Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/nettitude/Aladdin

Last synced: about 2 months ago
JSON representation

Host: GitHub
URL: https://github.com/nettitude/Aladdin
Owner: nettitude
License: bsd-3-clause
Created: 2023-01-26T08:23:36.000Z (over 1 year ago)
Default Branch: main
Last Pushed: 2023-10-22T09:15:19.000Z (11 months ago)
Last Synced: 2024-05-11T09:35:13.403Z (4 months ago)
Language: C#
Size: 46.9 KB
Stars: 205
Watchers: 9
Forks: 15
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-rainmana - nettitude/Aladdin - (C# #)

README

        # Aladdin

```

           .-.

          [.-''-.,

          |  //`~\)

          (<| 0\0|>_

          ";\  _"/ \\_ _,

         __\|'._/_  \ '='-,

        /\ \    || )_///_\>>

       (  '._ T |\ | _/),-'

        '.   '._.-' /'/ |

        | '._   _.'`-.._/

        ,\ / '-' |/

        [_/\-----j

   _.--.__[_.--'_\__

  /         `--'    '---._

 /  '---.  -'. .'  _.--   '.

 \_      '--.___ _;.-o     /

   '.__ ___/______.__8----'

     c-'----'

  Lefty @lefterispan - Nettitude Red Team - 2022 / 2023 

```

# About

Aladdin is a payload generation technique based on the work of James Forshaw (@tiraniddo) that allows the deseriallization of a .NET payload and execution in memory. The original vector was documented on https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html.

By spawning the process `AddInProcess.exe` with arguments ```/guid:32a91b0f-30cd-4c75-be79-ccbd6345de99``` and ```/pid:```, the process will start a named pipe under `\\.\pipe\32a91b0f-30cd-4c75-be79-ccbd6345de99` and will wait for a .NET Remoting object. If we generate a payload that has the appropiate packet bytes required to communicate with a .NET remoting listener we will be able to trigger the ActivitySurrogateSelector class from System.Workflow.ComponentModel. and gain code execution.

Originally, James Forshaw released a POC at ```https://github.com/tyranid/DeviceGuardBypasses/tree/master/CreateAddInIpcData```. However this POC will fail on recent versions of Windows since Microsoft went ahead and patched the vulnerable System.Workflow.ComponentModel (https://github.com/microsoft/dotnet-framework-early-access/blob/master/release-notes/NET48/dotnet-48-changes.md).

Nick Landers (@monoxgas) however, identified a way to disable the check that Microsoft introduced and wrote a detailed article at https://www.netspi.com/blog/technical/adversary-simulation/re-animating-activitysurrogateselector/ . The bypass is documented at https://github.com/pwntester/ysoserial.net/pull/41 .

Aladdin is a payload generation tool, which using the specific bypass as well as the necessary header bytes of the .NET remoting protocol is able to generate initial access payloads that abuse the `AddInProcess` as originally documented. 

The provided templates are:

    * HTA

    * VBA

    * JS

    

    * CHM

## Notes

In order for the attack to be successfull the .NET assembly must contain a single public class with an empty constructor to act as the entry point during deserialization. An example assembly has been included in the project.

```

public class EntryPoint {

    public EntryPoint() {

        MessageBox.Show("Hello");

    }

}

```

## Usage

```

Usage:

  -w, --scriptType=VALUE     Set to js / hta / vba / chm.

  -o, --output=VALUE         The generated output, e.g: -o

                               C:\Users\Nettitude\Desktop\payload

  -a, --assembly=VALUE       Provided Assembly DLL, e.g: -a

                               C:\Users\Nettitude\Desktop\popcalc.dll

  -h, --help                 Help

```

## OpSec

* The user supplied .NET binary will be executed under the `AddInProcess.exe` that gets spawned from the HTA / JS payload. The spawning of the processes currently happens using the 9BA05972-F6A8-11CF-A442-00A0C90A8F39 COM object (https://dl.packetstormsecurity.net/papers/general/abusing-objects.pdf) which will launch the process as a child of `Explorer.exe` process.

* The GUID supplied in the process parameters of `AddInProcess.exe` can be user controlled. At the moment the guid is hardcoded in the template and the code.

* CHM executes the JScript through XSLT transformation

## Defensive Considerations

* `Addinprocess.exe` will always launch with `/guid` and `/pid`. Baseline your environment for legitimate uses - monitor the rest

## Useful References:

    * https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html

    * https://www.netspi.com/blog/technical/adversary-simulation/re-animating-activitysurrogateselector/

## Readme / Credits

Code is based on the following repos:

    * https://github.com/tyranid/DeviceGuardBypasses/tree/master/CreateAddInIpcData

    * https://github.com/pwntester/ysoserial.net

Shouts to: 

* @m0rv4i for helping with C# nuances

* @ace0fspad3s for troubleshooting

* @ Nettitude RT for being awesome