CurveBall CVE exploitation# CVE-2020-0601 : CurveBall CVE exploitation
This ruby script can be used to spoof a legit certificate authority and generat a certificate that will be considered valid for Windows computer affected by the CurveBall vulnerability.
You need to get a certificate comming from the certificate authority you want to spoof.
Then, you can run the script with the following command :
`ruby gen-rogue-cert.rb -in=ca.crt -subj="/C=France/ST=IleDeFrance/L=Paris/O=YoannDqr" -out=cert_rb.p12 -exe=DoNotDebugMe.exe -sh -type=exe -sh | bash`
The script can be used to generate signed PE as well as TLS servers.
## List of options
- -in : mandatory ; path to the trusted CA cert to spoof
- -out : mandatory ; path to store the generated certificate
- -type : mandatory ; can be 'exe' for code signing certificate or 'tls' for server and client authentication certificate
- -exe : optionnal ; name of the executable to sign
- -subj : optional ; subject of the generated cert
- -sh : flag optional ; return only the bash command needed to use the certificate (ex : command line to sign an executable)
## Technologies Used ##
The script is based on the ruby OpenSSL library https://github.com/ruby/openssl.
It will generate a fake CA from the public key found in the inputed certificate.
Then, it will generate a certificate signing request and signs it with the fake CA certificate.
The certificate will be packed in a pcks12 file and saved on your computer.
To add features as generating TLS certificates, just modify extensions of the certificate generated from the certificate signing request.
- Code signing : `csr_cert.add_extension(extension_factory.create_extension('extendedKeyUsage', 'codeSigning'))`
- TLS certificate : `csr_cert.add_extension(extension_factory.create_extension('extendedKeyUsage', 'serverAuth, clientAuth'))`
[4.0K] /data/pocs/51d4c4b80f9a43cd58d9e412f494e97a024ba44c
├── [1.1K] ca.crt
├── [5.7K] gen-rogue-cert.rb
└── [1.8K] README.md
0 directories, 3 files