Linux ip-172-26-2-223 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64
Apache
: 172.26.2.223 | : 18.227.140.134
Cant Read [ /etc/named.conf ]
8.1.13
www
www.github.com/MadExploits
Terminal
AUTO ROOT
Adminer
Backdoor Destroyer
Linux Exploit
Lock Shell
Lock File
Create User
CREATE RDP
PHP Mailer
BACKCONNECT
UNLOCK SHELL
HASH IDENTIFIER
CPANEL RESET
CREATE WP USER
BLACK DEFEND!
README
+ Create Folder
+ Create File
/
usr /
share /
ec2-instance-connect /
[ HOME SHELL ]
Name
Size
Permission
Action
eic_curl_authorized_keys
6.33
KB
-rwxr-xr-x
eic_harvest_hostkeys
7.15
KB
-rwxr-xr-x
eic_parse_authorized_keys
15.33
KB
-rwxr-xr-x
eic_run_authorized_keys
823
B
-rwxr-xr-x
Delete
Unzip
Zip
${this.title}
Close
Code Editor : eic_parse_authorized_keys
#!/bin/sh # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"). You # may not use this file except in compliance with the License. A copy of # the License is located at # # http://aws.amazon.com/apache2.0/ # # or in the "license" file accompanying this file. This file is # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF # ANY KIND, either express or implied. See the License for the specific # language governing permissions and limitations under the License. # Reads authorized keys blob $3 and prints verified, unexpired keys # Openssl to use provided as $1 # Signer public key file path provided as $2 set -e # Set umask so only we can touch temp files umask 077 # Failure reporting & exit # Format: fail [is_debug] [message] fail () { if [ "${1}" = true ] ; then /bin/echo "${2}" else /usr/bin/logger -i -p authpriv.info "${2}" fi exit 1 } # Helper to determine if a string starts with a given prefix # Format: startswith [string] [prefix] startswith () { [ "${1#${2}}x" != "${1}x" ] } # Helper function to strip out a prefix from a string # Format: removeprefix [string] [prefix] removeprefix () { /usr/bin/printf '%s' "${1#${2}}" } # Helper to verify an arbitrary ocsp response body given the certificate and issuer # Format: verifyocsp [is_debug] [openssl command] [certificate] [issuer] [ocsp directory] verifyocsp() { # First check if this cert is already trusted cname=$("${2}" x509 -noout -subject -in "${3}" 2>/dev/null | /bin/sed -n -e 's/^.*CN[[:blank:]]*=[[:blank:]]*//p') fingerprint=$("${2}" x509 -noout -fingerprint -sha1 -inform pem -in "${3}" 2>/dev/null | /bin/sed -n 's/SHA1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/p' | tr -d ':') ocsp_out=$("${2}" ocsp -no_nonce -issuer "${4}" -cert "${3}" -VAfile "${4}" -respin "${5}/${fingerprint}" 2>/dev/null) ocsp_exit="${?}" if [ "${ocsp_exit}" -ne 0 ] || ! startswith "${ocsp_out}" "${3}: good" ; then fail "${1}" "EC2 Instance Connect could not verify certificate ${cname} has not been revoked. No keys have been trusted." fi } while getopts ":x:p:o:d:s:i:c:a:v:f:" o; do case "${o}" in x) is_debug="${OPTARG}" ;; p) keys_path="${OPTARG}" ;; o) OPENSSL="${OPTARG}" ;; d) tmpdir="${OPTARG}" ;; s) signer="${OPTARG}" ;; i) current_instance_id="${OPTARG}" ;; c) expected_cn="${OPTARG}" ;; a) ca_path="${OPTARG}" ;; v) ocsp_dir_path="${OPTARG}" ;; f) expected_key="${OPTARG}" ;; *) /bin/echo "Usage: $0 [-x debug] [-r key read command] [-o openssl command] [-d tmpdir] [-s signer certificate] [-i instance id] [-c cname] [-a ca path] [-v ocsp dir] [-f key fingerprint]" exit 1 ;; esac done # Verify we have sufficient inputs if [ $# -lt 1 ] ; then # No args whatsoever # Unit test log (ignored by sshd) /bin/echo "Usage: $0 [-x debug] [-r key read command] [-o openssl command] [-d tmpdir] [-s signer certificate] [-i instance id] [-c cname] [-a ca path] [-v ocsp dir] [-f key fingerprint]" # System log /usr/bin/logger -i -p authpriv.info "Unable to run EC2 Instance Connect: insufficient args provided. Please check your sshd configuration." exit 1 fi # Verify the signer certificate we have been provided - CN, trust chain, and revocation status # Split the chain into pieces /bin/echo "${signer}" | /usr/bin/awk -v dir="${tmpdir}" 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > dir "/cert" n ".pem"}' # We want visibility into the CA bundle so we can skip verifying entries in the chain that are already trusted if [ -d "${ca_path}" ] ; then ca_path_dir=$ca_path else ca_path_dir=$(dirname "${ca_path}") fi ca_bundles_dir=$(/bin/mktemp -d "${tmpdir}/eic-cert-XXXXXXXX") end=$(/usr/bin/find "${tmpdir}" -maxdepth 1 -type f -name "cert*.pem" -regextype sed -regex ".*/cert[0-9]\+\.pem" | wc -l) if [ "${end}" -gt 0 ] ; then # First see if we already have them for i in $(/usr/bin/seq 1 "${end}") ; do subject=$("${OPENSSL}" x509 -noout -subject -in "${tmpdir}/cert${i}.pem" | /bin/sed -n -e 's/^.*CN[[:space:]]*=[[:space:]]*//p') underscored=$(/bin/echo "${subject}" | /usr/bin/tr -s ' ' '_') 2>/dev/null if [ -f "${ca_path_dir}/${underscored}.pem" ] ; then # We already have it /bin/cp "${ca_path_dir}/${underscored}.pem" "${ca_bundles_dir}/${underscored}" else if [ ! -d "${ca_path}" ] ; then # Try to pull this CN from the CA bundle /bin/sed -n -e '/#[[:space:]]'"$subject"'$/,$p' "${ca_path}" 2>/dev/null | /bin/sed '/-----END[[:space:]]CERTIFICATE-----.*/,$d' | /bin/sed -n '1!p' > "${ca_bundles_dir}/${subject}" if [ -s "${ca_bundles_dir}/${subject}" ] ; then /bin/echo "-----END CERTIFICATE-----" >> "${ca_bundles_dir}/${subject}" else /bin/rm -f "${ca_bundles_dir}/${subject}" fi fi fi done fi # Build the intermediate trust chain /bin/touch "${tmpdir}/ca-trust.pem" for i in $(/usr/bin/seq 1 "${end}") ; do /bin/cat "${tmpdir}/cert${i}.pem" >> "${tmpdir}/ca-trust.pem" done if [ -d "${ca_path}" ] ; then subject=$("${OPENSSL}" x509 -noout -subject -in "${tmpdir}/cert${end}.pem" | /bin/sed -n -e 's/^.*CN[[:space:]]*=[[:space:]]*//p') underscored=$(/bin/echo "${subject}" | /usr/bin/tr -s ' ' '_') 2>/dev/null /bin/cat "${ca_bundles_dir}/${underscored}" >> "${tmpdir}/ca-trust.pem" 2>/dev/null else /bin/cat "${ca_path}" >> "${tmpdir}/ca-trust.pem" 2>/dev/null fi # At this point ca-trust is final /bin/chmod 400 "${tmpdir}/ca-trust.pem" # Verify the CN signer_cn=$("${OPENSSL}" x509 -noout -subject -in "${tmpdir}/cert.pem" | /bin/sed -n -e 's/^.*CN[[:space:]]*=[[:space:]]*//p') if [ "${signer_cn}" != "${expected_cn}" ] ; then fail "${is_debug}" "EC2 Instance Connect encountered an unrecognized signer certificate. No keys have been trusted." fi # Verify the trust chain if [ -d "${ca_path}" ] ; then verify_out=$("${OPENSSL}" verify -x509_strict -CApath "${ca_path}" -CAfile "${tmpdir}/ca-trust.pem" "${tmpdir}/cert.pem") verify_status=$? else # If the CA path is not a directory then do not use it - openssl will throw errors on versions 1.1.1+ verify_out=$("${OPENSSL}" verify -x509_strict -CAfile "${tmpdir}/ca-trust.pem" "${tmpdir}/cert.pem") verify_status=$? fi if [ $verify_status -ne 0 ] || [ "${verify_out}" != "${tmpdir}/cert.pem: OK" ] ; then fail "${is_debug}" "EC2 Instance Connect could not verify the signer trust chain. No keys have been trusted." fi # Verify no certificates have been revoked # Iterate from first to second-to-last cert & validate OCSP staples /bin/mv "${tmpdir}/cert.pem" "${tmpdir}/cert0.pem" # Better naming consistency for loop for i in $(/usr/bin/seq 0 $((end - 1))) ; do subject=$("${OPENSSL}" x509 -noout -subject -in "${tmpdir}/cert${i}.pem" | /bin/sed -n -e 's/^.