Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DEF CON 23 - Hijacking Arbitrary .NET Applicati...

Avatar for Topher Timzen Topher Timzen
August 09, 2015
Technology
0
100

DEF CON 23 - Hijacking Arbitrary .NET Application Control Flow

This speech will demonstrate attacking .NET applications at runtime. I will show how to modify running applications with advanced .NET and assembly level attacks that alter the control flow of any .NET application. New attack techniques and tools will be released to allow penetration testers and attackers to carry out advanced post exploitation attacks.

This presentation gives an overview of how to use these tools in a real attack sequence and gives a view into the .NET hacker space.
Avatar for Topher Timzen

Topher Timzen

August 09, 2015
Tweet

More Decks by Topher Timzen

See All by Topher Timzen
EDR Is Coming; Hide Yo Sh!t
Avatar for Topher Timzen tophertimzen
3
11k
A History of the BSidesPDX CTF
Avatar for Topher Timzen tophertimzen
1
250
Attack Infrastructure for the Modern Red Team
Avatar for Topher Timzen tophertimzen
3
2k
The Trials and Tribulations of Building Your Own CTF and Shooting Gallery
Avatar for Topher Timzen tophertimzen
1
230
ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications
Avatar for Topher Timzen tophertimzen
2
810
SecTor 2015 - Hijacking Arbitrary .NET Application Control Flow
Avatar for Topher Timzen tophertimzen
0
140

Other Decks in Technology

See All in Technology
Cursorをチョッパヤインタビューライターにチューニングする方法 / how to tuning cursor for interview write
Avatar for ShuzoN shuzon
2
220
Azure & DevSecOps
Avatar for KAMEGAWA Kazushi kkamegawa
2
180
2025年8月から始まるAWS Lambda INITフェーズ課金/AWS Lambda INIT phase billing changes
Avatar for quiver quiver
1
1k
MagicPodが描くAIエージェント戦略とソフトウェアテストの未来
Avatar for MagicPod magicpod
0
220
LLM アプリケーションのためのクラウドセキュリティ - CSPM の実装ポイント-
Avatar for KINTOテクノロジーズ Osaka Tech Lab osakatechlab
0
410
SaaS公式MCPサーバーをリリースして得た学び
Avatar for ryo kawamataryo
4
1.2k
Sleep-time Compute: LLM推論コスト削減のための事前推論
Avatar for sergicalsix sergicalsix
1
130
激動の一年を通じて見えてきた「技術でリードする」ということ
Avatar for ktr ktr_0731
5
4.1k
CARTA HOLDINGS エンジニア向け 採用ピッチ資料 / CARTA-GUIDE-for-Engineers
Avatar for CARTA Engineering carta_engineering
0
27k
試作とデモンストレーション / Prototyping and Demonstrations
Avatar for Kenji Saito ks91
PRO
0
130
Ruby on Rails の楽しみ方
Avatar for morihirok morihirok
2
540
DynamoDB のデータを QuickSight で可視化する際につまづいたこと/stumbling-blocks-when-visualising-dynamodb-with-quicksight
Avatar for emi emiki
0
150

Featured

See All Featured
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
23
1.6k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.1k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
172
14k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
68
11k
Side Projects
Avatar for Sacha Greif sachag
453
42k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
656
60k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
53
11k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
523
40k
Making Projects Easy
Avatar for Brett Harned brettharned
116
6.2k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
276
23k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
160
15k

Transcript

  1. Hijacking Arbitrary .NET Application Control Flow Topher Timzen

  2. Security Researcher, Intel Security Trainer TopherTimzen.com @TTimzen #whoami

  3. Overview .NET? Runtime Attacks Modify Control Flow Machine Code Editing

    Managed Heap

  4. Tools Released Use .NET to attack Using Objects on the

    Heap Why are we Here?

