Hello. Hi. I'm John McCoy and I'm going to be showing you how to attack.NET. Hello. So I
came up with a little bit of different stuff in.NET and just to kick it off as a preface, this is
one application. This is Ant's memory profiler from Redgate. This is Mandiant. This is InstantVB. This is
all one application. And this is kind of where I'm going to go in this speech. That this idea of
separate applications and other people's code being sacrosanct and you can't mess with it, that's
kind of different in.NET. So that's where I'm going in this. And close that out. And I reskinned
their application. That's what I'm going to get to. All right. So like I said, I'm John McCoy and
this is DojoCon. So ninja patching. Okay. So I'm going to cover going up against closed source
applications, tools to gain access into these that I wrote, show some vulnerable.NET applications
and show you some soft spots to go after when you're going up against someone else's program. So the
basic idea is you gain access to someone else's runtime memory. You gain access to their object
structure. You gain access to basically the instances in memory. Nice and easy. And then once
you do that, you take over the GUI, the logic and mess with the state of the program. That's kind
of where we get the you can do whatever you want. And this allows us to subvert the core logic
without necessarily introducing different code because we can affect the state of the program.
And then we can instantiate new things like, hey, now the program does something additional or we
reskinned it or whatever we want. So this is what you used to do when you wanted to change someone
else's program. You would fire up IDA Pro or some assembly level and you would go in there and you
would walk instructions and you would look at memory addresses and pointers. And this is really,
really cool. If you're going up against a 15 kilobyte and you're a single thread, you're not
too bad. If you're going up against a Microsoft, 2000 megabyte, 15 threads, you're going to come
up against some real problems when you're going in assembly. So hacking.net looks more like this.
You have objects that have names. You have variables. You have all the stuff that.net brings us.
And you don't have to go assembly. So this code will wipe out the events on any button that you
pointed at. So you get into someone else's application and you just wipe out what it does.
You could also reprogram it. This is what it looks like to do some fairly heavy lifting. This is
about as bad as it gets. And okay. So ninja patching, the idea came from monkey patching way back in
the day Java came out with monkey patching. You get in there. The basic idea is reflection.
Reflection allows you to look at an object and say, hey, what are you? I'm going to deal with you a
different way. It's in.net. It's in Java. It's going to be around because it's kind of the
inherent in the structure of it. Monkey patching originally was the idea that you wrote the
program and now your client wants you to do something a little different. You write around
wrapper. Now it does something a little different because you injected into it. This has been
around forever. And ninja patching is the same idea except for it's a little more offensive.
Instead of your upgrading your program, you're going to wait until the program authenticates with
the server. Every check has been done. And it's idling and everything's okay. And then you get
into the program and affect it however you want. And that's kind of the basic difference. These
are just terms that we're making up on the fly, of course. Okay. So you inject into your
application, add some easy tools up for doing that. You run a payload and then you modify it.
Okay. So just as a little background, the classic idea of a program is you have a program that
has a program, app domains, assemblies, modules, functions, functions, objects. This is kind of
what programmers think of a program. At runtime, people classically think of a process instead of
that. App domains, assemblies, classes. And again, this is how people typically think of
programs. And this doesn't work. Because when you're going up against a program at runtime, you
aren't dealing with a class structure. You're dealing with a GUI that has some event that goes
to some object. And this is what a program looks at runtime. And so these previous models just
don't work. You're not going to be worrying about what your object inherited from until you're
trying to override it and replace it. So when you come up against someone else's program, say
here happens to be my video application driver from ATI. So we can just drop right into this.
And this launched a payload inside of our target. This is just running inside of here now. And
these programs are essentially in the same memory space and can share everything. And so we can do
stuff like add buttons to it. We can just maybe tell a button to drag around. We can pretty much
do whatever we want to their application as if we were the original coder. So we can affect a
program pretty much as an original coder with very, very, very few lines of code. We're talking
about ten lines of code. So can't click on these buttons. Why not? So you can basically attain
full control of a program very easily. So easy to inject into someone else's program, nice and
stable, all that. And like I said, I threw these tools up on the net. They're available. Have at
it. Okay. So how do you get into your.NET application? I can go, I'm not going to go into
how injecting you can look at my code base online. But injecting is an easy way. It blows right
past AV, it blows right past everything, it gets you in. It's nice and easy. And you can basically
do it without worrying about affecting the program until you want to affect it. So good for ninja
patching. You can go up and you can affect the application on disk. So you go and you just inject
a few lines and say, hey, why don't you load my code? This hits it on disk. So you are leaving
forensics evidence. So if you inject it in memory, you're injecting it only in memory. This isn't
touching disk. So you don't have to worry about accidentally leaving some evidence behind that
you were tampering with it. Also there's injecting the framework itself. This is going up against
the Microsoft framework. You can just add code to it like you add code to any other executable.
