Abusing RWX-S Binaries For Post-exploitation

so I'm going to have to rush through the first few bits because it's a lot of theory yeah um so I work in instant response I'm basically a blue teamer I do like a bit of red teaming but uh you know most of my work is you know coding Automation and stuff I've been associated with my local Defcon chapter but this is my first time at bides and let's see how it goes so P files for some background uh these are compiled files they cannot be read Asis they code all the functions and so on the ancestors include ms. CX with the MZ which is pretty common uh and it was originally meant to be 32bit uh it was

supposed to be a container for Doc net assemblies because that's what Microsoft preferred and then over time it's evolved you know to be more generic uh include 64 bits and of particular note is dynamic link libraries because we'll be using that uh these include the abstracted functions and unlike typical PS which are meant to be the base for your processes DLS are going to to be your centralized R functions which your multiple processes can rely on to reuse code yep and uh just a high level overview basic sections would be a Dos header a p header and several sections dos headers just for compatibility P header defines the metadata and the sections which we'll get to in just a

second uh kind of looks like this your dos header your various heads and then these basically compartmentalize your data which your raw data which includes in which is included in the p and divides them into meaningful sections for example the text would include the code for your program uh your data and our dat would include your Global variables static variables and so on uh a process um it's an instance of a program and of particular note is a structure called eess within the K and it represents everything that related to a process it's structure it's attribute and so on and when a process uh comes you know to be born it gets a p ID which

is an integer value or it's called a handle and it uses the PE file to build a structure and Define which tasks it needs to be execute WR so uh and the PEB uh is a substructure within that uh you know to which the eess points to and it holds uh the Heap manager and lots of associated stuff so if you look at it like this uh this is the memory mapping of a process and you can see the P there in like the fourth line and the rest is stuff like your stack he your various DLS and so on rwx is binaries and this is what I'm here to talk about so typically uh I

just mentioned about the compartmentalization using section headers they Define how a section of memory would behave when they map to a process and typically they're supposed to be readable executable and writable but I'm talk going to be talking today about something called sharable or S and these are defined by the top four bits uh of the uh characteristics property the characteristics if you would like to see here is uh you know you know 4 bytes 32 bits and if you see there at the very corner you would see uh is executable is writable sharable and so on so uh if just two of them are set it's just these two bits here that'll be 4+ 2 six and if

all of them are set it becomes F which is shown by the blocks in blue yeah and this uh is what happens when you turn that bit on this is my malicious process that's a notepad both of them are loading the mcdl uh common L and you can see they both load at the very same memory address uh ending in 4 zeros now uh this is not a relatively New Concept it's been uh in research since at least 2004 but a particular note is is a research by someone called Bill who actually uh hunted for this using vt's retr hunt functionality to find a lot of existing BLS which can be abused uh to leverage this function sorry for running

through all that uh let's go a bit slower now now now I built a little tool to bring this uh concept uh into you know the real world is it in C uh I wrote it in net 6 for long-term support and uh a lot of uh the base coding is uh passing it from unmanaged code or raw binary data so I to use spoke and uh it's supposed to be good with Lucy C and highly cohesive but yeah 64bit uh as well so uh just a quick run through of uh how the menu looks which I spent a insane amount of time more than the coding uh the target D you just put in

your part you uh you have it written right there and you get a a set of options uh to set to select which particular section you want to modify whether you want to change it whether to even add a whole new section if you'd like and uh once you uh select your dll you get to choose which section you want as if you remember uh this this just has six which means it's just two bits being set and if all was set it would have been F and that's going to be a uh are fine lame so once you select the section to modify it will modify it and create a copy of that DL within a subfolder right

there and that will be automatically loaded into the pro program as well so once you do that uh you have the option to uh you know load it into the process in order to manipulate the memory and then when you check the sections again you can see the one that was six earlier changes to F meaning we've essentially made that section into a sharable section and uh this is me selecting it again and once you do that you select a payload as well now uh a payload is usually your shell code uh which you use when any typical injection uh uh sort of Engagement and you can select either the starting address of that full section or

