14 Dec 2010
Smuggling .NET code inside batch files. Impossible? Who said that?
This will be a rather quick one. :-) Just check this out:
Create a batch (.bat) file with the following content and run it:
/*
@echo off && cls
rem Everything from the opening comment marker down to the closing one is a C# comment,
rem so csc.exe skips it, while cmd.exe executes it as an ordinary batch script.
rem Pick the newest csc.exe installed; later matches overwrite earlier ones.
set WinDirNet=%WinDir%\Microsoft.NET\Framework
IF EXIST "%WinDirNet%\v2.0.50727\csc.exe" set csc="%WinDirNet%\v2.0.50727\csc.exe"
IF EXIST "%WinDirNet%\v3.5\csc.exe" set csc="%WinDirNet%\v3.5\csc.exe"
IF EXIST "%WinDirNet%\v4.0.30319\csc.exe" set csc="%WinDirNet%\v4.0.30319\csc.exe"
if not defined csc exit /b 1
rem Compile this very file, using its full quoted path, into script.bat.exe, run it, then delete it.
%csc% /nologo /out:"%~f0.exe" "%~f0"
"%~f0.exe"
del "%~f0.exe"
exit
*/
class HelloWorld
{
    static void Main()
    {
        // Print a few environment details so the reader can see the compiled code really ran.
        System.Console.WriteLine("Greetings from IT Security Lab!");
        System.Console.WriteLine("-------------------------------");
        System.Console.WriteLine("RTM: " + System.Environment.Version);          // CLR version
        System.Console.WriteLine("User: " + System.Environment.UserName);
        System.Console.WriteLine("Machine name: " + System.Environment.MachineName);
        System.Console.WriteLine("OS version: " + System.Environment.OSVersion);
        System.Console.WriteLine("Stack trace: " + System.Environment.StackTrace);
        System.Console.ReadLine();   // keep the console window open until Enter is pressed
    }
}
I was absolutely amazed. The implications for security are... well... pretty complex. You are clever boys and girls, so you already know what can be done with it, right...
Found here: http://forum.antichat.ru/
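As an added example (not code from the post or from the forum it cites), here is a small Python detector for the shape of this trick: it flags a batch file whose first line opens a C-style comment, that feeds itself (%0) to csc, and that carries C# source after the comment closer, plus a process-creation check for csc.exe being handed a .bat/.cmd file as its source. The sample batch files and command lines are constructed for the demonstration.

```python
import re

# Constructed sample, not a real file from the post: the self-compiling batch/C#
# polyglot, shortened to the lines that matter for detection.
POLYGLOT_SAMPLE = r"""/*
@echo off && cls
IF EXIST "%WinDir%\Microsoft.NET\Framework\v4.0.30319\csc.exe" set csc="%WinDir%\Microsoft.NET\Framework\v4.0.30319\csc.exe"
%csc% /nologo /out:"%~0.exe" %0
"%~0.exe"
del "%~0.exe"
exit
*/
class HelloWorld { static void Main() { System.Console.WriteLine("hi"); } }
"""

# Constructed sample: an ordinary build script that hands csc.exe a normal .cs file.
BENIGN_SAMPLE = r"""@echo off
"%WinDir%\Microsoft.NET\Framework\v4.0.30319\csc.exe" /nologo /out:app.exe src\Program.cs
app.exe
"""

CSC_RE = re.compile(r"\bcsc(\.exe)?\b", re.IGNORECASE)
SELF_REF_RE = re.compile(r"%~?[a-z]*0\b", re.IGNORECASE)   # %0, %~0, %~f0, %~dpnx0 ...
CSHARP_RE = re.compile(r"\bstatic\s+void\s+Main\b|\bclass\s+\w+")
SCRIPT_ARG_RE = re.compile(r'"?[^"\s]+\.(bat|cmd)"?(?=\s|$)', re.IGNORECASE)

def polyglot_indicators(text):
    """Return the indicators of a self-compiling batch/C# polyglot found in a batch file."""
    lines = [ln.strip() for ln in text.splitlines()]
    found = []
    if lines and lines[0] == "/*":
        found.append("first line opens a C-style comment that hides the batch part from csc")
    if any(CSC_RE.search(ln) and SELF_REF_RE.search(ln) for ln in lines):
        found.append("csc invoked with the script itself (%0) as the source file")
    if "*/" in lines and CSHARP_RE.search("\n".join(lines[lines.index("*/") + 1:])):
        found.append("C# source follows the comment closer")
    return found

def is_self_compiling_polyglot(text):
    """Two or more independent indicators count as a confirmed polyglot."""
    return len(polyglot_indicators(text)) >= 2

def csc_compiles_script(cmdline):
    """Process-creation check: csc.exe handed a .bat/.cmd file as its source."""
    return bool(CSC_RE.search(cmdline) and SCRIPT_ARG_RE.search(cmdline))

if __name__ == "__main__":
    for name, sample in (("polyglot", POLYGLOT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_self_compiling_polyglot(sample), polyglot_indicators(sample))
```

The file check is meant for a scan of script directories or mail attachments; the command-line check is meant for Sysmon or EDR process-creation events, where a compiler started by cmd.exe with a script as input is a strong signal on its own.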
December 28th, 2010 - 20:30
“The implications for security are… well… pretty complex.”
Not really – there’s no security hole, since bad things can happen only if you’re running with admin rights in the first place. Why go to the bother of compiling a new EXE file? Just run a pre-built one.
December 28th, 2010 - 22:59
I agree, and I don’t agree. You don’t know with what user rights the code will be executed. In my understanding it is highly dependent on who is currently running the (presumably malicious) code. The batch file is actually creating and running executable binary code. And even this may not necessarily be the case: this may not be about stealing your password hashes – some other valuable information may be stolen (files, data, trade secrets, etc.) and sent over the internet to the attacker. If your personal firewall/IDS/IPS does not intercept a new executable which for some strange reason opens a connection to port 80 on a remote machine – well… it’s your unlucky day…
The rule of thumb is: no single piece of code (not to mention any binaries) should be able to be compiled/executed on my machine without my permission.