Class: Msf::Exploit::Remote::Pkcs12::Storage

Inherits:

Object

• Object
• Msf::Exploit::Remote::Pkcs12::Storage

Includes:

Auxiliary::Report

Defined in:

lib/msf/core/exploit/remote/pkcs12/storage.rb

Instance Attribute Summary

• #framework ⇒ Object readonly

  Returns the value of attribute framework.

• #framework_module ⇒ Object readonly

  Returns the value of attribute framework_module.

Instance Method Summary

• #activate(ids:) ⇒ Array<StoredPkcs12>

  Mark Pkcs12(s) as active.

• #deactivate(ids:) ⇒ Array<StoredPkcs12>

  Mark Pkcs12(s) as inactive.

• #delete(options = {}) ⇒ Object
• #filter_pkcs12(options) ⇒ Array<Metasploit::Credential::Core>

  Return the raw stored pkcs12.

• #initialize(framework: nil, framework_module: nil) ⇒ Storage constructor

  A new instance of Storage.

• #pkcs12(options = {}, &block) ⇒ Array<StoredPkcs12>

  Get stored pkcs12 matching the options query.

• #read_pkcs12_cert_path(cert_path, cert_pass = '', workspace: nil) ⇒ Object
• #workspace ⇒ String

  The name of the workspace in which to operate.

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Constructor Details

#initialize(framework: nil, framework_module: nil) ⇒ Storage

Returns a new instance of Storage.

# File 'lib/msf/core/exploit/remote/pkcs12/storage.rb', line 14

def initialize(framework: nil, framework_module: nil)
  @framework = framework || framework_module&.framework
  @framework_module = framework_module
end

Instance Attribute Details

#framework ⇒ Object (readonly)

Returns the value of attribute framework.

# File 'lib/msf/core/exploit/remote/pkcs12/storage.rb', line 8

def framework
  @framework
end

#framework_module ⇒ Object (readonly)

Returns the value of attribute framework_module.

# File 'lib/msf/core/exploit/remote/pkcs12/storage.rb', line 12

def framework_module
  @framework_module
end

Instance Method Details

#activate(ids:) ⇒ Array<StoredPkcs12>

Mark Pkcs12(s) as active

Parameters:

• ids (Array<Integer>) —

  The list of pkcs12 IDs.

Returns:

• (Array<StoredPkcs12>)

# File 'lib/msf/core/exploit/remote/pkcs12/storage.rb', line 148

def activate(ids:)
  set_status(ids: ids, status: 'active')
end

#deactivate(ids:) ⇒ Array<StoredPkcs12>

Mark Pkcs12(s) as inactive

Parameters:

• ids (Array<Integer>) —

  The list of pkcs12 IDs.

Returns:

• (Array<StoredPkcs12>)

# File 'lib/msf/core/exploit/remote/pkcs12/storage.rb', line 140

def deactivate(ids:)
  set_status(ids: ids, status: 'inactive')
end

#delete(options = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/pkcs12/storage.rb', line 114

def delete(options = {})
  if options.keys == [:ids]
    # skip calling #filter_pkcs12 which issues a query when the IDs are specified
    ids = options[:ids]
  else
    ids = filter_pkcs12(options).map(&:id)
  end

  framework.db.delete_credentials(ids: ids).map do |stored_pkcs12|
    StoredPkcs12.new(stored_pkcs12)
  end
end

#filter_pkcs12(options) ⇒ Array<Metasploit::Credential::Core>

Return the raw stored pkcs12.

Parameters:

• options (Hash) —

  See the options hash description in #pkcs12.