*CN[[:space:]]*=[[:space:]]*//p') if [ -f "${ca_bundles_dir}/${subject}" ] ; then # If we encounter a certificate that's in the CA bundle we can skip the rest as implicitly trusted hash=$("${OPENSSL}" x509 -hash -noout -in "${tmpdir}/cert${i}.pem" 2>/dev/null) trusted_hash=$("${OPENSSL}" x509 -hash -noout -in "${ca_bundles_dir}/${subject}" 2>/dev/null) fingerprint=$("${OPENSSL}" x509 -noout -fingerprint -sha1 -in "${tmpdir}/cert${i}.pem" 2>/dev/null | /bin/sed -n 's/SHA1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/p' | tr -d ':') trusted_fingerprint=$("${OPENSSL}" x509 -noout -fingerprint -sha1 -in "${ca_bundles_dir}/${subject}" 2>/dev/null | /bin/sed -n 's/SHA1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/p' | tr -d ':') pkey=$("${OPENSSL}" x509 -pubkey -noout -in "${tmpdir}/cert${i}.pem") trusted_pkey=$("${OPENSSL}" x509 -pubkey -noout -in "${ca_bundles_dir}/${subject}" ) if [ "${hash}" = "${trusted_hash}" ] && [ "${fingerprint}" = "${trusted_fingerprint}" ] && [ "${pkey}" = "${trusted_pkey}" ] ; then # Already trusted, no need to OCSP verify break fi fi verifyocsp "${is_debug}" "${OPENSSL}" "${tmpdir}/cert${i}.pem" "${tmpdir}/cert$((i + 1)).pem" "${ocsp_dir_path}" done # At this point we no longer need the CA information /bin/rm -rf "${ca_bundles_dir}" # Extract cert public key /bin/echo "${signer}" | "${OPENSSL}" x509 -pubkey -noout > "${tmpdir}/pubkey" 2>/dev/null extract="${?}" if [ "${extract}" -ne 0 ] ; then fail "${is_debug}" "EC2 Instance Connect failed to extract the public key from the signer certificate. No keys have been trusted." fi # Begin actual parsing of authorized keys data if [ -n "${expected_key+x}" ] ; then # An expected fingerprint was given if [ "${is_debug}" = false ] ; then /usr/bin/logger -i -p authpriv.info "Querying EC2 Instance Connect keys for matching fingerprint: ${expected_key}" fi fi # Set current time as expiration marker curtime=$(/bin/date +%s) # We want to prevent variables from leaving the parser's scope # We also want to capture overall exit code # We also need to redirect the input into our loop # The simplest solution to all of the above is to take advantage of how sh pipes spawn a subprocess output=$( exitcode=255 # Exit code if no valid keys are provided count=0 # Read loop - pull timestamp line at start of iteration while read -r line do pathprefix="${tmpdir}/${count}" # Clear our temp buffers to prevent any sort of injection /bin/rm -f "${pathprefix}-key" /bin/rm -f "${pathprefix}-signedData" /bin/rm -f "${pathprefix}-sig" /bin/rm -f "${pathprefix}-decoded" # Pre-initialize key validation fields timestamp=0 instance_id="" caller="" request="" # We do not pre-initialize the actual key or signature fields /bin/touch "${pathprefix}-signedData" # Loop to read keys & parse out values # This is not sub-shelled as we want to maintain variable scope with the outer loop # Loop condition is until we reach a line that lacks the "#Key" format while startswith "${line}" "#" do # Note that not all of these may be present depending on service deployments # Similarly, this list is not meant to be exhaustive - there may be new fields to be checked in a later version if startswith "${line}" "#Timestamp=" ; then timestamp=$(removeprefix "${line}" "#Timestamp=") elif startswith "${line}" "#Instance=" ; then instance_id=$(removeprefix "${line}" "#Instance=") elif startswith "${line}" "#Caller=" ; then caller=$(removeprefix "${line}" "#Caller=") elif startswith "${line}" "#Request=" ; then request=$(removeprefix "${line}" "#Request=") # Otherwise it's a #Key we don't recognize (i.e., this version of AuthorizedKeysCommand is outdated) fi # We verify on all fields in-order, whether we recognize them or not. Similarly, we don't force fields not present. # As such we always add this to the signature verification file /usr/bin/printf '%s\n' "${line}" >> "${pathprefix}-signedData" # Read the next line read -r line done # At this point, line should contain the key if startswith "${line}" "ssh" ; then key="${line}" /usr/bin/printf '%s\n' "${key}" >> "${pathprefix}-signedData" # At this point we do not need to modify signedData /bin/chmod 400 "${pathprefix}-signedData" # Read key signature - may be multi-line encodedsigfile="${pathprefix}-sig" /bin/touch "${encodedsigfile}" read -r sigline || sigline="" while [ "${sigline}" != "" ] do /usr/bin/printf '%s\n' "${sigline}" >> "${encodedsigfile}" read -r sigline || sigline="" done /bin/chmod 400 "${encodedsigfile}" /usr/bin/printf '%s\n' "${key}" > "${pathprefix}-key" # Begin validation if [ -n "${instance_id}" ] && [ "${timestamp}" -ne 0 ] ; then fingerprint=$(/usr/bin/ssh-keygen -lf "${pathprefix}-key" | cut -d ' ' -f 2) # Get only the actual fingerprint, ignore key size & source # If we were told to expect a specific key and this isn't it, skip it if [ -z "${expected_key}" ] || [ "$fingerprint" = "${expected_key}" ] ; then # Check instance ID matches & timestamp is still valid if [ "${current_instance_id}" = "${instance_id}" ] && [ "${timestamp}" -gt "${curtime}" ] ; then # Decode the signature (/usr/bin/base64 --decode "${encodedsigfile}" > "${pathprefix}-decoded" || rm -f "${pathprefix}-decoded") 2>/dev/null if [ -f "${pathprefix}-decoded" ] ; then # Verify signature $OPENSSL dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify "${tmpdir}/pubkey" -signature "${pathprefix}-decoded" "${pathprefix}-signedData" 1>/dev/null 2>/dev/null verify="${?}" if [ "${verify}" -eq 0 ] ; then # Signature verified. # Record this in syslog callermessage="Providing ssh key from EC2 Instance Connect with fingerprint: ${fingerprint}" if [ "${request}" != "" ] ; then callermessage="${callermessage}, request-id: ${request}" fi if [ "${caller}" != "" ] ; then callermessage="${callermessage}, for IAM principal: ${caller}" fi if [ "${is_debug}" = false ] ; then /usr/bin/logger -i -p authpriv.info "${callermessage}" fi # Return key to the ssh daemon /bin/echo "${key}" exitcode=0 fi fi fi fi fi else # We didn't find a key. Skip until we hit a blank line or EOF while [ "${line}" != "" ] do read -r line || line="" done fi # Clean up any tempfiles /bin/rm -f "${pathprefix}-key" /bin/rm -f "${pathprefix}-signedData" /bin/rm -f "${pathprefix}-sig" /bin/rm -f "${pathprefix}-decoded" count=$((count + 1)) done < "${keys_path}" # This is the loop subprocess's exit code, not the script's exit $exitcode ) # Re-capture the exit code exitcode=$? # Print keys & exit /bin/rm -rf "${tmpdir}/pubkey" /bin/echo "${output}" exit $exitcode
Close
