Slide 1
Hijacking Arbitrary .NET Application Control Flow
Topher Timzen

Slide 2
#whoami
• Topher Timzen
• Security Researcher, Intel Security
• Trainer
• @TTimzen
• TopherTimzen.com

Slide 3
Overview
• .NET?
• Runtime Attacks
• Modify Control Flow
• Machine Code Editing
• Managed Heap

Slide 4
Why are we Here?
• Tools Released
• Use .NET to attack
• Using Objects on the Heap

Slide 5
CLR Attacks
• Controlling the Common Language Runtime
• Accessing raw objects on Managed Heap
• Manipulate AppDomains
  • Controlling all Loaded Code
  • Controlling Just-In-Time Compilation

Slide 6
Attack With ASM
• Manipulate Resources
• Attack methods at ASM level
• Alter application control flow

Slide 7
Runtime (diagram)
• .NET Process
  • CLR (2.0/4.0) & AppDomains
    • Assemblies (.EXE and .DLL(s))
      • Classes
        • Methods: Logic
        • Objects: Properties, Fields, Instance Methods

Slide 8
The Tools
• Gray Frost & Gray Storm

Slide 9
Gray Frost

Slide 10
Gray Frost
• Payload delivery system
• Memory-resident Attack
• C++ .NET CLR Bootstrapper
  • Creates or injects 4.0 runtime
  • Capability to pivot into 2.0 runtime
  • Contains raw payload

Slides 11-12 (identical build slides: Slide 10 plus the following)
• 2 Rounds
  • GrayFrostCpp
  • GrayFrostCSharp
    • C# Payload

Slides 13-16
Round 1 (diagram, built up over four slides)
• .NET Process
• Mscoree
• GrayFrostCpp
• GrayFrostCSharp

Slides 17-20
Round 2 (diagram, built up over four slides)
• .NET Process
• GrayFrostCSharp
• payload: void main()
• Payload

Slides 21-27
Pivoting Between Runtimes (diagram, built up over seven slides)
• .NET Process
• Mscoree
• GrayFrostCpp
• GrayFrostCSharp

Slide 28
Gray Storm

Slide 29
Gray Storm
• Reconnaissance and In-memory attack payload
• Features
  • Attacking the .NET JIT
  • Attacking .NET at the ASM level
  • ASM and Metasploit payloads
  • Utilize objects on the Managed Heap

Slide 30
Gray Storm Usage (screenshot; no further text recovered)

Slide 31
Controlling the JIT
• Method Tables contain the address of the JIT stub for a class's methods
• During JIT the Method Table is referenced
• We can control the address
• Lives after Garbage Collection

Slides 32-34
Controlling the JIT (diagrams; no further text recovered)

Slide 35
Control Flow Attacks
• .NET uses far and relative calls
• 0xE8: Call [imm] (x86)
• 0xFF 0x15: Call dword segmentRegister[imm] (x86)
• relCall = dstAddress - (currentLocation + lenOfCall)
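A worked example of the displacement formula on this slide, added here as an illustration; it is not code from the talk or from Gray Storm. It encodes an E8 call from a constructed location to a constructed destination using 32-bit wrapping arithmetic (the same arithmetic the CPU applies to EIP), decodes both call forms named on the slide back to their targets, and includes the kind of range check an integrity checker walking JIT'd code would use to flag a call whose target leaves the expected region. All addresses are made up. Note that the FF 15 form yields the address of the 4-byte pointer slot, not the callee, so a checker has to read that slot as well.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Instruction lengths of the two x86 call forms named on the slide. */
enum { CALL_REL32_LEN = 5,    /* E8 rel32                         */
       CALL_IND32_LEN = 6 };  /* FF 15 disp32: call dword ptr [disp32] */

/* relCall = dstAddress - (currentLocation + lenOfCall), computed in
   32-bit unsigned arithmetic so it wraps exactly as EIP arithmetic does. */
int32_t rel32_for_call(uint32_t current, uint32_t dst) {
    return (int32_t)(dst - (current + CALL_REL32_LEN));
}

/* Emit the 5-byte E8 encoding with a little-endian displacement. */
void encode_call_rel32(uint32_t current, uint32_t dst, uint8_t out[CALL_REL32_LEN]) {
    uint32_t rel = (uint32_t)rel32_for_call(current, dst);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a call located at `addr` whose bytes are in `code`.
   Returns the instruction length, or 0 if the bytes are neither form.
   E8: *target is the callee.  FF 15: *target is the address of the pointer
   slot; whatever that slot holds at run time is where control goes. */
size_t decode_call(const uint8_t *code, uint32_t addr, uint32_t *target, int *indirect) {
    if (code[0] == 0xE8) {
        *target = addr + CALL_REL32_LEN + read_le32(code + 1);
        *indirect = 0;
        return CALL_REL32_LEN;
    }
    if (code[0] == 0xFF && code[1] == 0x15) {
        *target = read_le32(code + 2);
        *indirect = 1;
        return CALL_IND32_LEN;
    }
    return 0;
}

/* Integrity-check helper: does a decoded direct target fall inside [lo, hi)?
   A checker walking JIT'd code can flag calls that leave the expected range. */
int target_in_range(uint32_t target, uint32_t lo, uint32_t hi) {
    return target >= lo && target < hi;
}

/* Encode at `current` toward `dst`, decode the bytes again, return the target. */
uint32_t roundtrip_call_target(uint32_t current, uint32_t dst) {
    uint8_t buf[CALL_REL32_LEN];
    uint32_t target = 0;
    int indirect = 0;
    encode_call_rel32(current, dst, buf);
    decode_call(buf, current, &target, &indirect);
    return target;
}

/* Constructed bytes for an FF 15 call through the slot at 0x12345678. */
uint32_t demo_indirect_slot(void) {
    const uint8_t code[] = { 0xFF, 0x15, 0x78, 0x56, 0x34, 0x12 };
    uint32_t target = 0;
    int indirect = 0;
    decode_call(code, 0x00401000u, &target, &indirect);
    return indirect ? target : 0;
}

int main(void) {
    /* Constructed addresses: a forward call, a backward call, and a wrap-around. */
    printf("rel32 0x401000 -> 0x401234: %d\n", rel32_for_call(0x00401000u, 0x00401234u));
    printf("rel32 0x401234 -> 0x401000: %d\n", rel32_for_call(0x00401234u, 0x00401000u));
    printf("wrap  0xFFFFFFF0 -> 0x10 decodes to 0x%08x\n",
           roundtrip_call_target(0xFFFFFFF0u, 0x00000010u));
    printf("FF 15 slot: 0x%08x\n", demo_indirect_slot());
    return 0;
}
```

The wrap-around case is the one worth remembering when checking displacements by hand: the subtraction is done modulo 2^32, so a small positive rel32 can legitimately point across the top of the address space.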

Slide 36
ASM Payloads
• Address of a method known through Reflection
• Overwrite method logic with new ASM
• Steal stack parameters
• Change events

Slide 37
ASM Payloads
• Change return TRUE to return FALSE
  • Password validation
  • Key & Licensing validation
  • SQL Sanitization
• Destroy security Mechanisms
• Overwrite logic
• Update Mechanisms

Slide 38
ASM Payloads (diagram; no further text recovered)

Slide 39
ASM Payloads
• Metasploit
• Hand Rolled
• Portable Environment Block (PEB) changes

Slide 40
Portable Environment Block
http://www.tophertimzen.com/blog/shellcodeDotNetPEB/

Slide 41
Object Hunting in Memory

Slide 42
Managed Heap
• Storage point for .NET Objects
• New reference objects added to heap
• Garbage Collector removes dead objects

Slide 43
Managed Heap (Slide 42 plus the following)
• Let's manipulate it!

Slide 44
Structure (diagram; no further text recovered)

Slide 45
Structure Example: System.Double (diagram)

Slide 46
Object Hunting in Memory
• Objects are IntPtrs
• Point to Object Instance on Managed Heap
• All instantiated objects of the same class share the same Method Table
• Reflection / Object Hunting / Win

Slide 47
Finding Objects at Runtime
i. Construct an object and find location of Managed Heap
ii. Signature instantiated type
iii. Scan Managed Heap for object pointers
iv. Convert object pointers to raw objects

Slide 48
Finding Objects at Runtime (recap of Slide 47, before step i)

Slide 49
Construct an Object
• Use Reflection to invoke a constructor
• Can instantiate any object
  • Being mindful that some constructors can invoke a lot of code
• If a constructor takes other objects, nullify them
• https://gist.github.com/tophertimzen/010b19fdbde77f251414

Slides 50-53
Find Location of Managed Heap (diagram, built up over four slides)
• STACK (L ... H): IntPtr = 024e9fe8 and IntPtr = 5
• Managed Heap: 024e9fe8 (Object): 00000005 00000001 00000000
• The IntPtr on the stack points at the object at 024e9fe8 on the Managed Heap
• https://gist.github.com/tophertimzen/812aa20dbe23cb42756d

Slide 54
Finding Objects at Runtime (recap of Slide 47, before step ii)

Slide 55
Signature Instantiated Type (x86)
• Object Instances contain a Method Table pointer to their corresponding type.
• Bytes 0-3 are the Method Table (MT)
• Bytes 4-7 in MT is Instance Size
0:009> dd 024e9fe8
024e9fe8 00774828 0000038c 00000001 00000000

Slide 56
Signature Instantiated Type (x64)
• Object Instances contain a Method Table pointer to their corresponding type.
• Bytes 0-7 are the Method Table (MT)
• Bytes 8-11 in MT is Instance Size
0:008> dd 00000000024e9fe8
00000000`0286b8e0 ea774828 000007fe

Slide 57
Finding Objects at Runtime (recap of Slide 47, before step iii)

Slide 58
Scan Managed Heap
• Scan down incrementing by size of object
• Scan linearly up to top of heap
• Compare object's Method Table to the reference
• If they match, get IntPtr address of object

Slide 59
Scan Managed Heap (Slide 58 plus the following)
• Use ASM!

Slide 60
Using ASM!
• GrayStorm/objectHunter
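The signature-and-scan steps of slides 55 through 59 as a runnable model, added here as an illustration; it is not GrayStorm/objectHunter and not the author's code. It lays a constructed byte buffer out as a sequence of objects whose first pointer-sized bytes are a Method Table pointer, stores the instance size inside each fake MT at the offset the slides give (bytes 4-7 on x86, bytes 8-11 on x64), then walks the buffer object by object comparing every MT against a reference MT, which is how a heap walker in a debugger or memory-forensics tool enumerates the instances of one type. The two MTs and five objects are constructed in-process. A walker over a real managed heap would additionally have to handle free objects and the variable component size of arrays and strings, and should, as this one does, refuse to dereference an MT pointer it does not recognise.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offset of the instance size inside the Method Table, as given on the slides
   (constructed model: x86 -> bytes 4-7, x64 -> bytes 8-11). */
#if UINTPTR_MAX == 0xFFFFFFFFu
#define MT_SIZE_OFFSET 4
#else
#define MT_SIZE_OFFSET 8
#endif

/* First pointer-sized bytes of an object instance: its Method Table pointer. */
static uintptr_t object_mt(const uint8_t *obj) {
    uintptr_t mt;
    memcpy(&mt, obj, sizeof mt);
    return mt;
}

/* Instance size recorded inside the Method Table. */
static uint32_t mt_instance_size(uintptr_t mt) {
    uint32_t size;
    memcpy(&size, (const uint8_t *)mt + MT_SIZE_OFFSET, sizeof size);
    return size;
}

static int mt_is_known(uintptr_t mt, const uintptr_t *known, size_t nknown) {
    for (size_t i = 0; i < nknown; i++)
        if (known[i] == mt) return 1;
    return 0;
}

/* Walk [heap_lo, heap_hi) linearly, stepping by each object's instance size,
   and record the offsets of objects whose MT equals reference_mt.  An MT
   outside the known set, or a size that would not advance, stops the walk
   instead of dereferencing an arbitrary pointer. */
size_t find_instances(const uint8_t *heap_lo, const uint8_t *heap_hi,
                      uintptr_t reference_mt,
                      const uintptr_t *known, size_t nknown,
                      size_t *out_offsets, size_t max_out)
{
    size_t found = 0;
    const uint8_t *p = heap_lo;
    while (p + sizeof(uintptr_t) <= heap_hi) {
        uintptr_t mt = object_mt(p);
        if (!mt_is_known(mt, known, nknown)) break;
        uint32_t size = mt_instance_size(mt);
        if (size < sizeof(uintptr_t)) break;
        if (mt == reference_mt && found < max_out)
            out_offsets[found++] = (size_t)(p - heap_lo);
        p += size;
    }
    return found;
}

/* ---- constructed demo heap: two fake Method Tables, five objects ---- */
enum { MT_BYTES = 16, HEAP_BYTES = 104, SIZE_A = 24, SIZE_B = 16, MAX_HITS = 8 };
static uint8_t g_mt_a[MT_BYTES], g_mt_b[MT_BYTES], g_heap[HEAP_BYTES];
static size_t g_hits[MAX_HITS];
static size_t g_heap_used;

static void make_mt(uint8_t *mt, uint32_t instance_size) {
    memset(mt, 0, MT_BYTES);
    memcpy(mt + MT_SIZE_OFFSET, &instance_size, sizeof instance_size);
}

/* Write an object's MT pointer at `offset`; its fields stay zero. */
static size_t place_object(size_t offset, uintptr_t mt) {
    memcpy(g_heap + offset, &mt, sizeof mt);
    return offset + mt_instance_size(mt);
}

static void build_demo_heap(void) {
    make_mt(g_mt_a, SIZE_A);
    make_mt(g_mt_b, SIZE_B);
    memset(g_heap, 0, sizeof g_heap);
    uintptr_t a = (uintptr_t)g_mt_a, b = (uintptr_t)g_mt_b;
    size_t off = 0;
    off = place_object(off, a);   /* A at offset 0  */
    off = place_object(off, b);   /* B at offset 24 */
    off = place_object(off, a);   /* A at offset 40 */
    off = place_object(off, a);   /* A at offset 64 */
    off = place_object(off, b);   /* B at offset 88 */
    g_heap_used = off;            /* 104 bytes in use */
}

/* Count instances of type A (want_b == 0) or type B; offsets land in g_hits. */
size_t demo_walk(int want_b) {
    build_demo_heap();
    const uintptr_t known[] = { (uintptr_t)g_mt_a, (uintptr_t)g_mt_b };
    uintptr_t reference = want_b ? (uintptr_t)g_mt_b : (uintptr_t)g_mt_a;
    return find_instances(g_heap, g_heap + g_heap_used, reference,
                          known, 2, g_hits, MAX_HITS);
}

size_t demo_hit(size_t i) { return g_hits[i]; }

int main(void) {
    size_t n = demo_walk(0);
    printf("%zu instances of type A\n", n);
    for (size_t i = 0; i < n; i++) printf("  heap+0x%zx\n", demo_hit(i));
    return 0;
}
```

The walk is the same linear scan the slides describe: read the MT at the current position, read the size out of the MT, compare, advance. The known-MT allowlist is the defensive addition; on a real heap a corrupted or mis-aligned start would otherwise send the walker reading from whatever value happened to be at that position.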

Slide 61
Finding Objects at Runtime (recap of Slide 47, before step iv)

Slides 62-64
Convert Object ptr -> raw obj (diagram, built up over three slides)
• STACK (L ... H): Refer (System.IntPtr) holds pointer(024ea00c)
• After conversion: Refer (GrayStorm.testClass) holds pointer(024ea00c)
• https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

Slide 65
DEMO

Slide 66
WIN.RAR

Slide 67
Superpowers and Things?
• Change Keys
• Change Fields / Properties
• Call Methods
  • With arguments!

Slide 68
Automation

Slide 69
Automation
• GrayFrost can be used with automated payloads

Slide 70
Automations == <3

Slide 71
Constructing Attack Chains

Slide 72
How to construct attack chains
• Gray Wolf / IL Decompiler
  • Find Methods, Fields & Properties of interest
  • Locate meaningful objects
  • Discover high level control flow
• Gray Storm "Debugging" functionality
  • Breakpoint at constructors or methods from Method Pointers
  • Use with WinDbg
• Utilize DLL Hijacking!

Slide 73
Hybrid .NET/ASM Attacks
• Hybrid C#/ASM code in .NET
• Encrypting .NET payloads and unwinding
• Encrypting ASM Payloads

Slide 74
Payload System
• C# is easy
• Can use Gray Frost in any application
• Low and High level gap is easy

Slide 75
.NET Hacking Space
• Small
• Few tools
• Mostly hacking WoW
• Lots of PowerShell
• Lots of decompilers and not many attackers!

Slide 76
Conclusion
• Arbitrary .NET applications can be injected and changed
• New .NET attack possibilities
• New tools that support automation
• Get Gray Frost and Storm: github.com/graykernel

Slide 77
Questions?
• Contact Me: @TTimzen, https://www.tophertimzen.com
• Get Gray Frost and Storm: github.com/graykernel
• White Papers
  • Hijacking Arbitrary .NET Application Control Flow
  • Acquiring .NET Objects from the Managed Heap