Returns:

• (Array<Metasploit::Credential::Core>)

# File 'lib/msf/core/exploit/remote/pkcs12/storage.rb', line 68

def filter_pkcs12(options)
  return [] unless active_db?

  filter = {}
  filter[:id] = options[:id] if options[:id].present?

  creds = framework.db.creds(
    workspace: options.fetch(:workspace) { workspace },
    type: 'Metasploit::Credential::Pkcs12',
    **filter
  ).select do |cred|
    # this is needed since if a filter is provided (e.g. `id:`) framework.db.creds will ignore the type:
    next false unless cred.private.type == 'Metasploit::Credential::Pkcs12'

    if options[:username].present?
      next false if options[:username].casecmp(cred.public.username) != 0
    end

    if options[:realm].present? && cred.realm
      next false if options[:realm].casecmp(cred.realm.value) != 0
    end

    if options[:status].present?
      # If status is not set on the credential, considere it is `active`
      status = cred.private.status || 'active'
      next false if status != options[:status]
    end

    cert = cred.private.openssl_pkcs12.certificate
    unless Time.now.between?(cert.not_before, cert.not_after)
      ilog("[filter_pkcs12] Found a matching certificate but it has expired")
      next false
    end

    if options[:tls_auth]
      eku = cert.extensions.select { |c| c.oid == 'extendedKeyUsage' }.first
      unless eku&.value.include?('TLS Web Client Authentication')
        ilog("[filter_pkcs12] Found a matching certificate but it doesn't have the 'TLS Web Client Authentication' EKU")
        next false
      end
    end

    true
  end
end

#pkcs12(options = {}, &block) ⇒ Array<StoredPkcs12>

Get stored pkcs12 matching the options query.

Parameters:

• options (Hash) (defaults to: {}) —

  The options for matching pkcs12’s.

Options Hash (options):

• :id (Integer, Array<Integer>) —

  The identifier of the pkcs12 (optional)

• :realm (String) —

  The realm of the pkcs12 (optional)

• :username (String) —

  The username of the pkcs12 (optional)

Returns:

• (Array<StoredPkcs12>)

# File 'lib/msf/core/exploit/remote/pkcs12/storage.rb', line 52

def pkcs12(options = {}, &block)
  stored_pkcs12_array = filter_pkcs12(options).map do |pkcs12_entry|
    StoredPkcs12.new(pkcs12_entry)
  end

  stored_pkcs12_array.each do |stored_pkcs12|
    block.call(stored_pkcs12) if block_given?
  end

  stored_pkcs12_array
end

#read_pkcs12_cert_path(cert_path, cert_pass = '', workspace: nil) ⇒ Object

Parameters:

• cert_path (String) —

  A path to the file system where a pkcs12 cert is located, or a reference to a core database i.e., “id:123”

• cert_pass (String) (defaults to: '') —

  The certificate password

• workspace (String) (defaults to: nil) —

  The workspace to restrict searches to

# File 'lib/msf/core/exploit/remote/pkcs12/storage.rb', line 22

def read_pkcs12_cert_path(cert_path, cert_pass = '', workspace: nil)
  if cert_path&.start_with?('id:')
    core = framework.db.creds({ workspace: workspace, id: cert_path.delete_prefix('id:') }).first
    raise Msf::ValidationError, 'Invalid cert id provided' unless core
    raise Msf::ValidationError, 'Invalid cert id provided - not a pkcs12 credential' unless core.private.type == 'Metasploit::Credential::Pkcs12'

    data = Base64.decode64(core.private.data)
  else
    is_readable = ::File.file?(cert_path) && ::File.readable?(cert_path)
    raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.' unless is_readable
    data = File.binread(cert_path)
  end

  begin
    # TODO: Is it possible to read the cert pass from the db?
    pkcs12 = OpenSSL::PKCS12.new(data, cert_pass)
  rescue StandardError => e
    raise Msf::ValidationError, "Failed to load the PFX file (#{e})"
  end

  { path: cert_path, value: pkcs12 }
end

#workspace ⇒ String

Returns The name of the workspace in which to operate.

Returns:

• (String) —

  The name of the workspace in which to operate.

# File 'lib/msf/core/exploit/remote/pkcs12/storage.rb', line 128

def workspace
  if @framework_module
    return @framework_module.workspace
  elsif @framework&.db&.active
    return @framework.db.workspace&.name
  end
end