.NET-Sploit: Exploit .NET Framework


Though it is an uncommon attack, it highlights a class of backdoor that applies to managed runtimes such as .NET and the JVM.

A rootkit is a system which consists of programs designed to hide or obscure the fact that a system has been compromised. – Wikipedia

.NET-Sploit is a tool used to build an MSIL rootkit that lets the user inject malicious behaviour into the framework DLLs (see the following picture). The only prerequisite for the hacker is to compromise the target system with administrator rights.

Figure: dnet_rootkit

What does it actually mean?

After compromising a target system, a hacker can modify the .NET framework DLLs, which are normally located in the GAC, by disassembling and reassembling them with the regular .NET tools. This approach does not require touching the .NET applications themselves: every application that loads the tampered framework DLL will behave strangely. For example, using the rootkit, you can always print a “Hacked” message in

irrespective of the string value passed. The worst part is that if a hacker tampers with “Authenticate()” in System.Web.dll, he can capture the username and password. Of course, he can then send the details to someone else using SendToUrl().


What can you do with framework rootkit?

  • API hooking
  • Method code modification
  • Method parameter manipulation
  • Object member manipulation
  • Exe dynamic forking
  • Metadata tampering
  • Return value modification

How is it possible?

Manually, you can attack the framework in the following steps:

  1. Locate DLL in the GAC
  2. Disassemble the DLL (using ILDASM)
  3. Modify the IL code
  4. Recompile to a new DLL (new version!)
  5. Bypass the GAC strong name protection (simpler than expected)
  6. Overwrite the existing DLL with the new one.

A surprising fact is that the GAC performs no additional check to verify the strong name of a DLL when the modified framework DLL is copied into the actual folder path. For example, you can modify mscorlib.dll version 2.0 and place it into c:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089.
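Because the copy step performs no strong-name check, integrity of the framework assemblies has to be verified out-of-band. The following Python script is an added example (not part of this post or of .NET-Sploit): it inventories a GAC root by the <cache>\<assembly>\<version>__<publicKeyToken>\<assembly>.dll layout shown above, hashes every DLL, and diffs the result against a trusted baseline. The directory tree it builds under a temporary folder and the token 0123456789abcdef are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# GAC layout from the post: <root>\GAC_32\<assembly>\<version>__<publicKeyToken>\<assembly>.dll
GAC_VERSION_DIR = re.compile(r"^(\d+(?:\.\d+){3})__([0-9a-f]{16})$")

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def inventory_gac(root):
    """Map 'cache/assembly/version__token' -> sha256 for every installed assembly DLL."""
    seen = {}
    for cache in ("GAC_32", "GAC_64", "GAC_MSIL"):
        cache_path = os.path.join(root, cache)
        if not os.path.isdir(cache_path): continue
        for asm in os.listdir(cache_path):
            asm_path = os.path.join(cache_path, asm)
            if not os.path.isdir(asm_path): continue
            for verdir in os.listdir(asm_path):
                if not GAC_VERSION_DIR.match(verdir): continue  # not a version__token folder
                dll = os.path.join(asm_path, verdir, asm + ".dll")
                if os.path.isfile(dll):
                    seen["/".join((cache, asm, verdir))] = sha256_of(dll)
    return seen

def audit_gac(root, baseline):
    """Diff the live GAC against a trusted baseline {key: sha256}; returns sorted findings."""
    current = inventory_gac(root)
    findings = [("unknown", k) for k in current if k not in baseline]
    findings += [("modified", k) for k in current if k in baseline and baseline[k] != current[k]]
    findings += [("missing", k) for k in baseline if k not in current]
    return sorted(findings)

def _write(root, cache, asm, verdir, data):
    d = os.path.join(root, cache, asm, verdir)
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, asm + ".dll"), "wb") as f:
        f.write(data)

def demo():
    """Constructed GAC tree: baseline it, then overwrite mscorlib.dll in place as the post describes."""
    root = tempfile.mkdtemp()
    _write(root, "GAC_32", "mscorlib", "2.0.0.0__b77a5c561934e089", b"constructed clean mscorlib")
    _write(root, "GAC_MSIL", "System.Web", "2.0.0.0__0123456789abcdef", b"constructed clean System.Web")
    baseline = inventory_gac(root)  # capture this from a known-clean host or install media
    _write(root, "GAC_32", "mscorlib", "2.0.0.0__b77a5c561934e089", b"constructed tampered mscorlib")
    return audit_gac(root, baseline)  # -> [("modified", "GAC_32/mscorlib/2.0.0.0__b77a5c561934e089")]
```

The baseline must come from a source you trust (install media or a known-clean host), since hashing an already-compromised GAC would simply enshrine the rootkit. Matching folder token and hash is not a signature check; verify strong-name signatures separately with sn.exe -vf.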

What is .NET-Sploit?

A generic framework modification tool for injecting code. You can download it at http://www.applicationsecurity.co.il/english/NETFrameworkRootkits/tabid/161/Default.aspx.