mguezuraga/medium_one_impersonation.py

## medium_one_impersonation.py
import base64
import datetime
import hashlib
import logging
import sys
import xmlrpc.client

from Crypto.Cipher import AES
from lxml import etree

BS = 16

# Key is the password of serveradmin (plaintext)
KEY = '74cf0e9a3c2b904e9c445771cdccb3e6ce3e4da7'
SERVER = 'https://opennebula.mydomain/RPC2'


class AESCipher:

    def __init__(self, key):
        self.key = hashlib.sha1(key.encode('utf-8')).hexdigest()[:32]

    def encrypt(self, raw):
        raw = self.pad(raw)
        iv = 16 * '\x00'
        _cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return base64.b64encode(_cipher.encrypt(raw)).decode("utf-8")

    def decrypt(self, enc):
        _enc = base64.b64decode(enc)
        iv = 16 * '\x00'
        _cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self.unpad(_cipher.decrypt(_enc))

    @staticmethod
    def pad(s): return s + (BS - len(s) % BS) * chr(BS - len(s) % BS)

    @staticmethod
    def unpad(s): return s[:-ord(s[len(s) - 1:])]


def get_proxy():
    return xmlrpc.client.ServerProxy(SERVER)


def main():
    user = 'serveradmin'
    target_user = 'bob'

    # Generate a timestamp 1 hour in the future
    token_expiration = int((datetime.datetime.now() + datetime.timedelta(hours=1)).timestamp())

    token_txt = "{}:{}:{}".format(user, target_user, token_expiration)

    cipher = AESCipher(KEY)
    secret = cipher.encrypt(token_txt)

    one_auth = '{}:{}:{}'.format(user, target_user, secret)

    try:
        resource = get_proxy().one.vmpool.info(one_auth, -3, -1, -1, -1)
    except xmlrpc.client.Fault as e:
        logging.critical(e)
        sys.exit(1)

    # If the call succeeds, it returns a list with (true, xml)
    if resource[0] is False:
        logging.critical(resource[1])
        sys.exit(resource[2])

    # Good to go, parse
    xml = etree.fromstring(resource[1])

    for elem in xml.xpath('//VM_POOL/VM'):
        name = elem.xpath('.//NAME')[0].text
        owner = elem.xpath('.//UNAME')[0].text
        print("VM: {} - Owner: {}".format(name, owner))

if __name__ == '__main__':
    main()
	import base64
	import datetime
	import hashlib
	import logging
	import sys
	import xmlrpc.client

	from Crypto.Cipher import AES
	from lxml import etree

	BS = 16

	# Key is the password of serveradmin (plaintext)
	KEY = '74cf0e9a3c2b904e9c445771cdccb3e6ce3e4da7'
	SERVER = 'https://opennebula.mydomain/RPC2'


	class AESCipher:

	def __init__(self, key):
	self.key = hashlib.sha1(key.encode('utf-8')).hexdigest()[:32]

	def encrypt(self, raw):
	raw = self.pad(raw)
	iv = 16 * '\x00'
	_cipher = AES.new(self.key, AES.MODE_CBC, iv)
	return base64.b64encode(_cipher.encrypt(raw)).decode("utf-8")

	def decrypt(self, enc):
	_enc = base64.b64decode(enc)
	iv = 16 * '\x00'
	_cipher = AES.new(self.key, AES.MODE_CBC, iv)
	return self.unpad(_cipher.decrypt(_enc))

	@staticmethod
	def pad(s): return s + (BS - len(s) % BS) * chr(BS - len(s) % BS)

	@staticmethod
	def unpad(s): return s[:-ord(s[len(s) - 1:])]


	def get_proxy():
	return xmlrpc.client.ServerProxy(SERVER)


	def main():
	user = 'serveradmin'
	target_user = 'bob'

	# Generate a timestamp 1 hour in the future
	token_expiration = int((datetime.datetime.now() + datetime.timedelta(hours=1)).timestamp())

	token_txt = "{}:{}:{}".format(user, target_user, token_expiration)

	cipher = AESCipher(KEY)
	secret = cipher.encrypt(token_txt)

	one_auth = '{}:{}:{}'.format(user, target_user, secret)

	try:
	resource = get_proxy().one.vmpool.info(one_auth, -3, -1, -1, -1)
	except xmlrpc.client.Fault as e:
	logging.critical(e)
	sys.exit(1)

	# If the call succeeds, it returns a list with (true, xml)
	if resource[0] is False:
	logging.critical(resource[1])
	sys.exit(resource[2])

	# Good to go, parse
	xml = etree.fromstring(resource[1])

	for elem in xml.xpath('//VM_POOL/VM'):
	name = elem.xpath('.//NAME')[0].text
	owner = elem.xpath('.//UNAME')[0].text
	print("VM: {} - Owner: {}".format(name, owner))

	if __name__ == '__main__':
	main()