So when someone does a to stream, you attack it. When someone opens up a sequel connection, you
do something different. Maybe you Twitter it. And again, this has the downside of going on disk.
So okay. In my research, I attacked this program and that program. And I found that visual
studios was fairly vulnerable being somewhat written in.net. So I thought it would be fun to
write a hey, visual studios, why don't we inject into you? But then I found that you actually don't
need to inject into visual studios because visual studios is happy to run code. So let's say you
download my application. You want to look at the source code. You come in here and you pull up a
form and you're like oh, okay. Oh, a box popped up. A box that instead of popping up could do
something else. But the basic idea is you have arbitrary code execution when you look at a form.
This is particularly dangerous if you're a coder. But just as a quick aside, so this form has an
infected image box on it. All it took to infect the image box was to add a couple of lines of code to
the constructor. When you look at the image box, the constructor fires. So accidentally told it yes,
so it's attacking visual studios. Okay. We'll drop back out of that. Okay. So visual studios,
Microsoft considers this a feature and they have no plans on fixing it. So I hope your A.D. scans
your code, right? So we'll say yeah. We'll load up a payload just like before. And so this, just as
a quick aside, this window is visual studios written in.net. This window is visual studios not
written in.net. So when we affect.net, we're affecting only.net modules. So you can write attacks
that work against. So again, we have arbitrary code execution in visual studios and it just goes and
attacks anything that it finds that's.net. And then you can just affect it arbitrarily. Okay. So
how does this work? How do you do this to someone else? All you do is you create a new user control
and then in the constructor of it you put your arbitrary code. And then when they look at that
arbitrary code on a form, it executes. They get attacked. So also you might think, okay, I'll go
and look at everything before I open individual studios. Like I'm not going to run it, of course,
but I'll at least look at it to make sure this hack isn't there. It turns out you can wipe all this
out and not recompile and they will still get attacked. So you can take this code out and it's
until they do a rebuild, they're still going to get attacked. And like I said, Microsoft came up
to me, I said, are you going to fix this? They said it's a feature. So I'm here telling you guys
and Microsoft will eventually take this seriously, I guess. So easy. I mean, you put it in the
constructor and that's it. You have a deployable ping home every time someone opens this project
and why don't you give me their user name or their hashes. Okay. So how do I get into someone
else's executable? You just say in.met, okay, inject me in there, give me some memory space,
write me in there and then start a thread on it. That's it. Load this load C++, injection, blah,
blah, blah, nice and easy. This loads C sharp because you can call.net from C and nice and easy
and then we're in. You can load application level key loggers, you can make them Twitter, you can
leverage the rights of that application. Maybe you need to write to the hard drive and you can't.
But there's application X that can, you inject into it and it can write to the hard drive. So
this gives us a new idea of what an API is because you can form new APIs inside of someone else's
executable. You can pretty much edit them any way you wish. So let's open just a quick demo
application. And okay, so once this is our injector, it puts us inside of here. Again, the payload's
running inside of it and we can select whatever we want. So just like being able to upgrade someone
else's application, maybe my favorite demo is making it reskinnable that you can come in and just
select. So you can easily make a wrapper that would just come in and add skins to an application.
This is kind of the direction I want to take it. Away from necessarily destroying other people's
applications to more of a let's figure out what can be done in a positive manner. So maybe you want
to convert this application to Spanish. Here it is. You can now deploy upgrades to someone else's
application and sell it. Hey, you want application X? Here you go. Now it's for you. You can do
something funny, ha ha, like everything runs away from the mouse and can't be clicked on. But
imagine if you're a DBA and your database starts doing this. What do you do? So some nice fun things.
You can upgrade applications and this is a perfect model. Unlike trying to upgrade pointers and
assembly and trying to mess with that stuff, you have the stability of.NET so you don't have to
worry that you messed up the logon screen so now you're going to crash how it updates a server.
