attacking.net application at runtime an object level attack jon mccoy digitalbodyguard.com
TRANSCRIPT
![Page 1: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/1.jpg)
Attacking .NET Application at Runtime
An Object Level Attack
Jon McCoyDigitalbodyGuard.com
![Page 2: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/2.jpg)
This presentation will cover.
•How to evaluate Closed-Source .NET applications
•Tools to gain access to running apps
•Show how incredibly vulnerable .NET applications are
•Soft Spots on Programs to Attack
![Page 3: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/3.jpg)
Tools overview
•Tools to do reconnaissance, on the structure of .NET programs
•Payloads to deploy inside of target apps
•Beta - Decompilation Tool targeted at .NET Applications protected by wrappers/shells
![Page 4: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/4.jpg)
What is the attack?
Gain access to a target application Access the Object structure
Target/Evaluate GUI/Logic/State
•Subvert core logic
•Instantiate new Features/State
![Page 5: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/5.jpg)
What is a .NET Process
Gain access to a target application
Access the Object structure
Find the GUI/Logic/State
•Subvert core logic
•Instantiate new Features/State
![Page 6: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/6.jpg)
Another Idea of Runtime in .NET
![Page 7: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/7.jpg)
What is the attack?
1. Accessing Running .NET Program
2. Run Payload
2. Access targets Object structure
3. Modify values and/or Objects
![Page 8: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/8.jpg)
A Runtime Application
![Page 9: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/9.jpg)
Demo Connecting
Demo Connection To Running .NET app
![Page 10: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/10.jpg)
Connect to the target application
•Inject Code
•Infect the target's code
• Infect the Framework
And Exploit
![Page 11: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/11.jpg)
Demo: Connection
Injection
&
Exploit
![Page 12: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/12.jpg)
What is going on
![Page 13: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/13.jpg)
End to END
![Page 14: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/14.jpg)
Demo: Visual Studio
Attacking from one line of
code
![Page 15: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/15.jpg)
Moving in a Live Applocation
![Page 16: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/16.jpg)
More about Moving
![Page 17: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/17.jpg)
Demo: Power Shell
Attacking from the Keyboard
![Page 18: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/18.jpg)
A Hacked Runtime Application
![Page 19: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/19.jpg)
Demo: Other Ways In
TBD
![Page 20: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/20.jpg)
Why is this better
![Page 21: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/21.jpg)
Thanks To The
Related Works of
James Devlinwww.codingthewheel.com
Sorin Serbanwww.sorin.serbans.net/blog
Erez Metula www.appsec.co.il
![Page 22: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/22.jpg)
More information at:
FIN < NULL
http://www.DigitalbodyGuard.com
![Page 23: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/23.jpg)
More information at:
FIN > NULL
http://www.DigitalbodyGuard.com
![Page 24: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/24.jpg)
More information at:
FIN < NULL
http://www.DigitalbodyGuard.com
![Page 25: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/25.jpg)
Some stuff to check out
Erez Metula
BOOK: Managed Code Rootkitshttp://www.amazon.com/Managed-Code-Rootkits-Hooking-Environments/dp/
1597495743/ref=sr_1_1?ie=UTF8&s=books&qid=1275638178&sr=1-1
at his website:
http://www.appsec.co.il/
![Page 26: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com](https://reader036.vdocuments.us/reader036/viewer/2022070400/56649ebc5503460f94bc4d94/html5/thumbnails/26.jpg)
License
This Presentation and tool are licensed under
Creative Commons
Attribution-NonCommercial-ShareAlike 3.0