even a specific function now those are familiar with export address tables would know if you have a code block it would export a whole list of functions you can specifically Target a single function within it to give you more fine green control we'll get to that uh in demo towards the end so once you've set all all that uh and you've finalized on what you want to Target uh you know you select a payload uh with the attack and you can write it in so to write it in you have to again select a process uh if you have multiple processes it gives you an option to select which one you would like and then uh you basically inject

into it now there's uh this was written in a kind of modular format in the hope that if someone would like to bring in new injection techniques they can just add them in right here so this is what I have for now the classic create remote thread is what I use but you can use holl hering whatever you like you select the process you inject the DL in so now uh what's happened is we created a modified dll that has the sharable property and we forcibly injected it into a Target process but uh nothing else as as if now so once that's done you can even erase it we will get to that soon and you execute the return

payload with create remote thread sorry if that seemed like a blur because uh the demo or the fake demo will be looking like this so once you execute the command uh one of the first things I tried was your classic calc popper now I'd like to particularly uh show you what happened now I targeted this notepad process right here but if you notice a ghost kind of notepad process also spawned up now what happened here is uh usually if you think of Shell Code if this is the legit code and you insert your shell code in what happens is it goes through the code and then it may it's some random code there and it'll cause your program to crash

it's very unlikely that it'll be perfectly aligned to get some uh decent or legitimate bit of code it'll be just random Gish at that point so what I've been uh able to do is add something called a return code stub which uh may have been missed uh while I've been showing you um yeah it's all right yes what what it essentially does is it finds the entry point or the main function of this process adds a jump instruction at the end of the payload so that once you're done with the code it calls that function again so this is interesting in Windows 10 because instead of uh keeping the original process it just spawn the ghost process

entirely and then the c pop but you cannot see it in a process St just looks pretty legit this was my test bed um I tested on a variety of platforms uh it doesn't work on any of the older ones just up to Windows 10 uh the uh property I noted of the new notepad in is also noted but there's absolutely no difference on a bare metal machine and a virtualized instance now two very specific use cases which I will be taking a bit more time to explain first is forensic EV evasion so uh the state right now we've created the dll which has the shared property set in uh the target process has been uh

loaded with the DL as well and we're going to write it and use a Yara scanner to check if we erase it on the point will it still continue to be picked up by Yara scan so uh typical scenar scario you have my uh malicious process here I have the notepad process loaded with uh the fake dll and the codes right there because we've written it uh this is the AR scanner I built up it's very simple it's basically checking for Strings let's just Cal or create process and the hex equivalence so now uh if you notice this is a notepad process and that's its memory foot uh footprint and if you notice uh the Y scanner managed to find

all of them now this is at the point where we've just hidden write payload and obviously if you remember I talked about something called Erase payload what it essentially does it keeps a cache of the data it it has replaced and replaces that old cache of data of legit data again so now remember we are not interacting directly with the target notepad process at all we just changing it on uh the memory maap in our DL within our process memory space and when you do that uh the r file does not manage to match it again so forensic evation uh as one post exploitation application second one is a bit more interesting it's privilege escalation so

I have a dummy admin process which is privileged and my uh malicious process is going to be R running unprivileged uh it will still create the DL but uh the malicious uh sorry the privileged admin process is going to load it from a fixed path and there is no user called Boku at the moment on the system but we're going to see what happens so this is my dumy code uh as you can see it just references a hardcoded DL path without any other checks and once it does that uh it specifically calls a function called MC initialize as you can see and this is what we're going to leverage with the specific uh function targeting function

uh functionality so if you notice here uh this is the uh dummy admin process it's elevated while my process is not elevated and if you get back uh the memory is written it's all there there and if you notice at the moment uh if you use a net user uh these are the only users that are there there isn't a Boku user yet and once you uh run the execute payload opt now you do not run the execute payload unlike the previous one because this code is capable of directly calling the MC initialize we just patch the MC initialize function over there it's only the and this uh privileged function will automatically call it next the moment you execute that

suddenly a Boku user is added and they are also added to the administrators and remote desktop users group and uh that is my story of how I built that tool which does hopefully a bit of uh post exploitation thank you