Okay. So if you are going to attack a program, this is pretty much the sequence. You take a.NET
application, you get into it, you go and find some buttons, that's my favorite one, and then you
just take them over and you own it however you want. Particularly logon screens. Like now the
logon screen isn't a logon screen, it's going to capture their passwords and do something malicious
or it's going to maybe do something positive. You get into another application and you start out, I
like to start out on the GUI, you get in there, you can start out on statics, basically get into an
application and you hop around the object structure. And this is what a program looks like in
memory from being inside of it. This is pretty much what you're going to come up against. Just a
web of stuff, you'll understand some of it, most of it seems arbitrary. And you're going to have to
hop from one place to another to get over to the GUI, to get over to the SQL connection. And you're
going to go from object to object saying who are you connected to? Oh, I want to be on that object
too. And it turns out you can just say, okay, object, I want to edit you, I want to do whatever
because that's the flexibility of.NET. So the positive things that you can do, so SQL Server
Management Studio, right? Fun application. Who doesn't want to take that over? So the logon
screen. Originally I did okay, it twitters, okay, it changes your password, it does all this
malicious stuff. And I've been, like I said, trying to think about better things to do than
malicious stuff. So it's hard, I know. Okay, so some of the stuff that I came up with was how
about if we try and turn it around? So now I infected this, I own it, I changed it in some
arbitrary way, and now come in and type in a password and connect. And it presents with a
CAPTCHA. Because who isn't afraid of bots logging into their SQL Server, right? So we type in
complete the CAPTCHA and then it logs on. And so you can add anything you want. You can add any
number of layers of security, you can say, okay, if it's after 6 o'clock, I want a drunk test
because I don't want to be drunk working on my server. So everyone does that once, right? So at
this point you can come up to a client and say, okay, you have a server, but how about if we write
some custom security for you? How about if we upgrade it so they have to logon with multi-factor
authentication integrated with SQL Server integrated with some YubiKey? And normally that would be a
major undertaking that Microsoft would do and spend millions of dollars. It's going to take, that
CAPTCHA took an hour. I mean, this stuff is easy. You're looking at coming up and taking over a
program taking your first time maybe 6 hours. Once you get really, really good, 3 hours, an hour to
take over the GUI, to take over core logic, to break a program, say it has security features,
whatever security feature you can imagine, you can pretty much take it out in a day from beginning
to end, regardless of how well protected applications are. And there are some protection
mechanisms. Almost no one uses it, not even Microsoft. So this is what we can do. We have that
original one event that goes to a button, say the CAPTCHA, and now we just take over that event and
we do something a little different. We maybe wrap the original object so we look the same and
everything is prophesic. But now you have a CAPTCHA that's showing up. So this basically gives us
the ability to do a little more complex stuff. Okay, so here's ANT's memory profiler that I showed
you at the beginning. This application, a lot of programmers like it, all that. Okay, so the idea
is applications aren't necessarily closed source anymore. They're not a black box that we can't
interact with. So we have our trialware that's expired. We'll of course need to get past that,
right? And we'll do some other stuff, drop some other applications in there, all that. So again,
we're in, that's it. This is now running inside of this application and essentially is that
application. So we'll drop in some payloads, drop in the buttons again. And these are just void main
executables. When you get in there, launch your void main, that's it. So, okay, we have our buttons
as before. What if we want to drop another executable in there? We just say, okay, load this executable
too. And it loads. And so now we have an executable that's just some arbitrary application running
inside of ANT's memory profiler. I'm sorry about the small screen. Normally you want this on a
couple of screens if you're going to do something like this. Okay, so we have these two applications
running together. This one has buttons, this one doesn't because this one loaded before. We can just
say, okay, go add yourself. We can drop in other ones and so on and so forth. There we are. Okay,
so and then we'll take Mandiant's highlighter and drop that in there too. Okay, so we have Mandiant
highlighter, Instant BB and ANT's memory profiler all running together. And so this is nice, this is
fun. What can we do with it, right? We can come in here to ANT's memory profiler and say this
application. We can, it's full screen so that's going to be a problem. Okay, so we'll pop off of
here and we'll take the exit button and we'll pop it onto here. So at this point we can just take
whatever parts we want and intermix them however we want. Maybe we want to take the browse button
off of here and put it over here. And so yeah, haha, we have buttons that look similar but yeah,
they still work. You hit browse over here, it brings up a browse window and it executes the code
in its original host. Let's say star. Okay, so we browse and it's firing over here. It's still
linking just fine, you're not worrying about destroying the program, you're just moving
buttons arbitrarily between them. Let's get past this trialware, right? This one, this one. Okay,
so I wrote this company and said hey, I'm going to take out your trialware. It applies to every
application that you make. What do you think? And they said okay, how did you do it? This target
does two lines of code. It says window, dialogue, your result is set to okay and why don't you
close? And that's it. Two lines of code. Like it expired, it took me five minutes, I was like
oh, okay, done. Of course I own it too, right? So we're inside the application, we'll say, like
I said, let's reskin this. So what I'm doing here is I brought up one of the dialogue boxes
and added a, just like Visual Studio, let's edit this window, click on background image and edit.
