Let me preface this by saying that it has been migrated from security.stackexchange to here on stackoverflow. Additionally, I understand any concerns that stack members may have; seeking out security-sensitive knowledge is a potential double-edged sword for anyone involved. I personally believe that it is of great importance that vulnerabilities and exploits be spoken of publicly, as it presents the community with the opportunity to address the issue.

My goal:

  • Have a custom coded, malicious C# application execute the legitimate application it is wrapped with after performing its task.
    • Our target system has all the necessary frameworks in place to support the code.

Problem:

  • Wrappers discretely execute both wrapped binary files independently of one another.
    • I need the malicious file to trigger the legitimate file after requesting elevated privileges.
    • This will simulate the single privilege elevation request that the legitimate file normally performs on installation.

Question:

  • Is there a way that a C# application can be coded such that it can execute a binary file it is "wrapped" with?
    • I do not fully understand what is happening to the wrapped binaries and might be asking this question incorrectly.

Background:

My group will be conducting a pen test in the next couple of months and we have already identified a customer flaw. A specific software suite utilized by the customer requires a full reinstall each time it is updated. This reinstall requires privilege escalation and we have already demonstrated that tainted media with a custom coded trojan horse could result in a compromise on their devices / network.

There are a number of solutions the customer could employ to ensure that their application installer has not been tampered with.

Edit: It appears that "executing wrapped binary" addresses how to do this in assembly, not in a higher-level language. Still might be a useful lesson...

Shrout1
    This looks like a pure c# question and not a security question - the answer is going to be code-based. This is better asked on SO. The answer is not affected by the fact that you want to use it for pentesting. – schroeder Feb 18 '16 at 18:31
  • @schroeder If an admin would be so kind as to move it I would be most appreciative. – Shrout1 Feb 18 '16 at 18:57
  • Yes, it is possible... no, I won't show you how. If they want their assemblies protected they should use code signing https://msdn.microsoft.com/en-us/library/ms537361(v=vs.85).aspx – Matthew Whited Feb 18 '16 at 19:56
  • @MatthewWhited Nice to know that it's possible, understand the concern. That has been stated to the customer and we will be validating if it has been done. Again, I started this on security.stackexchange as I thought it was an appropriate forum. – Shrout1 Feb 18 '16 at 19:58
  • I don't doubt your intentions but I also don't provide examples on how to exploit computers. Maybe someone else will help... at the end of the day you could just show it by wrapping their exe with a batch file and setting the batch file to run as admin. – Matthew Whited Feb 18 '16 at 20:04
  • @MatthewWhited Understood! I have a functional, non-optimal demo that modifies the file structure of their installer and executes in a "transparent" fashion for the user. But the fight to find and fix security holes is ongoing, and I understand your stance. I hope that our customer will have already fixed this particular hole. – Shrout1 Feb 18 '16 at 20:11
  • It's easy enough to show how this works with reflection, so I'll get over myself and show you :) – Matthew Whited Feb 18 '16 at 20:23
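The comments above point at the customer-side fix: the installer should be code-signed and checked before it is run. The following is an added example written for this page (it is not code from the question, the answer, or any vendor) of a small C# gate that refuses to proceed unless the installer's SHA-256 matches a digest published out of band and the file carries a signature from the expected publisher certificate. `ExpectedSha256` and `ExpectedThumbprint` are placeholders to be filled from the vendor's published values; the program name `InstallerCheck` is assumed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace InstallerCheck
{
    class Program
    {
        // Placeholder: SHA-256 of the genuine installer, obtained out of band
        // (vendor web page, signed release notes), never from the media itself.
        const string ExpectedSha256 = "<VENDOR_PUBLISHED_SHA256>";

        // Placeholder: thumbprint of the vendor's code-signing certificate.
        const string ExpectedThumbprint = "<VENDOR_CERT_THUMBPRINT>";

        // Exit code 0 = verified, 1 = rejected, 2 = usage error.
        static int Main(string[] args)
        {
            if (args.Length != 1)
            {
                Console.Error.WriteLine("usage: InstallerCheck <installer.exe>");
                return 2;
            }
            string path = args[0];

            // 1. Integrity: the pinned digest catches any repackaging, including a
            //    wrapper that embeds the real installer as a resource.
            string actual = Sha256Hex(path);
            if (!string.Equals(actual, ExpectedSha256, StringComparison.OrdinalIgnoreCase))
            {
                Console.Error.WriteLine($"Rejected: SHA-256 {actual} does not match the published digest.");
                return 1;
            }

            // 2. Publisher identity: extract the Authenticode signer certificate.
            //    CreateFromSignedFile only reads the certificate; it does not prove the
            //    signature covers the file, which is why the digest check above stays.
            X509Certificate2 signer;
            try
            {
                signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
            }
            catch (CryptographicException)
            {
                Console.Error.WriteLine("Rejected: file carries no Authenticode signature.");
                return 1;
            }

            if (!string.Equals(signer.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase))
            {
                Console.Error.WriteLine($"Rejected: signed by {signer.Subject}, not the expected publisher.");
                return 1;
            }

            // 3. Chain validity: the signer must chain to a trusted root with the
            //    code-signing EKU (OID 1.3.6.1.5.5.7.3.3) and must not be revoked.
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.3"));
                if (!chain.Build(signer))
                {
                    foreach (X509ChainStatus s in chain.ChainStatus)
                        Console.Error.WriteLine($"Chain problem: {s.Status} {s.StatusInformation}");
                    return 1;
                }
            }

            Console.WriteLine("Installer verified: digest and publisher match.");
            return 0;
        }

        static string Sha256Hex(string path)
        {
            using (var sha = SHA256.Create())
            using (var fs = File.OpenRead(path))
                return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "");
        }
    }
}
```

Run it as `InstallerCheck.exe setup.exe` and only launch the installer when the exit code is 0. Because `X509Certificate.CreateFromSignedFile` does not itself verify that the signature matches the file contents, the pinned digest does the integrity work here; on Windows, `WinVerifyTrust` (what PowerShell's `Get-AuthenticodeSignature` calls) is the API that performs the full Authenticode check if a hash list is impractical.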

1 Answer

Good app... (compile this app first)

using System;

namespace App
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Hello World!");
        }
    }
}

BadApp... (include the above app as an embedded resource)

using System;
using System.IO;
using System.Reflection;

namespace BadApp
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("do bad");

            Assembly good = null;

            // Read the embedded App.exe out of this assembly's manifest resources.
            // Index 0 assumes the wrapped exe is the first (or only) embedded resource.
            var ea = Assembly.GetExecutingAssembly();
            using (var rs = ea.GetManifestResourceStream(ea.GetManifestResourceNames()[0]))
            using (var ms = new MemoryStream())
            {
                rs.CopyTo(ms);
                // Load the bytes as a managed assembly (only works for .NET assemblies).
                good = Assembly.Load(ms.ToArray());
            }

            // Call the wrapped program's Main, passing our own args through.
            var ep = good.EntryPoint;
            ep.Invoke(null, new [] {args});

            Console.WriteLine("ha ha too late");
        }
    }
}

... output from running BadApp

do bad
Hello World!
ha ha too late
Matthew Whited
  • Ok n00b question here (I've been a sys admin and not a developer for too long!) I'm getting a "Bad IL Format" error at the line `good = Assembly.Load(ms.ToArray());`. I've set build to "embedded resource" for app.exe but I'm not quite sure what I'm doing wrong. Sorry to continue dragging you down this tortured path :D I appreciate the help – Shrout1 Feb 18 '16 at 21:24
  • Does your app.exe run? did you include app.exe as the resource or pick something else by accident like app.exe.config? – Matthew Whited Feb 18 '16 at 21:32
  • It does run! But let me double check. I created a resource file, moved app.exe into the project folder (one level above bin) and then linked to app.exe. Selected it in the solution explorer and set the build action to "Embedded Resource". May have missed a step... – Shrout1 Feb 18 '16 at 21:35
  • On my test app I switched my resource from my exe to a different file and I get the Bad Image Exception. This also assumes the exe you are wrapping is a .Net assembly. If you are doing a native app you can't use `assembly.load` – Matthew Whited Feb 18 '16 at 21:37
  • Ok! I actually had to change `using (var rs = ea.GetManifestResourceStream(ea.GetManifestResourceNames()[0]))` to `using (var rs = ea.GetManifestResourceStream(ea.GetManifestResourceNames()[3]))` because I had embedded additional resources while thrashing about. I set a watch on `ea.GetManifestResourceNames()` and then explored it once the object was created - turned out that app.exe was fourth in my list. – Shrout1 Feb 19 '16 at 13:36
  • You could also just hard code the resource name as a string ;) – Matthew Whited Feb 19 '16 at 14:40
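The answer's wrapper leaves a visible trace: the genuine executable sits in the wrapper's manifest resources, which is exactly what `GetManifestResourceNames()` enumerates. Below is an added example, written for this page and not part of the answer above, of a C# audit tool that reads a managed assembly's metadata with `System.Reflection.Metadata` (built into .NET Core/.NET 5+; a NuGet package on .NET Framework) and lists every embedded resource, flagging any whose content begins with the `MZ` header of a Windows executable. It never loads or runs the inspected file. The program name `ResourceAudit` is assumed.

```csharp
using System;
using System.IO;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

namespace ResourceAudit
{
    class Program
    {
        // Exit code 0 = no embedded executables found, 1 = at least one flagged, 2 = usage error.
        static int Main(string[] args)
        {
            if (args.Length != 1)
            {
                Console.Error.WriteLine("usage: ResourceAudit <assembly.exe>");
                return 2;
            }

            int flagged = 0;
            using (var fs = File.OpenRead(args[0]))
            using (var pe = new PEReader(fs))
            {
                if (!pe.HasMetadata)
                {
                    Console.WriteLine("Not a managed assembly; no manifest resources to enumerate.");
                    return 0;
                }

                MetadataReader md = pe.GetMetadataReader();

                // All embedded resources are stored in one blob that the CLI header points at.
                int resRva = pe.PEHeaders.CorHeader.ResourcesDirectory.RelativeVirtualAddress;
                BlobReader blob = resRva != 0 ? pe.GetSectionData(resRva).GetReader() : default(BlobReader);

                foreach (ManifestResourceHandle h in md.ManifestResources)
                {
                    ManifestResource res = md.GetManifestResource(h);
                    string name = md.GetString(res.Name);

                    // A non-nil Implementation means the resource lives in another file/assembly.
                    if (!res.Implementation.IsNil)
                    {
                        Console.WriteLine($"{name}: linked to an external file, skipped");
                        continue;
                    }

                    // Each embedded resource is a 4-byte little-endian length followed by its bytes.
                    blob.Offset = (int)res.Offset;
                    int length = blob.ReadInt32();
                    byte[] head = blob.ReadBytes(Math.Min(2, length));
                    bool looksLikePe = head.Length == 2 && head[0] == (byte)'M' && head[1] == (byte)'Z';

                    Console.WriteLine(looksLikePe
                        ? $"{name}: {length} bytes  <-- starts with MZ, embedded executable"
                        : $"{name}: {length} bytes");
                    if (looksLikePe) flagged++;
                }
            }
            return flagged == 0 ? 0 : 1;
        }
    }
}
```

Run as `ResourceAudit.exe BadApp.exe`: the embedded `App.exe` from the answer shows up by its resource name with an `MZ` flag, while an ordinary installer with only icons, strings or `.resources` files reports nothing. The `MZ` prefix is a heuristic, not proof; a reviewer should still extract and hash any flagged resource and compare it against the vendor's published digest.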