Tags: c#, trojan

Have trojan code execute wrapped binary


Let me preface this by saying that it has been migrated from security.stackexchange to here on stackoverflow. Additionally, I understand any concerns that stack members may have; seeking out security-sensitive knowledge is a potential double-edged sword for anyone involved. I personally believe that it is of great importance that vulnerabilities and exploits be spoken of publicly, as it presents the community with the opportunity to address the issue.

My goal:

  • Have a custom coded, malicious C# application execute the legitimate application it is wrapped with after performing its task.
    • Our target system has all the necessary frameworks in place to support the code.

Problem:

  • Wrappers discretely execute both wrapped binary files independently of one another.
    • I need the malicious file to trigger the legitimate file after requesting elevated privileges.
    • This will simulate the single privilege elevation request that the legitimate file normally performs on installation.

Question:

  • Is there a way that a C# application can be coded such that it can execute a binary file it is "wrapped" with?
    • I do not fully understand what is happening to the wrapped binaries and might be asking this question incorrectly.

Background:

My group will be conducting a pen test in the next couple of months and we have already identified a customer flaw. A specific software suite utilized by the customer requires a full reinstall each time it is updated. This reinstall requires privilege escalation and we have already demonstrated that tainted media with a custom coded trojan horse could result in a compromise on their devices / network.

There are a number of solutions the customer could employ to ensure that their application installer has not been tampered with.

Edit: It appears that "executing wrapped binary" addresses how to do this in assembly, not in a higher-level language. Still might be a useful lesson...


Solution

  • Good app... (compile this app first)

    using System;
    
    namespace App
    {
        class Program
        {
            static void Main(string[] args)
            {
                Console.WriteLine("Hello World!");
            }
        }
    }
    

    BadApp... (include the above app as an embedded resource)

    using System;
    using System.IO;
    using System.Reflection;
    
    namespace BadApp
    {
        class Program
        {
            static void Main(string[] args)
            {
                Console.WriteLine("do bad");
    
                Assembly good = null;
    
                // Read the embedded "good" assembly out of this assembly's manifest resources
                // (the first resource is assumed to be the embedded App.exe).
                var ea = Assembly.GetExecutingAssembly();
                using (var rs = ea.GetManifestResourceStream(ea.GetManifestResourceNames()[0]))
                using (var ms = new MemoryStream())
                {
                    rs.CopyTo(ms);
                    good = Assembly.Load(ms.ToArray());
                }
    
                // Hand control to the embedded assembly's Main, passing our own args through.
                var ep = good.EntryPoint;
                ep.Invoke(null, new [] {args});
    
                Console.WriteLine("ha ha too late");
            }
        }
    }
    

    ... output from running BadApp

    do bad
    Hello World!
    ha ha too late
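
From the defender's side, the pattern in the answer above (a legitimate executable carried as an embedded manifest resource and launched from the wrapper's Main) is something the customer's build or release checks can look for directly. The following is an added example, not code from the question or the answer: it opens a managed assembly with System.Reflection.Metadata, which parses the PE and metadata tables without loading or executing the file, and reports every embedded resource whose payload starts with the "MZ" header of a PE image. The class and method names and the file path are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

static class EmbeddedPeScanner
{
    // Returns the names of embedded manifest resources whose data begins with "MZ".
    // The file is only parsed (PEReader), never loaded into an AppDomain, so no code in it runs.
    public static List<string> FindEmbeddedExecutables(string assemblyPath)
    {
        var hits = new List<string>();

        using (var fs = File.OpenRead(assemblyPath))
        using (var pe = new PEReader(fs))
        {
            // Native PE files without a CLI header have nothing to inspect here.
            if (!pe.HasMetadata)
                return hits;

            MetadataReader md = pe.GetMetadataReader();

            // The CLI header points at the block that holds all embedded resource blobs.
            DirectoryEntry resDir = pe.PEHeaders.CorHeader.ResourcesDirectory;
            if (resDir.Size == 0)
                return hits;

            PEMemoryBlock block = pe.GetSectionData(resDir.RelativeVirtualAddress);

            foreach (ManifestResourceHandle handle in md.ManifestResources)
            {
                ManifestResource res = md.GetManifestResource(handle);

                // A non-nil Implementation means the resource lives in another file or assembly;
                // only nil (embedded) resources carry their bytes in this image.
                if (!res.Implementation.IsNil)
                    continue;

                int offset = checked((int)res.Offset);
                if (offset < 0 || offset + 4 > block.Length)
                    continue;

                // Each embedded resource is stored as a 4-byte little-endian length followed by the data.
                BlobReader reader = block.GetReader(offset, block.Length - offset);
                int length = reader.ReadInt32();
                if (length < 2 || length > reader.RemainingBytes)
                    continue;

                byte b0 = reader.ReadByte();
                byte b1 = reader.ReadByte();
                if (b0 == (byte)'M' && b1 == (byte)'Z')
                    hits.Add(md.GetString(res.Name));
            }
        }

        return hits;
    }

    static void Main(string[] args)
    {
        // Assumed usage: EmbeddedPeScanner.exe <path-to-installer-or-assembly>
        string path = args.Length > 0 ? args[0] : "BadApp.exe";
        foreach (string name in EmbeddedPeScanner.FindEmbeddedExecutables(path))
            Console.WriteLine("embedded PE image found in resource: " + name);
    }
}
```

Run against the BadApp build from the answer, this reports the embedded App.exe resource; run against the unmodified App.exe, it reports nothing. A hit is a signal to investigate, not proof of tampering (some legitimate installers do embed payloads), so this check complements rather than replaces verifying the vendor's Authenticode signature and published hash on the installer before it is allowed to request elevation.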