And so everything's editable. Basically you're like the original programmer. You come in here
and you say okay, I would like this to again be that. And let's instead of tiling it, let's
stretch it. And so it's basically on the fly able to edit a program. You're able to do stuff
like this. Okay, so we have one application here, Mandiant's highlighter. We'll pop this text box
off. We'll come over here, add it. We'll click and take this highlight button, put it over here.
And so we've taken these two things off of here, added them over to this application. I guess that
didn't scale so well. Okay. So open something in Mandiant highlighter and okay. We'll type in
question mark, highlight. I guess it did break it. Okay. Normally that works. Okay. So able to
come through and delete everything. So like I said, change it to Spanish, whatever you want.
Multilingual applications. You're able to affect pretty much any part of the program arbitrarily.
And so at this point we're able to come in here and enter fields and then put in values that
shouldn't be entered. We're able to access sections that shouldn't be entered. Like this checkbox
isn't clickable. We'll make it clickable. And so you don't have to be subservient to your programs
in this model anymore. You can just go in and edit basically the object structure which is easy.
You can add your own code. You can add your own features. And you can pretty much edit.NET
applications any way you wish. So beyond this, like for negative purposes or for positive purposes,
however you think of it, you come in here and you say okay, this does this thing. It highlights
some extra boxes. It does some different stuff. But what does it do, right? So I said okay, here's
what it does. I added a when you get clicked, why don't you tell me what you do instead of doing it.
So it goes through and this is what that control does. This is every single event this control does.
It fires this obfuscated function. This is IL. This is what's really.NET. This is what's running
underneath your C sharp. This is what's running underneath your VB.NET or what have you. So this
is what that control really does. And so if you said okay, I want to go and look at this obfuscated
function, instead of looking for days and days through a massive code, you can just say okay, when
you're going to validate a key, why don't you just show me the function that you're going to call to
validate it. And no matter how obfuscated it is, you can just jump straight to it. And so this is the
part that really gives you a lot of power. Instead of saying I want to go to unprintable characters,
tilde, C, squiggly, you don't have to hunt through a massive hard to read code. You can just jump to
what that control does and you know what that control does. It validates the key or it talks to
the server. And so you can just find okay, here's the function that it talks to the server. Here's
the manner in which it talks. I can either change that, I can interact with it, what have you. And
so this is the time saver. When you're going up against a program, this control apparently does a
lot of things. And you can basically read through this, IL isn't that hard. But so that's what that
control does. And so that's when you click on this control, that's why it takes a while. And so you
can look at a program as a run time entity. You can edit them, you can debug them, you can change
them. So maybe you have a program crash, right? Get in there, rip the data out. You have a bug that
keeps coming in there. And it only happens once every six months. It causes a lockup. You can get
in there and you can find the state, you can find the objects, you can find the object crashed and
fix it. So I'm trying to push this has positive uses and not just negative uses. Reskinning it,
adding multi language packs. I mean, you can come up to SQL server and now give it in Chinese and
be six months ahead of Microsoft and sell it for five bucks a pop. And I still need to talk to the
lawyers about the legitimacy of adding packs to someone else's current executable. And so, okay,
like I said, down here there's this control that's locked out. You can get into some weird places
when you're able to just unlock something and fire. You can make it, you can get into places that
aren't accessible. I mean, what happens when you click a button that was never meant to be clicked
at that moment? And so on and so forth. So, and they're all one executable and crashes are pretty
safe, all that. Another quick, not necessarily the same strain of research, but just I really love
.NET so I end up researching everything. So just for sake of brevity, I'm just going to take this
and copy and paste it. And what this is, is an executable. This is an executable in text format.
I come over here to PowerShow and I edit and paste. I just, we wrote, I wrote a.NET piece of
hardware that types in as a fake keyboard. Other people have written some really good ones. And so
it just types in. And it runs an executable. So the reason this is here is because when I first had
this idea, I was talking to Hack 5 and they said, oh, you can't do it. You can't just type in an
executable and have it execute. You have to compile it, right? And I was like, no. No, I can do it.
They're like, no, you can't. I'm like, yes, I can. So the same attack sequence, you can drop in here.
