Published: 05 Oct 2015 - 07:35 -0500
One of the best resources for persistence mechanisms is Hexacorn’s blog. http://www.hexacorn.com/blog/category/autostart-persistence/
If you haven’t checked out his 32-post “Beyond good ol' Run key” series (linked above), you really should. But today I wanted to talk about one that I didn’t see up there:
DNVM (https://github.com/aspnet/dnvm) is the DotNet Version Manager and it’s a part of ASP.NET 5, which I believe has been inside of Visual Studio since the 2013 version. It’s there to help specify which runtime to use for applications, much like RVM (Ruby Version Manager) does for Ruby. The goal is that you can install .NET and run .NET applications on Linux and Mac as well using DNVM.
Once installed it adds a “DNX_HOME” environment variable:
Inside the folder specified are 3 directories:
There are plenty of things to play with in here, but I wanted to specifically point out that the BIN directory is put into the $PATH variable (as well as two others):
C:\WINDOWS\system32\config\systemprofile\.dnx\bin (DOES NOT EXIST BY DEFAULT)
C:\Program Files\Microsoft DNX\Dnvm\
C:\Users\mubix\.dnx\bin
Ok, not a big deal, right? Even a user under UAC can edit their own $PATH variable (we’ll come back to that in another post).
Let's take a look at what is in those folders:
Interesting, why don’t we see what the command dnvm does:
Seriously… I probably don’t even have to continue at this point…
But, if I run dnvm from the command prompt (as a developer would) it runs it from inside that protected directory in Program Files right?… RIGHT?! Nope..
Edit the dnvm.cmd with a bit of PowerShell Empire stager (minus the -W Hidden, because we need the user to actually get the output of the dnvm command) and….
[+] Initial agent UU2YKZ3VDG2AUKFY from 192.168.1.109 now active
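To audit a workstation for the condition shown above (a copy of dnvm in a per-user PATH directory winning over the one in Program Files), the following PowerShell walks PATH in order and reports where the command resolves and whether the current account can write there. It is an added example, not code from the original post or from the DNVM project; the `Test-UserWritable` helper and the variable names are hypothetical, and the ACL check is an approximation.

```powershell
# Added audit example; not from the original post. Run from a non-elevated prompt.
$Command   = 'dnvm'   # command to resolve (the post's case)
$writeMask = 0x6      # FileSystemRights: WriteData/CreateFiles (0x2) + AppendData (0x4)

# SIDs of the current user and of the groups in its token.
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Hypothetical helper. Approximate check: does an Allow ACE give one of those SIDs
# the right to create files in $Dir? Deny ACEs and ownership are not evaluated.
function Test-UserWritable([string]$Dir) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try { $rules = (Get-Acl -LiteralPath $Dir -ErrorAction Stop).GetAccessRules($true, $true, $sidType) }
    catch { return $null }   # ACL not readable from this account
    foreach ($r in $rules) {
        $inheritOnly = $r.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($r.AccessControlType -eq 'Allow' -and -not [int]$inheritOnly -and
            $sids -contains $r.IdentityReference.Value -and
            ([int]$r.FileSystemRights -band $writeMask)) { return $true }
    }
    return $false
}

# Walk PATH in resolution order; in each directory try the PATHEXT extensions in order.
$order  = 0
$report = foreach ($entry in ($env:Path -split ';' | Where-Object { $_.Trim() })) {
    $dir    = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    $exists = Test-Path -LiteralPath $dir -PathType Container
    $hit    = if ($exists) {
        $env:PATHEXT -split ';' | ForEach-Object { Join-Path $dir "$Command$_" } |
            Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
            Select-Object -First 1
    }
    [pscustomobject]@{
        Order    = (++$order)
        Dir      = $dir
        Exists   = $exists      # PATH entries that do not exist deserve review too
        Writable = if ($exists) { Test-UserWritable $dir }
        Hit      = $hit
    }
}
$report | Format-Table -AutoSize -Wrap

# The first directory with a hit is the copy that actually runs.
$winner = $report | Where-Object { $_.Hit } | Select-Object -First 1
if ($winner -and $winner.Writable) {
    Write-Warning "'$Command' runs from $($winner.Hit), which this account can modify without elevation"
}
```

The built-in `where dnvm` (cmd.exe) and `Get-Command dnvm -All` (PowerShell) list the same candidates in order but do not show directory permissions.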
Let's look a bit into how DNVM works to see if there is something juicier there (way too much for a single blog post)
Awesome! So I can modify things in the runtime directory. Let's look in there:
Lots of fun, but we still have to wait until they run some C# code with that runtime and guess which one they will use (or backdoor all of them). I would rather just make a modification to the dnvm.cmd and be done with it. Simple and clean.
Oh did I mention that this is used to cross compile binaries? Ya, oh ok, so you can infect the built binaries, or web apps for Windows, Linux and OSX…
Oh and one other thing caught my eye while I was looking into the DNVM.ps1 script:
P.S. Unquoted paths FTW: https://github.com/aspnet/dnvm/pull/357