+ All Categories
Home > Documents > Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Date post: 31-Dec-2015
Category:

Documents
Upload: cora-mccormick
View: 212 times
Download: 0 times
Download Report this document
Share this document with a friend
Popular Tags:
net appconnect
net processgain access
running net program2
target applicationaccess
fin nullhttp
object structurefind
targets code
ilmore information
26
Attacking .NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com
Transcript
Page 1: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Attacking .NET Application at Runtime

An Object Level Attack

Jon McCoyDigitalbodyGuard.com

Page 2: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

This presentation will cover.

•How to evaluate Closed-Source .NET applications

•Tools to gain access to running apps

•Show how incredibly vulnerable .NET applications are

•Soft Spots on Programs to Attack

Page 3: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Tools overview

•Tools to do reconnaissance, on the structure of .NET programs

•Payloads to deploy inside of target apps

•Beta - Decompilation Tool targeted at .NET Applications protected by wrappers/shells

Page 4: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

What is the attack?

Gain access to a target application Access the Object structure

Target/Evaluate GUI/Logic/State

•Subvert core logic

•Instantiate new Features/State

Page 5: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

What is a .NET Process

Gain access to a target application

Access the Object structure

Find the GUI/Logic/State

•Subvert core logic

•Instantiate new Features/State

Page 6: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Another Idea of Runtime in .NET

Page 7: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

What is the attack?

1. Accessing Running .NET Program

2. Run Payload

2. Access targets Object structure

3. Modify values and/or Objects

Page 8: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

A Runtime Application

Page 9: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Demo Connecting

Demo Connection To Running .NET app

Page 10: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Connect to the target application

•Inject Code

•Infect the target's code

• Infect the Framework

And Exploit

Page 11: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Demo: Connection

Injection

&

Exploit

Page 12: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

What is going on

Page 13: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

End to END

Page 14: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Demo: Visual Studio

Attacking from one line of

code

Page 15: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Moving in a Live Applocation

Page 16: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

More about Moving

Page 17: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Demo: Power Shell

Attacking from the Keyboard

Page 18: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

A Hacked Runtime Application

Page 19: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Demo: Other Ways In

TBD

Page 20: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Why is this better

Page 21: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Thanks To The

Related Works of

James Devlinwww.codingthewheel.com

Sorin Serbanwww.sorin.serbans.net/blog

Erez Metula www.appsec.co.il

Page 22: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

More information at:

FIN < NULL

http://www.DigitalbodyGuard.com

Page 23: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

More information at:

FIN > NULL

http://www.DigitalbodyGuard.com

Page 24: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

More information at:

FIN < NULL

http://www.DigitalbodyGuard.com

Page 25: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

Some stuff to check out

Erez Metula  

BOOK: Managed Code Rootkitshttp://www.amazon.com/Managed-Code-Rootkits-Hooking-Environments/dp/

1597495743/ref=sr_1_1?ie=UTF8&s=books&qid=1275638178&sr=1-1

 

at his website:

http://www.appsec.co.il/ 

Page 26: Attacking.NET Application at Runtime An Object Level Attack Jon McCoy DigitalbodyGuard.com.

License

This Presentation and tool are licensed under

Creative Commons

Attribution-NonCommercial-ShareAlike 3.0


Recommended
McCoy Thesis

McCoy Thesis

Documents

Chris Rossbach, Yuan Yu, Jon Currey, JP Martin, Dennis Fetterly ... · DANDELION: A COMPILER AND RUNTIME FOR HETEROGENEOUS SYSTEMS Chris Rossbach, Yuan Yu, Jon Currey, JP Martin,

Chris Rossbach, Yuan Yu, Jon Currey, JP Martin, Dennis Fetterly ... · DANDELION: A COMPILER AND RUNTIME FOR HETEROGENEOUS SYSTEMS Chris Rossbach, Yuan Yu, Jon Currey, JP Martin,

Documents

Sappi McCoy 2008

Sappi McCoy 2008

Documents

Descendant Chart - Chernofffamily.chernoff.com/McCoy/McCoy Descendant Chart.pdf · Mccoy b: 07 Jun 1952 in Wichita, Sed Wick Kansas. IJSAg Lyle Eldon McCoy b: 25 1920 in Wichita,

Descendant Chart - Chernofffamily.chernoff.com/McCoy/McCoy Descendant Chart.pdf · Mccoy b: 07 Jun 1952 in Wichita, Sed Wick Kansas. IJSAg Lyle Eldon McCoy b: 25 1920 in Wichita,

Documents

McCoy Filing

McCoy Filing

Documents

VADM McCoy 1

VADM McCoy 1

Education

XGR McCoy SFI

XGR McCoy SFI

Documents

McCoy Tyner - McCoy Tyner Plays Standards (Jap)

McCoy Tyner - McCoy Tyner Plays Standards (Jap)

Documents

Stephanie McCoy Combustion

Stephanie McCoy Combustion

Documents

CORD McCOY Article

CORD McCOY Article

Documents

McCOY TYNER NEA Jazz Master (2002)amhistory.si.edu/jazz/Tyner-McCoy/Tyner_McCoy_Transcript.pdf · McCOY TYNER . NEA Jazz Master (2002) I nterviewee: McCoy Tyner (December 11, 1938

McCOY TYNER NEA Jazz Master (2002)amhistory.si.edu/jazz/Tyner-McCoy/Tyner_McCoy_Transcript.pdf · McCOY TYNER . NEA Jazz Master (2002) I nterviewee: McCoy Tyner (December 11, 1938

Documents

VADM McCoy

VADM McCoy

Education

NOW YOU KNOW The Real McCoy Elijah McCoy

NOW YOU KNOW The Real McCoy Elijah McCoy

Documents

Butterfield Lumber, Inc. v. Jon L. McCoy, McCloy ...

Butterfield Lumber, Inc. v. Jon L. McCoy, McCloy ...

Documents

Hacking.NET Applications: The Black Arts - DEF CON · Jon McCoy Hacking. NETApplications: The Black Arts

Hacking.NET Applications: The Black Arts - DEF CON · Jon McCoy Hacking. NETApplications: The Black Arts

Documents

Cheryl Holcomb-McCoy, Ph.D., NCC I. PERSONAL …education.gsu.edu/files/2014/02/Holcomb-McCoy-Cheryl-CV-GSU-COE.pdfCV: Holcomb-McCoy Page 1 Cheryl Holcomb-McCoy, Ph.D., NCC School

Cheryl Holcomb-McCoy, Ph.D., NCC I. PERSONAL …education.gsu.edu/files/2014/02/Holcomb-McCoy-Cheryl-CV-GSU-COE.pdfCV: Holcomb-McCoy Page 1 Cheryl Holcomb-McCoy, Ph.D., NCC School

Documents

RICHARD McCOY

RICHARD McCOY

Documents

Katherine McCoy

Katherine McCoy

Documents