Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DEF CON 23 - Hijacking Arbitrary .NET Application Control Flow

Topher Timzen
August 09, 2015
Technology
0
76

DEF CON 23 - Hijacking Arbitrary .NET Application Control Flow

This speech will demonstrate attacking .NET applications at runtime. I will show how to modify running applications with advanced .NET and assembly level attacks that alter the control flow of any .NET application. New attack techniques and tools will be released to allow penetration testers and attackers to carry out advanced post exploitation attacks.

This presentation gives an overview of how to use these tools in a real attack sequence and gives a view into the .NET hacker space.

Topher Timzen

August 09, 2015
Tweet

More Decks by Topher Timzen

See All by Topher Timzen
EDR Is Coming; Hide Yo Sh!t
tophertimzen
3
3.3k
A History of the BSidesPDX CTF
tophertimzen
1
110
Attack Infrastructure for the Modern Red Team
tophertimzen
2
1.2k
The Trials and Tribulations of Building Your Own CTF and Shooting Gallery
tophertimzen
1
140
ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications
tophertimzen
1
540
SecTor 2015 - Hijacking Arbitrary .NET Application Control Flow
tophertimzen
0
110

Other Decks in Technology

See All in Technology
Search Evolution - Keeping up with the hype?
spinscale
0
110
Hunting for macOS attack techniques. Part 1 – Initial Access, Execution, Credential Access, Persistence
heirhabarov
1
480
ChatGPTとこころを整理してみる
nagauta
0
310
Антихрупкость в IT или как полюбить изменения
alexanderbyndyu
0
160
日浅流、 エンジニアリングマネージャーのしごと
takahia1988
0
110
Datadogで実現するセキュリティ オブザーバビリティ
taka2noda
1
130
「XIAOGYAN」への想い
matsujirushi
0
120
『AWSではじめるクラウドセキュリティ』の裏側を。
ryohatanmonolog
2
190
これから始める継続的インテグレーション - GitHub Actions編
devops_vtj
0
140
Vision.framework - 商品画像からのテキスト検出と並列化実装への試み
hcrane
0
200
Amazon VPC Lattice を使い始める前におさえておきたいポイント n 選 / Introduction to VPC Lattice
hayaok3
1
850
サービスレベル管理とは?〜計測すべき指標と活用について/What is Service Level Management
newrelic2023
0
300

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
7
990
Building Flexible Design Systems
yeseniaperezcruz
315
35k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
16
5.8k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
Side Projects
sachag
450
38k
Building Your Own Lightsaber
phodgson
96
5k
Making Projects Easy
brettharned
102
5k
Fantastic passwords and where to find them - at NoRuKo
philnash
33
2k
[RailsConf 2023] Rails as a piece of cake
palkan
6
1.4k
Rails Girls Zürich Keynote
gr2m
89
12k
Raft: Consensus for Rubyists
vanstee
130
5.8k
YesSQL, Process and Tooling at Scale
rocio
158
13k

Transcript

  1. Hijacking Arbitrary .NET
    Application Control Flow
    Topher Timzen

    View Slide

  2. Security Researcher, Intel
    Security Trainer
    TopherTimzen.com
    @TTimzen
    #whoami

    View Slide

  3. Overview
    .NET?
    Runtime Attacks
    Modify Control Flow
    Machine Code Editing
    Managed Heap

    View Slide

  4. Tools Released
    Use .NET to attack
    Using Objects on the Heap
    Why are we Here?

    View Slide

  5. CLR Attacks
    Controlling the Common Language
    Runtime
    Accessing raw objects on Managed Heap
    Manipulate AppDomains
    • Controlling all Loaded Code
    • Controlling Just-In-Time Compilation

    View Slide

  6. Attack With ASM
    Manipulate Resources
    Attack methods at ASM level
    Alter application control flow

    View Slide

  7. Runtime
    .NET Process
    CLR (2.0/4.0) & AppDomains
    Assemblies (.EXE and .DLL(s))
    Objects
    Properties
    Fields
    Instance Methods
    Classes
    Methods
    Logic

    View Slide

  8. Gray Frost
    &
    Gray Storm
    The Tools

    View Slide

  9. Gray Frost

    View Slide

  10. Gray Frost
    Payload delivery system
    C++ .NET CLR Bootstrapper
    Creates or injects 4.0 runtime
    Capability to pivot into 2.0 runtime
    Contains raw payload
    2 Rounds
    GrayFrostCpp
    GrayFrostCSharp
    • C# Payload

