.-.
[.-''-.,
| //`~\)
(<| 0\0|>_
";\ _"/ \\_ _,
__\|'._/_ \ '='-,
/\ \ || )_///_\>>
( '._ T |\ | _/),-'
'. '._.-' /'/ |
| '._ _.'`-.._/
,\ / '-' |/
[_/\-----j
_.--.__[_.--'_\__
/ `--' '---._
/ '---. -'. .' _.-- '.
\_ '--.___ _;.-o /
'.__ ___/______.__8----'
c-'----'
Lefty @lefterispan - Nettitude Red Team - 2022 / 2023
Aladdin is a payload generation technique based on the work of James Forshaw (@tiraniddo) that allows the deseriallization of a .NET payload and execution in memory. The original vector was documented on https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html.
By spawning the process AddInProcess.exe
with arguments /guid:32a91b0f-30cd-4c75-be79-ccbd6345de99
and /pid:
, the process will start a named pipe under \\.\pipe\32a91b0f-30cd-4c75-be79-ccbd6345de99
and will wait for a .NET Remoting object. If we generate a payload that has the appropiate packet bytes required to communicate with a .NET remoting listener we will be able to trigger the ActivitySurrogateSelector class from System.Workflow.ComponentModel. and gain code execution.
Originally, James Forshaw released a POC at https://github.com/tyranid/DeviceGuardBypasses/tree/master/CreateAddInIpcData
. However this POC will fail on recent versions of Windows since Microsoft went ahead and patched the vulnerable System.Workflow.ComponentModel (https://github.com/microsoft/dotnet-framework-early-access/blob/master/release-notes/NET48/dotnet-48-changes.md).
Nick Landers (@monoxgas) however, identified a way to disable the check that Microsoft introduced and wrote a detailed article at https://www.netspi.com/blog/technical/adversary-simulation/re-animating-activitysurrogateselector/ . The bypass is documented at pwntester/ysoserial.net#41 .
Aladdin is a payload generation tool, which using the specific bypass as well as the necessary header bytes of the .NET remoting protocol is able to generate initial access payloads that abuse the AddInProcess
as originally documented.
The provided templates are:
* HTA
* VBA
* JS
* CHM
In order for the attack to be successfull the .NET assembly must contain a single public class with an empty constructor to act as the entry point during deserialization. An example assembly has been included in the project.
public class EntryPoint {
public EntryPoint() {
MessageBox.Show("Hello");
}
}
Usage:
-w, --scriptType=VALUE Set to js / hta / vba / chm.
-o, --output=VALUE The generated output, e.g: -o
C:\Users\Nettitude\Desktop\payload
-a, --assembly=VALUE Provided Assembly DLL, e.g: -a
C:\Users\Nettitude\Desktop\popcalc.dll
-h, --help Help
AddInProcess.exe
that gets spawned from the HTA / JS payload. The spawning of the processes currently happens using the 9BA05972-F6A8-11CF-A442-00A0C90A8F39 COM object (https://dl.packetstormsecurity.net/papers/general/abusing-objects.pdf) which will launch the process as a child of Explorer.exe
process.AddInProcess.exe
can be user controlled. At the moment the guid is hardcoded in the template and the code.Addinprocess.exe
will always launch with /guid
and /pid
. Baseline your environment for legitimate uses – monitor the restThe cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…