SecTor 2015 - Hijacking Arbitrary .NET Application Control Flow

This speech will demonstrate attacking .NET applications at runtime. I will show how to modify running applications with advanced .NET and assembly level attacks that alter the control flow of any .NET application. New attack techniques and tools will be released to allow penetration testers and attackers to carry out advanced post exploitation attacks.

This presentation gives an overview of how to use these tools in a real attack sequence and gives a view into the .NET hacker space.

Topher Timzen

October 21, 2015

Transcript

  1. Hijacking Arbitrary .NET Application Control Flow Topher Timzen

  2. Topher Timzen Security Researcher, Intel Security Trainer @TTimzen TopherTimzen.com #whoami

  3. Overview: .NET? Runtime Attacks; Modify Control Flow; Machine Code Editing; Managed Heap

  4. Why are we Here? Tools Released; Use .NET to attack; Using Objects on the Heap

  5. CLR Attacks: Controlling the Common Language Runtime; Accessing raw objects on Managed Heap; Manipulate AppDomains • Controlling all Loaded Code • Controlling Just-In-Time Compilation

  6. Attack With ASM: Manipulate Resources; Attack methods at ASM level; Alter application control flow

  7. Runtime: .NET Process; CLR (2.0/4.0) & AppDomains; Assemblies (.EXE and .DLL(s)); Objects; Properties; Fields; Instance Methods; Classes; Methods; Logic

  8. Gray Frost & Gray Storm: The Tools

  9. Gray Frost

  10. Gray Frost: Payload delivery system; Memory-resident attack; C++ .NET CLR Bootstrapper; Creates or injects 4.0 runtime; Capability to pivot into 2.0 runtime; Contains raw payload

  11. Gray Frost: Payload delivery system; Memory-resident attack; C++ .NET CLR Bootstrapper; Creates or injects 4.0 runtime; Capability to pivot into 2.0 runtime; Contains raw payload; 2 Rounds: GrayFrostCpp, GrayFrostCSharp • C# Payload

  12. Gray Frost: Payload delivery system; Memory-resident attack; C++ .NET CLR Bootstrapper; Creates or injects 4.0 runtime; Capability to pivot into 2.0 runtime; Contains raw payload; 2 Rounds: GrayFrostCpp, GrayFrostCSharp • C# Payload

  13. Round 1 .NET Process

  14. Round 1 Mscoree GrayFrostCpp

  15. Round 1 GrayFrostCpp

  16. Round 1 GrayFrostCSharp GrayFrostCpp

  17. Round 2 .NET Process

  18. Round 2 .NET Process GrayFrostCSharp

  19. Round 2 .NET Process payload void main() GrayFrostCSharp

  20. Round 2 .NET Process Payload

  21. .NET Process Pivoting Between Runtimes

  22. Mscoree GrayFrostCpp Pivoting Between Runtimes

  23. GrayFrostCpp Pivoting Between Runtimes

  24. GrayFrostCSharp GrayFrostCpp Pivoting Between Runtimes

  25. GrayFrostCSharp GrayFrostCpp Pivoting Between Runtimes

  26. GrayFrostCpp Pivoting Between Runtimes

  27. GrayFrostCSharp GrayFrostCpp Pivoting Between Runtimes

  28. Gray Storm

  29. Gray Storm: Reconnaissance and In-memory attack payload. Features: Attacking the .NET JIT; Attacking .NET at the ASM level; ASM and Metasploit payloads; Utilize objects on the Managed Heap

  30. Gray Storm Usage

  31. Controlling the JIT: Method Tables contain the address of the JIT stub for a class's methods. During JIT the Method Table is referenced. We can control the address. Lives after Garbage Collection.

  32. Controlling the JIT

  33. Controlling the JIT

  34. Controlling the JIT

  35. Control Flow Attacks: .NET uses far and relative calls. 0xE8: Call [imm] (x86); 0xFF 0x15: Call dword segmentRegister[imm] (x86); relCall = dstAddress - (currentLocation + lenOfCall)

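
The displacement formula on slide 35 in working form, as an added example that is not from the talk and not Gray Storm code: it encodes a 32-bit x86 `call rel32` from a given instruction address to a target, and decodes both call forms the slide names back to their destination, which is the check an analyst runs over a JIT-compiled method's bytes to confirm every call still lands where the method table says it should. The addresses, the pointer slot `SAMPLE_SLOT_ADDR` and the value in it are constructed for the example.

```c
/* Added example (not from the talk or from Gray Storm): the slide's
 * displacement formula, relCall = dstAddress - (currentLocation + lenOfCall),
 * used to encode a 32-bit x86 `call rel32` and to decode both call forms the
 * slide names back to their destination. All addresses below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define REL_CALL_LEN 5u   /* E8 rel32 */
#define IND_CALL_LEN 6u   /* FF 15 disp32: call dword ptr [disp32] */

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Encode `call rel32` at address `at` targeting `dst`; returns the rel32.
 * Unsigned wraparound gives the two's-complement value for backward calls. */
uint32_t encode_rel_call(uint8_t out[5], uint32_t at, uint32_t dst) {
    uint32_t rel = dst - (at + REL_CALL_LEN);
    out[0] = 0xE8;
    put_le32(out + 1, rel);
    return rel;
}

typedef enum { CALL_NONE = 0, CALL_REL32, CALL_ABS_INDIRECT } call_kind;

typedef struct {
    call_kind kind;
    uint32_t  len;      /* instruction length in bytes */
    uint32_t  operand;  /* rel32 or disp32 exactly as encoded */
    uint32_t  target;   /* resolved destination address */
} call_info;

/* Memory reader for the indirect form: fill *out with the dword at addr, return 1 on success. */
typedef int (*read32_fn)(uint32_t addr, uint32_t *out);

/* Decode the call at address `at` from `code` (n bytes available). Returns 1 if a call was decoded. */
int decode_call(const uint8_t *code, size_t n, uint32_t at, read32_fn read32, call_info *ci) {
    ci->kind = CALL_NONE; ci->len = 0; ci->operand = 0; ci->target = 0;
    if (n >= REL_CALL_LEN && code[0] == 0xE8) {
        ci->kind = CALL_REL32;
        ci->len = REL_CALL_LEN;
        ci->operand = get_le32(code + 1);
        ci->target = at + REL_CALL_LEN + ci->operand;   /* the slide's formula, inverted */
        return 1;
    }
    if (n >= IND_CALL_LEN && code[0] == 0xFF && code[1] == 0x15) {
        uint32_t slot = get_le32(code + 2), dest;
        if (!read32 || !read32(slot, &dest)) return 0;  /* pointer slot is not readable */
        ci->kind = CALL_ABS_INDIRECT;
        ci->len = IND_CALL_LEN;
        ci->operand = slot;
        ci->target = dest;
        return 1;
    }
    return 0;
}

/* Constructed memory for the indirect form: a single pointer slot, the way an
 * import table entry holds the address of the real function. Values are made up. */
#define SAMPLE_SLOT_ADDR  0x00402000u
#define SAMPLE_SLOT_VALUE 0x7C801234u
int sample_read32(uint32_t addr, uint32_t *out) {
    if (addr != SAMPLE_SLOT_ADDR) return 0;
    *out = SAMPLE_SLOT_VALUE;
    return 1;
}

/* Resolve the destination of the call at `at`, or 0 if the bytes are not a resolvable call. */
uint32_t resolve_call_target(const uint8_t *code, size_t n, uint32_t at) {
    call_info ci;
    return decode_call(code, n, at, sample_read32, &ci) ? ci.target : 0;
}

int main(void) {
    uint8_t rel[5];
    uint32_t r = encode_rel_call(rel, 0x00401000u, 0x00401234u);
    printf("call 00401234 from 00401000: rel32=%08x, bytes E8 %02x %02x %02x %02x, decodes to %08x\n",
           r, rel[1], rel[2], rel[3], rel[4], resolve_call_target(rel, sizeof rel, 0x00401000u));
    uint8_t ind[6] = { 0xFF, 0x15, 0x00, 0x20, 0x40, 0x00 };   /* call dword ptr [00402000] */
    printf("call [00402000] resolves through the slot to %08x\n",
           resolve_call_target(ind, sizeof ind, 0x00401010u));
    return 0;
}
```

Two points the slide's one-liner hides: the E8 displacement is relative to the end of the call instruction, not its start, so `lenOfCall` (5) must be added before subtracting, and a backward call simply wraps modulo 2^32; the FF 15 form does not contain its destination at all but the address of a slot holding it, so resolving it needs a read of that slot, and a scanner that cannot read the slot should report the call as unresolved rather than guess.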
  36. ASM Payloads: Address of a method known through Reflection; Overwrite method logic with new ASM; Steal stack parameters; Change events

  37. ASM Payloads: Change return TRUE to return FALSE; Password validation; Key & Licensing validation; SQL Sanitization; Destroy security mechanisms; Overwrite logic; Update mechanisms

  38. ASM Payloads

  39. ASM Payloads Metasploit Hand Rolled Portable Environment Block (PEB) changes

  40. Portable Environment Block http://www.tophertimzen.com/blog/shellcodeDotNetPEB/

  41. Object Hunting in Memory

  42. Managed Heap: Storage point for .NET Objects; New reference objects added to heap; Garbage Collector removes dead objects

  43. Managed Heap: Storage point for .NET Objects; New reference objects added to heap; Garbage Collector removes dead objects. Let's manipulate it!

  44. Structure

  45. Structure Example: System.Double

  46. Object Hunting in Memory: Objects are IntPtrs; Point to Object Instance on Managed Heap; All instantiated objects of the same class share the same Method Table; Reflection; Object Hunting Win

  47. Finding Objects at Runtime: i. Construct an object and find location of Managed Heap; ii. Signature instantiated type; iii. Scan Managed Heap for object pointers; iv. Convert object pointers to raw objects

  48. Finding Objects at Runtime: i. Construct an object and find location of Managed Heap; ii. Signature instantiated type; iii. Scan Managed Heap for object pointers; iv. Convert object pointers to raw objects

  49. Construct an Object: Use Reflection to invoke a constructor; Can instantiate any object • Being mindful that some constructors can invoke a lot of code; If a constructor takes other objects, nullify them. https://gist.github.com/tophertimzen/010b19fdbde77f251414

  50. Find Location of Managed Heap (diagram): IntPtr = 024e9fe8; 024e9fe8 (Object) 00000005 00000001 00000000; IntPtr = 5; STACK; 024e9fe8 (Object); L H. https://gist.github.com/tophertimzen/812aa20dbe23cb42756d

  51. Find Location of Managed Heap (diagram): IntPtr = 024e9fe8; 024e9fe8 (Object) 00000005 00000001 00000000; IntPtr = 5; STACK; Managed Heap; 024e9fe8 (Object); L H. https://gist.github.com/tophertimzen/812aa20dbe23cb42756d

  52. Find Location of Managed Heap (diagram): IntPtr = 024e9fe8; 024e9fe8 (Object) 00000005 00000001 00000000; IntPtr = 5; STACK; 024e9fe8 (Object); L H. https://gist.github.com/tophertimzen/812aa20dbe23cb42756d

  53. Find Location of Managed Heap (diagram): IntPtr = 024e9fe8; 024e9fe8 (Object) 00000005 00000001 00000000; STACK; L H. https://gist.github.com/tophertimzen/812aa20dbe23cb42756d

  54. Finding Objects at Runtime: i. Construct an object and find location of Managed Heap; ii. Signature instantiated type; iii. Scan Managed Heap for object pointers; iv. Convert object pointers to raw objects

  55. Signature Instantiated Type: Object Instances contain a Method Table pointer to their corresponding type. (x86) Bytes 0-3 are the Method Table (MT); Bytes 4-7 in MT is Instance Size. 0:009> dd 024e9fe8 024e9fe8 00774828 0000038c 00000001 00000000

  56. Signature Instantiated Type: Object Instances contain a Method Table pointer to their corresponding type. (x64) Bytes 0-7 are the Method Table (MT); Bytes 8-11 in MT is Instance Size. 0:008> dd 00000000024e9fe8 00000000`0286b8e0 ea774828 000007fe

  57. Finding Objects at Runtime: i. Construct an object and find location of Managed Heap; ii. Signature instantiated type; iii. Scan Managed Heap for object pointers; iv. Convert object pointers to raw objects

  58. Scan Managed Heap: Scan down incrementing by size of object; Scan linearly up to top of heap; Compare object's Method Table to the reference; If they match, get IntPtr address of object

  59. Scan Managed Heap: Scan down incrementing by size of object; Scan linearly up to top of heap; Compare object's Method Table to the reference; If they match, get IntPtr address of object. Use ASM!

  60. Using ASM! GrayStorm/objectHunter
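
The four-step hunt of slides 47 to 59 carried out end to end, as an added example that is not Gray Storm's objectHunter code: it reads an object's Method Table pointer (bytes 0-3 on x86), takes the instance size from MT+4, walks a heap segment linearly stepping by that size, and collects every object whose MT matches the reference, then reads the fields of a found object. It runs over a constructed memory image instead of a live process; the method tables at 0x00770000, the heap segment at 0x024e0000, the types `MT_T` and `MT_U` and every field value are made up for the example. The same walk is what a debugger's heap dump does, and it is how a defender checks a memory image for lingering instances of types that hold keys, tokens or passwords.

```c
/* Added example, not Gray Storm code: the four-step object hunt from the
 * slides, run against a constructed x86 memory image instead of a live
 * process. Addresses, method tables and field values are all made up. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { uint32_t base; const uint8_t *bytes; size_t len; } region;

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Bounds-checked dword read, so a bad pointer stops the scan instead of crashing it. */
static int mem_read32(const region *r, uint32_t addr, uint32_t *out) {
    if (r->len < 4 || addr < r->base || addr - r->base > r->len - 4) return 0;
    *out = get_le32(r->bytes + (addr - r->base));
    return 1;
}

#define LE32(v) (uint8_t)((v) & 0xFF), (uint8_t)(((v) >> 8) & 0xFF), \
                (uint8_t)(((v) >> 16) & 0xFF), (uint8_t)(((v) >> 24) & 0xFF)

/* Step ii: a method table's dword at +4 is the instance size (x86). Two
 * constructed MTs, 8 bytes apart; only the fields the scan reads are modelled. */
#define MT_T 0x00770000u   /* the type being hunted, like GrayStorm.testClass on the slides */
#define MT_U 0x00770008u   /* some other type sharing the heap */
static const uint8_t MT_BYTES[] = {
    LE32(0x00000000), LE32(12),   /* MT_T: flags, instance size 12 = MT ptr + 2 int fields */
    LE32(0x00000000), LE32(16),   /* MT_U: flags, instance size 16 = MT ptr + 3 int fields */
};
/* A constructed managed heap segment with objects laid out back to back. The
 * 4-byte sync-block header that precedes each MT pointer is left out for brevity. */
#define HEAP_BASE 0x024e0000u
static const uint8_t HEAP_BYTES[] = {
    LE32(MT_T), LE32(5), LE32(1),                    /* 024e0000 */
    LE32(MT_U), LE32(0x11), LE32(0x22), LE32(0x33),  /* 024e000c */
    LE32(MT_T), LE32(7), LE32(2),                    /* 024e001c */
    LE32(MT_U), LE32(0x44), LE32(0x55), LE32(0x66),  /* 024e0028 */
    LE32(MT_T), LE32(9), LE32(3),                    /* 024e0038 */
};
const region SAMPLE_MTS  = { MT_T, MT_BYTES, sizeof MT_BYTES };
const region SAMPLE_HEAP = { HEAP_BASE, HEAP_BYTES, sizeof HEAP_BYTES };

/* Steps i/ii: an object's signature is its MT pointer, bytes 0-3 of the instance on x86. */
int object_mt(const region *heap, uint32_t obj, uint32_t *mt) {
    return mem_read32(heap, obj, mt);
}

/* Instance size lives at MT+4. Rejects sizes that cannot belong to a real object. */
int mt_instance_size(const region *mts, uint32_t mt, uint32_t *size) {
    if (!mem_read32(mts, mt + 4, size)) return 0;
    return *size >= 4 && (*size & 3) == 0;
}

/* Step iii: walk the heap linearly, stepping by each object's instance size,
 * and collect every object whose MT equals ref_mt. Returns the number found.
 * Stops at the first word that is not a method table we can size (end of the
 * allocated area, a free block, or corruption) rather than stepping blindly. */
size_t scan_heap(const region *heap, const region *mts, uint32_t ref_mt, uint32_t *out, size_t max) {
    uint32_t cur = heap->base, end = heap->base + (uint32_t)heap->len;
    size_t n = 0;
    while (cur < end) {
        uint32_t mt, size;
        if (!object_mt(heap, cur, &mt) || !mt_instance_size(mts, mt, &size)) break;
        if (mt == ref_mt && n < max) out[n++] = cur;
        cur += size;
    }
    return n;
}

/* Step iv: with the pointer in hand the "raw object" is its fields; for the
 * int-only types modelled here field idx sits at obj + 4 + 4*idx. */
int object_field(const region *heap, uint32_t obj, unsigned idx, uint32_t *val) {
    return mem_read32(heap, obj + 4 + 4 * idx, val);
}

/* Wrappers bound to the sample image. */
size_t find_sample_instances(uint32_t *out, size_t max) {
    return scan_heap(&SAMPLE_HEAP, &SAMPLE_MTS, MT_T, out, max);
}
uint32_t sample_field(uint32_t obj, unsigned idx) {
    uint32_t v = 0;
    object_field(&SAMPLE_HEAP, obj, idx, &v);
    return v;
}

int main(void) {
    uint32_t found[8];
    size_t n = find_sample_instances(found, 8);
    printf("%zu instances of MT %08x on the heap\n", n, MT_T);
    for (size_t i = 0; i < n; i++)
        printf("  %08x: field0=%u field1=%u\n", found[i], sample_field(found[i], 0), sample_field(found[i], 1));
    return 0;
}
```

On a real CLR heap the walk has more to handle than this image shows: each object carries a sync-block header before its MT pointer, arrays and strings add a component size to the base size, free blocks sit between live objects, and each segment has its own bounds, so a scanner that steps by instance size desynchronises the moment it misreads one of them. That is why the example refuses to step past anything it cannot size, and why the slides resort to ASM to do the scan against the live process rather than trusting managed code alone.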

  61. Finding Objects at Runtime: i. Construct an object and find location of Managed Heap; ii. Signature instantiated type; iii. Scan Managed Heap for object pointers; iv. Convert object pointers to raw objects

  62. Convert Object ptr -> raw obj (diagram): STACK; Refer (System.IntPtr); pointer(024ea00c); pointer(024ea00c); L H. https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

  63. Convert Object ptr -> raw obj (diagram): STACK; Refer (System.IntPtr); pointer(024ea00c); pointer(024ea00c); L H. https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

  64. Convert Object ptr -> raw obj (diagram): Refer (GrayStorm.testClass); pointer(024ea00c); STACK; L H. https://gist.github.com/tophertimzen/1da2b0aab6245ed1c27b

  65. DEMO

  66. WIN.RAR

  67. Superpowers and Things? Change Keys; Change Fields / Properties; Call Methods, with arguments!

  68. Automation

  69. Automation GrayFrost can be used with automated payloads

  70. Automations == <3

  71. Constructing Attack Chains

  72. How to construct attack chains: Gray Wolf / IL Decompiler • Find Methods, Fields & Properties of interest • Locate meaningful objects • Discover high level control flow; Gray Storm "Debugging" functionality • Breakpoint at constructors or methods from Method Pointers • Use with WinDbg; Utilize DLL Hijacking!

  73. Hybrid .NET/ASM Attacks: Hybrid C#/ASM code in .NET; Encrypting .NET payloads and unwinding; Encrypting ASM Payloads

  74. Payload System: C# is easy; Can use Gray Frost in any application; Low and High level gap is easy

  75. .NET Hacking Space: Small; Few tools; Mostly hacking WoW; Lots of PowerShell; Lots of decompilers and not many attackers!

  76. Conclusion: Arbitrary .NET applications can be injected and changed; New .NET attack possibilities; New tools that support automation; Get Gray Frost and Storm: github.com/graykernel

  77. Questions? Contact Me: @TTimzen, https://www.tophertimzen.com. Get Gray Frost and Storm: github.com/graykernel. White Papers: Hijacking Arbitrary .NET Application Control Flow; Acquiring .NET Objects from the Managed Heap