  5. CLR Attacks Controlling the Common Language Runtime Accessing raw objects

    on Managed Heap Manipulate AppDomains • Controlling all Loaded Code • Controlling Just-In-Time Compilation

  6. Attack With ASM Manipulate Resources Attack methods at ASM level

    Alter application control flow

  7. Runtime .NET Process CLR (2.0/4.0) & AppDomains Assemblies (.EXE and

    .DLL(s)) Objects Properties Fields Instance Methods Classes Methods Logic

  8. Gray Frost & Gray Storm The Tools

  9. Gray Frost

  10. Gray Frost Payload delivery system C++ .NET CLR Bootstrapper Creates

    or injects 4.0 runtime Capability to pivot into 2.0 runtime Contains raw payload 2 Rounds GrayFrostCpp GrayFrostCSharp • C# Payload

  11. Round 1 .NET Process

  12. Round 1 Mscoree GrayFrostCpp

  13. Round 1 GrayFrostCpp

  14. Round 1 GrayFrostCSharp GrayFrostCpp

  15. Round 2 .NET Process

  16. Round 2 .NET Process GrayFrostCSharp

  17. Round 2 .NET Process payload void main() GrayFrostCSharp

  18. Round 2 .NET Process Payload

  19. .NET Process Pivoting Between runtimes

  20. Mscoree GrayFrostCpp Pivoting Between runtimes

  21. GrayFrostCpp Pivoting Between runtimes

  22. GrayFrostCSharp GrayFrostCpp Pivoting Between runtimes

  23. GrayFrostCSharp GrayFrostCpp Pivoting Between runtimes

  24. GrayFrostCpp Pivoting Between runtimes

  25. GrayFrostCSharp GrayFrostCpp Pivoting Between runtimes

  26. GrayFrostCSharp GrayFrostCpp Pivoting Between runtimes

  27. Gray Storm

  28. Gray Storm Reconnaissance and In-memory attack payload Features Attacking the

    .NET JIT Attacking .NET at the ASM level ASM and Metasploit payloads Utilize objects on the Managed Heap

  29. Gray Storm Usage

  30. Controlling the JIT Method Tables contain address of JIT stub

    for a class’s methods. During JIT the Method Table is referenced We can control the address Lives after Garbage Collection

  31. Controlling the JIT

  32. Controlling the JIT

  33. Control Flow Attacks .NET uses far and relative calls 0xE8;

    Call [imm]  0xFF 0x15; Call dword segmentRegister[imm] relCall = dstAddress - (currentLocation+ lenOfCall)

  34. ASM Payloads Address of a method known through Reflection Overwrite

    method logic with new ASM Steal stack parameters Change events

  35. ASM Payloads Change return TRUE to return FALSE Password validation

    Key & Licensing validation SQL Sanitization Destroy security Mechanisms Overwrite logic Update Mechanisms

  36. ASM Payloads

  37. ASM Payloads Metasploit Hand Rolled Portable Environment Block (PEB) changes

  38. Portable Environment Block http://www.tophertimzen.com/blog/shellcodeDotNetPEB/

  39. Object Hunting in Memory

  40. Managed Heap Storage point for .NET Objects New reference objects

    added to heap Garbage Collector removes dead objects

  41. Managed Heap Storage point for .NET Objects New reference objects

    added to heap Garbage Collector removes dead objects Let’s manipulate it!

  42. Object Hunting in Memory Objects are IntPtrs Point to Object

    Instance on Managed Heap All instantiated objects of the same class share the same Method Table Reflection Object Hunting Win

  43. Finding Objects at Runtime i. Construct an object and find

    location of Managed Heap ii. Signature instantiated type iii. Scan Managed Heap for object pointers iv. Convert object pointers to raw objects v. ???? vi. PROFIT

  44. Finding Objects at Runtime i. Construct an object and find

    location of Managed Heap ii. Signature instantiated type iii. Scan Managed Heap for object pointers iv. Convert object pointers to raw objects v. ???? vi. PROFIT

  45. Construct an Object Use Reflection to invoke a constructor Can

    instantiate any object If a constructor takes other objects, nullify them https://gist.github.com/tophertimzen/010b19fdbde77f251414

  46. IntPtr = 024e9fe8 024e9fe8 (Object) 00000005 00000001 00000000 IntPtr =

    5 STACK 024e9fe8 (Object) L H https://gist.github.com/tophertimzen/812aa20dbe23cb42756d Find location of Managed Heap

  47. IntPtr = 024e9fe8 024e9fe8 (Object) 00000005 00000001 00000000 IntPtr =

    5 STACK Managed Heap 024e9fe8 (Object) L H https://gist.github.com/tophertimzen/812aa20dbe23cb42756d Find location of Managed Heap

