RCEvil.NET - BSidesIowa 2019

At a BSidesIowa 2019 talk, Illuminopi members NoppyByNature and Msnyo shared how to abuse a .NET deserialziation ‘feature’ to gain remote code execution in Microsoft IIS. Check out the slide deck from the talk “RCEvil.NET - A Super Serial Story”. You can also check out the accompanying C# project released during the conference.

https://illuminopi.com/talks/2019/04/20/rcevil-first-post.html

#dotnet #iis #deserialization

Exploiting Deserialisation in ASP.NET via ViewState

ASP.NET web applications use ViewState in order to maintain a page state and persist data in a web form. The ViewState parameter is a base64 serialised parameter that is normally sent via a hidden parameter called __VIEWSTATE with a POST request. This parameter is deserialised on the server-side to retrieve the data.

#dotnet #asp #deserialisation

Donut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies. This shellcode may be used to inject the Assembly into arbitrary Windows processes. Given an arbitrary .NET Assembly, parameters, and an entry point (such as Program.Main), it produces position-independent shellcode that loads it from memory. The .NET Assembly can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the .NET Assembly is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the Assembly is loaded through the CLR, the original reference is erased from memory to deter memory scanners. The Assembly is loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.

https://github.com/TheWover/donut/
https://thewover.github.io/Introducing-Donut/
#shellcode #dotnet

Aggressive MSBuild – Bypass Detection

This blog post will quickly cover some of the key points of how we completed this task and ended up with four additional commands registered within Beacon. You can review both scripts within our Github repo Aggressor Assessor here (there’s also an alternative version to accomplish the same overall goal within @MrUn1k0d3r’s Github Repo here, written by @ramen0x3f). Once you load either script from the AggressorAssessor repo into Cobalt Strike, you will have new commands available in the help menu when you type “help”. These new options are shown below with their own help menu.

https://www.fortynorthsecurity.com/aggressive-msbuild-bypass-detection/

#blueteam #forensics #dotnet

The Curious Case of QueueUserAPC

Due to the nature of the .NET compiled language runtime, user asynchronous procedure calls (APCs) are processed upon the exit of any .NET assembly without manually triggering an alertable state from managed code.

Further, if a user spawns a new process and queues an APC into the process’s main thread, a race condition exists between the APC queue and the process’s main routine such that the APC queue is processed first.

https://posts.specterops.io/the-curious-case-of-queueuserapc-3f62e966d2cb

#shellcode #redteaming #dotnet

OffensiveCSharp

This is a collection of C# tooling and POCs I've created for use on operations. Each project is designed to use no external libraries. Open each project's .SLN in Visual Studio and compile as "Release".

https://github.com/matterpreter/OffensiveCSharp
#tools #csharp #dotnet #windows

Vanara

A set of .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers.

This project contains various .NET assemblies that contain P/Invoke functions, interfaces, enums and structures from Windows libraries. Each assembly is associated with one or a few tightly related libraries. For example, Shlwapi.dll has all the exported functions from shlwapi.lib; Kernel32.dll has all for both kernel32.lib and kernelbase.lib.

https://github.com/dahall/Vanara
#csharp #dotnet #winapi

Hiding your .NET - COMPlus_ETWEnabled

The process of disabling ETW is something that I first looked at back in March after trying to figure out just how some defenders were detecting in-memory Assembly loads (https://blog.xpnsec.com/hiding-your-dotnet-etw/). There have since been several other posts with clever and improved methods of bypassing this kind of detection from some awesome researchers including Cneeliz, BatSec and modexp. Each method relies on manipulating the ETW subsytem itself, from intercepting and manipulating calls to the usermode function EtwEventWrite or the kernel function NtTraceEvent, and even parsing and manipulating the ETW registration table to avoid any code patching.

https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/

#redteaming #dotnet #windows #bypass #evasion

Bring your own .NET Core Garbage Collector

This blog post explains how it is possible to abuse a legitimate feature of .Net Core, and exploit a directory traversal bug to achieve application whitelisting bypass.

https://www.contextis.com/us/blog/bring-your-own-.net-core-garbage-collector

#windows #bypass #evasion #dotnet

Debugging into .NET

.NET for post-exploitation is here to stay. It has been bundled with most C2 frameworks, common tools have been ported, AMSI has been added (then bypassed) and new and clever ways have been found to launch unmanaged code. The process of loading a .NET assembly however appears to be pretty consistent.

https://blog.xpnsec.com/debugging-into-net/
#windows #dotnet #redteaming #internals