Reversing & Patching .NET Applications using Damn Vulnerable Thick Client App
Background:
In the previous article, we discussed how .NET applications can be reverse engineered using dotPeek to view the source code of a .NET assembly. We also discussed how one can write their own application to decrypt the database credentials of DVTA using the decryption logic exposed in the application's source code. In this article, we will discuss how to patch .NET applications to modify the application's logic.
Sometimes, it is essential to modify the application logic to exploit some vulnerabilities. DVTA has a specific example to demonstrate how one can achieve privilege escalation by patching the .NET assembly. This patching can be done in multiple ways, as there are several tools available to do it. Let us patch the DVTA application without any third-party tools, using only ildasm and ilasm, which are provided by Microsoft.
Ildasm.exe is a disassembler included with the .NET Framework SDK. It can parse any .NET Framework .exe or .dll assembly and show the information in a human-readable format known as CIL (Common Intermediate Language).
In my case ildasm is found at the following location.
C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\ildasm.exe
Ilasm.exe is an IL assembler, which takes IL code as input and generates a portable executable (PE) file. This tool comes pre-installed with Visual Studio, and it is found in the following location in my case.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
Well, you should get the point by now. We are going to patch the DVTA application by disassembling the file into IL code, making changes to it, and finally reproducing the .exe file with the changes made. The following figure shows a pictorial representation of this.
Now that we have the whole environment set up, the question is: what to patch?
DVTA provides role-based access. This means the user Rebecca cannot access the Admin functionalities available in the application. Let us check how this is implemented.
Note: We are going through the source code from the GitHub page, but this can also be seen in the decompiled code.
Navigate to the Login.cs file, where the login functionality is implemented.
Search for the btnLogin_Click method and observe the code used to verify whether the user is an admin.
You should have gotten the point. When the user attempts to log in, a value comes back from the database that decides whether the user is an admin. That value is checked in the code as shown in the preceding figure. So, if this value is 1, the application shows the admin's screen.
Obviously, when a normal user like Rebecca logs in, the application doesn't get 1 from the database, so it doesn't log you in as admin. What if we slightly modify the logic and compare the value against 0 instead? Yes, we will be logged in as Admin with normal user credentials.
Let's do it!
First, let us generate IL code from DVTA.exe. We can do it by using ildasm.exe as mentioned earlier. The command shown in the following figure can be used to do it.
The above command will open DVTA.exe in ildasm as shown in the figure below.
Now, go to File | Dump.
The above step results in the following window.
Click OK to get the IL code and save it as DVTA.il when prompted.
Now, you should see the following files in the destination where DVTA.il is saved.
You may open this IL code with any text editor such as Notepad++, and you should be able to see the disassembled code. It looks as shown in the figure below.
Well, we now need to find the instructions where the value of isadmin is checked. Let us search for it within Notepad++ using its Find function.
As you can see in the preceding figure, there are four matches for isadmin.
Locate the isadmin within the instructions shown in the figure below.
The following is done when the above instructions are executed:
- The value of the local variable isadmin is pushed onto the stack.
- Then, the value 1 is pushed onto the stack.
- If the two values are equal, execution branches to the target address.
You may refer to the following URL for more information about IL instructions if you are interested.
https://en.wikipedia.org/wiki/List_of_CIL_instructions
As discussed earlier, the idea is to compare the isadmin value against 0 rather than 1. So, let's modify the value 1 to 0 and save the changes to the DVTA.il file. Now, the instructions should look as shown in the figure below.
These instructions do the same thing as before, except that we push 0 onto the stack instead of 1.
Nice, it is time to rebuild the code and generate a new executable file. As mentioned earlier, we are going to use ilasm.exe to assemble the IL code into a new Portable Executable file. The following command can be used to do it.
In the above command, ilasm.exe takes the modified DVTA.il file as input. Hit Enter, and you should see a new file named DVTA in your current folder.
Copy the newly created DVTA file and place it in the folder where the original DVTA binary is located.
You can see the difference in file size between the original DVTA (217 KB) and the modified DVTA (183 KB).
Now, launch the new DVTA.exe file and log in as Rebecca using the following credentials.
Username: rebecca
Password: rebecca
You should magically land on the Admin screen, as shown in the figure below.
Congrats! You have successfully patched the DVTA application and modified its original functionality.
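A patch of this kind is easy to spot after the fact if you keep the ildasm dump of your reference build and compare it with the dump of the binary actually deployed. The following Python script is an added example (not code from the article or from DVTA): it parses two constructed IL fragments that imitate the btnLogin_Click listing and reports every instruction that differs, which for the edit above is the single ldc.i4.1 that became ldc.i4.0.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed IL fragment imitating the ildasm dump of DVTA's btnLogin_Click.
# It is NOT the real DVTA disassembly: offsets and branch targets are illustrative.
ORIGINAL_IL = """
.method private instance void btnLogin_Click(object sender, class [mscorlib]System.EventArgs e) cil managed
{
  .locals init ([0] int32 isadmin)
  IL_0000:  nop
  IL_0001:  ldloc      isadmin
  IL_0005:  ldc.i4.1
  IL_0006:  beq        IL_000c
  IL_000b:  ret
  IL_000c:  ret
}
"""
# The same dump after the patch described in the article (constant 1 replaced by 0).
PATCHED_IL = ORIGINAL_IL.replace("IL_0005:  ldc.i4.1", "IL_0005:  ldc.i4.0")

METHOD_RE = re.compile(r"^\s*\.method\b.*?\s(\w+)\(")                 # ".method ... name("
INSTR_RE = re.compile(r"^\s*(IL_[0-9a-fA-F]{4}):\s+(\S+)(?:\s+(.*))?$")  # "IL_xxxx:  opcode operand"


def parse_il(text: str) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Map (method name, IL offset) -> (opcode, operand) for an ildasm text dump."""
    instructions: Dict[Tuple[str, str], Tuple[str, str]] = {}
    method = "<global>"
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m:
            method = m.group(1)  # entering a new .method block
            continue
        m = INSTR_RE.match(line)
        if m:
            offset, opcode, operand = m.groups()
            instructions[(method, offset)] = (opcode, (operand or "").strip())
    return instructions


def _fmt(instr: Optional[Tuple[str, str]]) -> str:
    return "<missing>" if instr is None else f"{instr[0]} {instr[1]}".rstrip()


def diff_il(reference: str, candidate: str) -> List[str]:
    """List every instruction whose opcode or operand differs between the two dumps."""
    ref, cand = parse_il(reference), parse_il(candidate)
    findings = []
    for method, offset in sorted(set(ref) | set(cand)):
        if ref.get((method, offset)) != cand.get((method, offset)):
            findings.append(f"{method} {offset}: {_fmt(ref.get((method, offset)))} "
                            f"-> {_fmt(cand.get((method, offset)))}")
    return findings


if __name__ == "__main__":
    print("\n".join(diff_il(ORIGINAL_IL, PATCHED_IL)) or "no differences")
```

On real dumps, run ildasm with the same options on both assemblies so that only genuine code changes, not formatting differences, show up in the report.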
Conclusion:
In this article, we discussed how to perform .NET application patching using the ildasm and ilasm utilities to modify the functionality of a .NET assembly. In the next article, we will discuss DLL hijacking in thick client applications, specifically in DVTA.