You can type in, like, my payloads are like 75 kilobytes. You type it in and then it attacks other
things like SQL server. So instead of leaving, I inserted a USB stick. That's how I got the executable
on your computer. I have a keyboard got inserted at 2 a.m. and that's how your server got compromised.
So it opens up a little more vulnerability. More proof of concept because 75 kilobytes is a lot to
type. And so there's that. Okay. So here's a few programs. Here's the same program protected a
number of ways. This is the same executable protected with native secure shells, with
obfuscation, with all that. And just to show that stuff. I'm in here to everything I've been doing.
How am I doing on time? Actually, I have no idea. Yeah, me either. Though it seems like they might
have had some weird video effects. Everything here is like delayed versus what? That had to be
something weird with my capture though. Weird. Not my fault. Okay. So this is RedGate's, well, they
just bought it. Okay. So here's some applications. I'll drag and drop them in here and they're just
completely locked down. So these would say you can't reverse engineer them, right? So that's what
these are. They're protected, they're compiled and protected by shells, protected by the stuff
that different people have come up with to protect.NET applications. This doesn't change our
ability to inject into them. So we'll just inject in. Okay. So just like before, we're inside of
our target applications. And load up some different things. Okay. So we're inside of our target
application and show code is this part. Okay. So I'm inside of our target application. I said,
okay, show me your code base. I iterated the code every class. And now here's all the obfuscated
code. So this shut down Reflector. This was completely immune because Reflector goes at it on
disk. Reflector comes up against an executable that's protected by a shell and it says, oh, I
don't know what C++ with an encrypted.NET payload is. But we're in memory. So instead of worrying
about encryption shells which fall off the moment it's executed, here we are in memory walking an
application. And so you can see every single library that's loaded. You can see every single class,
every single function. You can get the code straight from memory. And there are some things that
people can do to mess this up, but they don't come up that often. So this allows you to get around
programs that are protected, which good luck. And there are ways to protect programs, but I hope to
get paid for doing that. So that is going up against protected applications, upgrading SQL
server, taking multiple programs and turning them into one. At this point we have basically owned
pretty much 99.999% of.NET applications out there. And this applies to Java. I'm not in Java, but
this is what we came up against. We're able to take it over. We're able to add multiple ones. We're
able to add multiple programs and then start. We can interlink the object structure, the logic of
multiple programs. We can take one program and inject it into another and so on and so forth. And
you can build things that shouldn't exist. You can intermingle an MP3 player and SQL server. You can
intermingle basically any level of applications that you want. You can create new Frankenstein apps.
And this allows you pretty much full reign over every single.NET application. And security features
basically go by the wayside pretty quickly. Sure. If you're going to inject an application, you have
to come from either a higher privilege admin or you have to come from the same user. So if you're on
someone's box and they logged into SQL server, you inject it straight from no privileges escalation.
However, it is really, really, really nice to hop into other applications and grab their tokens and
privileges and use them. So if you can't talk to the net, then you can inject into SQL server and
oh, look, it can talk to the server. And people try and lock it down, but get around it. Yeah?
You can see what you can think of in your application. You're running with lower credentials to your
application. But let's say Gray Dragon. You're running at your lower privileges, but this has to be
like a control panel that's popped up and it's running at system level privileges. Is there a way
of hopping over from this one's.NET instance into that one's.NET instance?
Not, I mean with privilege escalation, yeah. The sweet spot that I found was when system admins run
PowerShell scripts. They give their PowerShell scripts the ability to escalate.
I didn't quite catch this, but can it save out a modified, once you've modified it in memory,
yeah, you save it out to an EXE so you can rerun it. What happens if you go in and add all the hacks to get in again?
Basically what I end up doing is I write a small wrapper that says, okay, this wrapper should load
SQL server and automatically inject into it. But as far as adding your code in, there's some easy
hacks that you just go and you insert yourself in there.
One final one, on your website, where is Gray Dragon? I was looking at.NET exploit, which one is?
Which one is Gray Dragon in? It shouldn't be on there. I haven't updated it since DEF CON and Black Hat.
No, no, Gray Dragon, I haven't put it on the website because I'm holding back a little bit of the research
until the next DEF CON Black Hat, but I'm happy to give it out. But injector is the older equivalent.
Okay. Not quite as clean. It was definitely one of those. Does it compile this morning because I'm presenting it at 2.
Okay, so that's it. I'm a digital bodyguard, John McCoy, and I hope you enjoy it and will use hacking.NET.