    View Slide

  11. Round 1
    .NET Process

    View Slide

  12. Round 1
    Mscoree
    GrayFrostCpp

    View Slide

  13. Round 1
    GrayFrostCpp

    View Slide

  14. Round 1
    GrayFrostCSharp
    GrayFrostCpp

    View Slide

  15. Round 2
    .NET Process

    View Slide

  16. Round 2
    .NET Process
    GrayFrostCSharp

    View Slide

  17. Round 2
    .NET Process
    payload void
    main()
    GrayFrostCSharp

    View Slide

  18. Round 2
    .NET Process
    Payload

    View Slide

  19. .NET Process
    Pivoting Between runtimes

    View Slide

  20. Mscoree
    GrayFrostCpp
    Pivoting Between runtimes

    View Slide

  21. GrayFrostCpp
    Pivoting Between runtimes

    View Slide

  22. GrayFrostCSharp
    GrayFrostCpp
    Pivoting Between runtimes

    View Slide

  23. GrayFrostCSharp
    GrayFrostCpp
    Pivoting Between runtimes

    View Slide

  24. GrayFrostCpp
    Pivoting Between runtimes

    View Slide

  25. GrayFrostCSharp
    GrayFrostCpp
    Pivoting Between runtimes

    View Slide

  26. GrayFrostCSharp
    GrayFrostCpp
    Pivoting Between runtimes

    View Slide

  27. Gray Storm

    View Slide

  28. Gray Storm
    Reconnaissance and In-memory attack
    payload
    Features
    Attacking the .NET JIT
    Attacking .NET at the ASM level
    ASM and Metasploit payloads
    Utilize objects on the Managed Heap

    View Slide

  29. Gray Storm Usage

    View Slide

  30. Controlling the JIT
    Method Tables contain address of JIT
    stub for a class’s methods.
    During JIT the Method Table is referenced
    We can control the address
    Lives after Garbage Collection

    View Slide

  31. Controlling the JIT

    View Slide

  32. Controlling the JIT

    View Slide

  33. Control Flow Attacks
    .NET uses far and relative calls
    0xE8; Call [imm]
     0xFF 0x15; Call dword
    segmentRegister[imm]
    relCall = dstAddress - (currentLocation+ lenOfCall)

    View Slide

  34. ASM Payloads
    Address of a method known through
    Reflection
    Overwrite method logic with new ASM
    Steal stack parameters
    Change events

    View Slide

  35. ASM Payloads
    Change return TRUE to return FALSE
    Password validation
    Key & Licensing validation
    SQL Sanitization
    Destroy security Mechanisms
    Overwrite logic
    Update Mechanisms

    View Slide

  36. ASM Payloads

    View Slide

  37. ASM Payloads
    Metasploit
    Hand Rolled
    Portable Environment Block (PEB) changes

    View Slide

  38. Portable Environment Block
    http://www.tophertimzen.com/blog/shellcodeDotNetPEB/

    View Slide

  39. Object Hunting in Memory

    View Slide

  40. Managed Heap
    Storage point for .NET Objects
    New reference objects added to heap
    Garbage Collector removes dead
    objects

    View Slide

  41. Managed Heap
    Storage point for .NET Objects
    New reference objects added to heap
    Garbage Collector removes dead
    objects
    Let’s manipulate it!

    View Slide

  42. Object Hunting in Memory
    Objects are IntPtrs
    Point to Object Instance on Managed Heap
    All instantiated objects of the same class share
    the same Method Table
    Reflection Object Hunting
    Win

    View Slide

  43. Finding Objects at Runtime
    i. Construct an object and find location
    of Managed Heap
    ii. Signature instantiated type
    iii. Scan Managed Heap for object pointers
    iv. Convert object pointers to raw objects
    v. ????
    vi. PROFIT

    View Slide

  44. Finding Objects at Runtime
    i. Construct an object and find location
    of Managed Heap
    ii. Signature instantiated type
    iii. Scan Managed Heap for object pointers
    iv. Convert object pointers to raw objects
    v. ????
    vi. PROFIT

    View Slide

  45. Construct an Object
    Use Reflection to invoke a constructor
    Can instantiate any object
    If a constructor takes other objects,
    nullify them
    https://gist.github.com/tophertimzen/010b19fdbde77f251414

    View Slide

  46. IntPtr = 024e9fe8
    024e9fe8 (Object)
    00000005
    00000001
    00000000
    IntPtr = 5
    STACK
    024e9fe8 (Object)
    L
    H
    https://gist.github.com/tophertimzen/812aa20dbe23cb42756d
    Find location of Managed Heap

    View Slide

  47. IntPtr = 024e9fe8
    024e9fe8 (Object)
    00000005
    00000001
    00000000
    IntPtr = 5
    STACK
    Managed Heap
    024e9fe8 (Object)
    L
    H
    https://gist.github.com/tophertimzen/812aa20dbe23cb42756d
    Find location of Managed Heap

