This ruby script can be used to spoof a legit certificate authority and generat a certificate that will be considered valid for Windows computer affected by the CurveBall vulnerability.
You need to get a certificate comming from the certificate authority you want to spoof.
Then, you can run the script with the following command :
ruby gen-rogue-cert.rb -in=ca.crt -subj="/C=France/ST=IleDeFrance/L=Paris/O=YoannDqr" -out=cert_rb.p12 -exe=DoNotDebugMe.exe -sh -type=exe -sh | bash
The script can be used to generate signed PE as well as TLS servers.
-
-in : mandatory ; path to the trusted CA cert to spoof
-
-out : mandatory ; path to store the generated certificate
-
-type : mandatory ; can be 'exe' for code signing certificate or 'tls' for server and client authentication certificate
-
-exe : optionnal ; name of the executable to sign
-
-subj : optional ; subject of the generated cert
-
-sh : flag optional ; return only the bash command needed to use the certificate (ex : command line to sign an executable)
The script is based on the ruby OpenSSL library https://github.com/ruby/openssl.
It will generate a fake CA from the public key found in the inputed certificate. Then, it will generate a certificate signing request and signs it with the fake CA certificate. The certificate will be packed in a pcks12 file and saved on your computer.
To add features as generating TLS certificates, just modify extensions of the certificate generated from the certificate signing request.
- Code signing :
csr_cert.add_extension(extension_factory.create_extension('extendedKeyUsage', 'codeSigning')) - TLS certificate :
csr_cert.add_extension(extension_factory.create_extension('extendedKeyUsage', 'serverAuth, clientAuth'))