  48. IntPtr = 024e9fe8 024e9fe8 (Object) 00000005 00000001 00000000 IntPtr =

    5 STACK 024e9fe8 (Object) L H https://gist.github.com/tophertimzen/812aa20dbe23cb42756d Find location of Managed Heap

  49. IntPtr = 024e9fe8 024e9fe8 (Object) 00000005 00000001 00000000 STACK L

    H https://gist.github.com/tophertimzen/812aa20dbe23cb42756d Find location of Managed Heap

  50. Finding Objects at Runtime i. Construct an object and find

    location of Managed Heap ii. Signature instantiated type iii. Scan Managed Heap for object pointers iv. Convert object pointers to raw objects v. ???? vi. PROFIT

  51. Signature instantiated type Object Instances contain a Method Table pointer

    to their corresponding type. (x86) Bytes 0-3 are the Method Table (MT) Bytes 4-7 in MT is Instance Size 0:009> dd 024e9fe8 024e9fe8 00774828 0000038c 00000001 00000000

  52. Signature instantiated type Object Instances contain a Method Table pointer

    to their corresponding type. (x64) Bytes 0-7 are the Method Table (MT) Bytes 8-11 in MT is Instance Size 0:008> dd 00000000024e9fe8 00000000`0286b8e0 ea774828 000007fe

  53. Finding Objects at Runtime i. Construct an object and find

    location of Managed Heap ii. Signature instantiated type iii. Scan Managed Heap for object pointers iv. Convert object pointers to raw objects v. ???? vi. PROFIT

  54. Scan Managed Heap Scan down incrementing by size of object

    Scan linearly up to top of heap Compare object’s Method Table to the reference If they match, get IntPtr address of object

  55. Finding Objects at Runtime i. Construct an object and find

    location of Managed Heap ii. Signature instantiated type iii. Scan Managed Heap for object pointers iv. Convert object pointers to raw objects v. ???? vi. PROFIT

  56. Convert object ptr -> raw obj STACK Refer (System.IntPtr) pointer(024ea00c

    ) pointer(024ea00c ) L H https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

  57. Convert object ptr -> raw obj STACK Refer (System.IntPtr) pointer(024ea00c

    ) pointer(024ea00c ) L H https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

  58. Convert object ptr -> raw obj Refer (GrayStorm.testClass) pointer(024ea00c )

    STACK L H https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

  59. Finding Objects at Runtime i. Construct an object and find

    location of Managed Heap ii. Signature instantiated type iii. Scan Managed Heap for object pointers iv. Convert object pointers to raw objects v. ???? vi. PROFIT

  60. ????

  61. PROFIT

  62. Superpowers and Things? Change Keys Change Fields / Properties Call

    Methods With arguments!

  63. Automation

  64. Automation GrayFrost can be used with automated payloads

  65. Constructing Attack Chains

  66. How to construct attack chains Gray Wolf / IL Decompiler

     Find Methods, Fields & Properties of interest  Locate meaningful objects  Discover high level control flow Gray Storm “Debugging” functionality  Breakpoint at constructors or methods from Method Pointers  Use with WinDbg Utilize DLL Hijacking!

  67. Hybrid .NET/ASM Attacks Hybrid C#/ASM code in .NET Encrypting .NET

    payloads and unwinding Encrypting ASM Payloads

  68. Payload System C# is easy Can use Gray Frost in

    any application Low and High level gap is easy

  69. .NET Hacking Space Small Few tools Mostly hacking WoW Lots

    of PowerShell Previous DEF CON talks DEF CON 18 & 19 - Jon McCoy

  70. Conclusion Arbitrary .NET applications can be injected and changed New

    .NET attack possibilities New tools that support automation Get Gray Frost and Storm github.com/graykernel

  71. Questions? Contact Me @TTimzen https://www.tophertimzen.com Get Gray Frost and Storm

    github.com/graykernel White Papers Hijacking Arbitrary .NET Application Control Flow Acquiring .NET Objects from the Managed Heap