    View Slide

  48. IntPtr = 024e9fe8
    024e9fe8 (Object)
    00000005
    00000001
    00000000
    IntPtr = 5
    STACK
    024e9fe8 (Object)
    L
    H
    https://gist.github.com/tophertimzen/812aa20dbe23cb42756d
    Find location of Managed Heap

    View Slide

  49. IntPtr = 024e9fe8
    024e9fe8 (Object)
    00000005
    00000001
    00000000
    STACK
    L
    H
    https://gist.github.com/tophertimzen/812aa20dbe23cb42756d
    Find location of Managed Heap

    View Slide

  50. Finding Objects at Runtime
    i. Construct an object and find location
    of Managed Heap
    ii. Signature instantiated type
    iii. Scan Managed Heap for object pointers
    iv. Convert object pointers to raw objects
    v. ????
    vi. PROFIT

    View Slide

  51. Signature instantiated type
    Object Instances contain a Method Table
    pointer to their corresponding type.
    (x86)
    Bytes 0-3 are the Method Table (MT)
    Bytes 4-7 in MT is Instance Size
    0:009> dd 024e9fe8
    024e9fe8 00774828 0000038c 00000001 00000000

    View Slide

  52. Signature instantiated type
    Object Instances contain a Method Table
    pointer to their corresponding type.
    (x64)
    Bytes 0-7 are the Method Table (MT)
    Bytes 8-11 in MT is Instance Size
    0:008> dd 00000000024e9fe8
    00000000`0286b8e0 ea774828 000007fe

    View Slide

  53. Finding Objects at Runtime
    i. Construct an object and find location
    of Managed Heap
    ii. Signature instantiated type
    iii. Scan Managed Heap for object pointers
    iv. Convert object pointers to raw objects
    v. ????
    vi. PROFIT

    View Slide

  54. Scan Managed Heap
    Scan down incrementing by size of object
    Scan linearly up to top of heap
    Compare object’s Method Table to the
    reference
    If they match, get IntPtr address of object

    View Slide

  55. Finding Objects at Runtime
    i. Construct an object and find location
    of Managed Heap
    ii. Signature instantiated type
    iii. Scan Managed Heap for object pointers
    iv. Convert object pointers to raw objects
    v. ????
    vi. PROFIT

    View Slide

  56. Convert object ptr -> raw obj
    STACK
    Refer (System.IntPtr)
    pointer(024ea00c )
    pointer(024ea00c )
    L
    H
    https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

    View Slide

  57. Convert object ptr -> raw obj
    STACK
    Refer (System.IntPtr)
    pointer(024ea00c )
    pointer(024ea00c )
    L
    H
    https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

    View Slide

  58. Convert object ptr -> raw obj
    Refer (GrayStorm.testClass)
    pointer(024ea00c )
    STACK
    L
    H
    https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

    View Slide

  59. Finding Objects at Runtime
    i. Construct an object and find location
    of Managed Heap
    ii. Signature instantiated type
    iii. Scan Managed Heap for object pointers
    iv. Convert object pointers to raw objects
    v. ????
    vi. PROFIT

    View Slide

  60. ????

    View Slide

  61. PROFIT

    View Slide

  62. Superpowers and Things?
    Change Keys
    Change Fields / Properties
    Call Methods
    With arguments!

    View Slide

  63. Automation

    View Slide

  64. Automation
    GrayFrost can be used with automated
    payloads

    View Slide

  65. Constructing Attack Chains

    View Slide

  66. How to construct attack chains
    Gray Wolf / IL Decompiler
     Find Methods, Fields & Properties of
    interest
     Locate meaningful objects
     Discover high level control flow
    Gray Storm “Debugging” functionality
     Breakpoint at constructors or methods
    from Method Pointers
     Use with WinDbg
    Utilize DLL Hijacking!

    View Slide

  67. Hybrid .NET/ASM Attacks
    Hybrid C#/ASM code in .NET
    Encrypting .NET payloads and
    unwinding
    Encrypting ASM Payloads

    View Slide

  68. Payload System
    C# is easy
    Can use Gray Frost in any
    application
    Low and High level gap is easy

    View Slide

  69. .NET Hacking Space
    Small
    Few tools
    Mostly hacking WoW
    Lots of PowerShell
    Previous DEF CON talks
    DEF CON 18 & 19 - Jon McCoy

    View Slide

  70. Conclusion
    Arbitrary .NET applications can
    be injected and changed
    New .NET attack possibilities
    New tools that support
    automation
    Get Gray Frost and Storm
    github.com/graykernel

    View Slide

  71. Questions?
    Contact Me
    @TTimzen
    https://www.tophertimzen.com
    Get Gray Frost and Storm
    github.com/graykernel
    White Papers
    Hijacking Arbitrary .NET Application Control Flow
    Acquiring .NET Objects from the Managed Heap

    View Slide