.NET Framework Rootkits and .NET-Sploit


Erez Metula's (ErezMetula@gmail.com) presentation at Black Hat will explain a method for inserting rootkits into the .NET Framework itself, by modifying the framework's own assemblies rather than the applications that run on it.

.NET Rootkits will be presented at BlackHat Europe 2009, April 16-17 2009 at the Moevenpick City Centre hotel.

This is not an exploit in itself: the rootkit can only be planted as a second-stage compromise on a system that was already compromised, since replacing a framework assembly requires write access to the GAC and native image directories under %WINDIR%\assembly, i.e. administrative rights. There is, of course, also the case where a build or deployment image is modified once, so that every system regenerated or updated from it ends up with the rootkit installed.

See also ".NET Framework Rootkits" on ApplicationSecurity.co.il.

The technique is to disassemble a .NET DLL, make the modifications, recompile it and put the DLL back in place. The runtime does not re-verify the strong-name signature of an assembly it loads from the GAC, so, as the paper puts it, "the signature of the DLL itself is irrelevant, the only thing that matters is the directory in which it is located."

Because the framework would otherwise keep loading the precompiled (NGEN) native image instead of the modified DLL, the paper continues: "In order to use our modified version, we will explicitly tell the framework not to use the native version, by issuing this command:

    ngen uninstall mscorlib

and removing the native version of this DLL, by deleting the content of this directory:

    rd /s /q c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib"
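The replacement procedure above leaves two artifacts a defender can look for: a GAC mscorlib.dll whose hash no longer matches the original, and a missing native image for mscorlib. The following PowerShell script is an added example of such a check; it is not from the original post, the paper or .NET-Sploit. It assumes the standard 32-bit .NET 2.0 GAC path for mscorlib (C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll), the NativeImages directory named in the quoted command, and a baseline SHA-256 that you captured yourself from a trusted reference host (the value in the script is a placeholder, not Microsoft's real hash).

```powershell
# Added integrity check for the GAC copy of mscorlib.dll (example code, not part
# of the original post or of .NET-Sploit).
# Assumptions: 32-bit .NET 2.0 GAC layout; $BaselineSha256 was recorded on a
# trusted reference host (the default below is a placeholder, not a real hash).
param(
    [string]$GacDll         = 'C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll',
    [string]$NativeImage    = 'C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib',
    [string]$BaselineSha256 = '0000000000000000000000000000000000000000000000000000000000000000'
)

$findings = @()

# SHA-256 via the .NET class so the script also runs on PowerShell 2/3 hosts
# that lack Get-FileHash (Windows XP/2003/2008 era boxes running .NET 2.0).
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

if (-not (Test-Path $GacDll)) {
    $findings += "GAC file missing: $GacDll"
} else {
    # 1. Hash the DLL the runtime will actually load and compare with the baseline.
    #    The CLR skips strong-name verification for GAC assemblies at load time,
    #    so only an external comparison like this catches a re-assembled DLL.
    $actual = Get-Sha256Hex $GacDll
    if ($actual -ne $BaselineSha256.ToLower()) {
        $findings += "mscorlib.dll hash mismatch: expected $BaselineSha256, got $actual"
    }

    # 2. Authenticode status as a secondary signal. On builds where mscorlib is
    #    catalog-signed this can report NotSigned; treat the hash as authoritative.
    $sig = Get-AuthenticodeSignature -FilePath $GacDll
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status for mscorlib.dll is $($sig.Status)"
    }

    # 3. The modified DLL is only used after the native image is removed
    #    ('ngen uninstall mscorlib' followed by 'rd /s /q ...'), so a missing
    #    mscorlib.ni.dll under the NativeImages directory is a strong indicator.
    $ni = $null
    if (Test-Path $NativeImage) {
        $ni = Get-ChildItem -Path $NativeImage -Recurse -Filter 'mscorlib.ni.dll' -ErrorAction SilentlyContinue
    }
    if (-not $ni) {
        $findings += "Native image for mscorlib not found under $NativeImage"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: mscorlib.dll matches baseline, is signed, and has its native image'
    exit 0
} else {
    $findings | ForEach-Object { Write-Output "ALERT: $_" }
    exit 1
}
```

Run it from an elevated prompt, passing -BaselineSha256 with the value recorded from a clean machine of the same framework build and patch level; a hash mismatch on its own may just mean a different service pack, so keep one baseline per build. The absent-native-image check is the cheap one: on a box where NGEN ran normally it should always be present, and the rootkit procedure has to remove it.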

.NET-Sploit is able to:
* Modify a given function
* Inject payloads
* Execute payloads
* Take care of "code reshaping"
* Pull the relevant DLL from the GAC
* Generate a deployer for the modified DLL

.NET-Sploit is inspired by H.D. Moore's amazing "metasploit" [9] exploit platform.
Its specialty is the abstraction from which a code injection is composed, and the
separation of the following building blocks:

* Function - a new method that extends a specified DLL
* Payload - code that is injected into a specific method
* Reference - a reference to another DLL (if necessary)
* Item - an XML-based composition of the above building blocks

© 2010 netForensics, Inc