd(result) | |
| if not found then print("No files found") | |
| end function | |
| scanMode = function(ip, port, metaLib) | |
| addresses = metaxploit.scan(metaLib) | |
| vulns = [] | |
| index = 0 | |
| for address in addresses | |
| print address | |
| index = index + 1 | |
| print(c_green + index + ".") | |
| print(ip + " " + port + " " + address + c_reset) | |
| result = metaxploit.scan_address(metaLib, address) | |
| print(result) | |
| string_arr = result.split("Unsafe") | |
| vars = [] | |
| vars.push(address) | |
| for string in string_arr | |
| vars.push(string[string.indexOf("<b>")+3:string.indexOf("</b>")]) | |
| end for | |
| vars.remove(1) | |
| vulns.push(vars) | |
| end for | |
| commands = [] | |
| index = 0 | |
| for vuln in vulns | |
| address = vuln.pull() | |
| for var in vuln | |
| index = index + 1 | |
| command = [] | |
| command.push(index) | |
| command.push(ip) | |
| command.push(port) | |
| command.push(address) | |
| command.push(var) | |
| command.push("") | |
| commands.push(command) | |
| end for | |
| end for | |
| for command in commands | |
| if not command[5] == "" then | |
| print(c_grey + "<b>" + command[0] + ".</b> " + command[1] + " " + command[2] + " " + command[3] + " " + command[4] + " " + command[5] + " " + c_reset) | |
| else | |
| print("<b>" + command[0] + ".</b> " + command[1] + " " + command[2] + " " + command[3] + " " + command[4] + " " + command[5]) | |
| end if | |
| end for | |
| end function | |
| inclusiveIndexes = function (max) | |
| retval = [] | |
| i = 0 | |
| while(i < max) | |
| retval.push(i) | |
| i = i + 1 | |
| end while | |
| return retval | |
| end function | |
| propNames = ["ip", "address", "var", "lanIp"] | |
| props = {} | |
| props.port=0 | |
| props.address = "" | |
| props.lanIp = "" | |
| for i in inclusiveIndexes(params.len) | |
| if propNames.len > i then | |
| props[propNames[i]] = params[i] | |
| end if | |
| end for | |
| props.metalib = metaxploit.net_use( props.ip ).dump_lib | |
| if (props.address == "") then | |
| scanMode(props.ip, props.port, props.metalib) | |
| else | |
| routerExploit(props.ip, props.address, props.var, props.lanIp) | |
| end if |
Author
FennyFatal
commented
Oct 9, 2024
via email
When calling the script, params are:
["ip", "address", "var", "lanIp"]
…On Tue, Oct 8, 2024, 5:22 AM MaxMeName ***@***.***> wrote:
***@***.**** commented on this gist.
------------------------------
image.png (view on web)
<https://gist.github.com/user-attachments/assets/0e69612a-60e2-49f8-8f62-2ff8ac93bd8f>
—
Reply to this email directly, view it on GitHub
<https://gist.github.com/FennyFatal/b0b2f202222d939516987377dd3deed6#gistcomment-5224908>
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAL7L2EUG4DQYRI3PJRECPDZ2O577BFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTGMBQGU3DQOJTU52HE2LHM5SXFJTDOJSWC5DF>
.
You are receiving this email because you authored the thread.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>
.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment