Introduction: This article extends the functionality of the Exchange one-liner backdoor. Taking the export of password hashes from the lsass process as an example, it introduces the implementation method of in-memory PE file loading, open-source test code, analyzes exploitation ideas, and provides defense recommendations.
0x00 Preface
This article will extend the functionality of the Exchange one-liner backdoor. Taking the export of password hashes from the lsass process as an example, it will introduce the implementation method of in-memory PE file loading, open-source test code, analyze exploitation ideas, and provide defense recommendations.
0x01 Introduction
This article will introduce the following content:
· Writing the Exchange One-Liner Backdoor
· Exporting the dmp file of the lsass.exe process by in-memory loading of .NET assemblies
· In-memory loading of Mimikatz and parsing of dmp files at specified locations by in-memory PE file loading
· Open-Source Code
· Defense Recommendations
0x02 Writing a One-Liner Backdoor for Exchange
(1) Basic Implementation Code
Sample Code as Follows:

The code checks whether the POST request contains a parameter named demodata. If it does, it Base64-decodes the content of the demodata parameter, loads the result into memory as an assembly, and calls the instance named Payload.
(2) Behinder Implementation Code
Default Startup Code as Follows:

Extracted Decryption Code Used Here as Follows:

The corresponding encryption code derived from the decryption code is as follows:

Using Behinder directly against Exchange causes an error. The reason for the error:

Here, you need to modify the web.config file corresponding to the Webshell path and find the location:

Just remove the line <remove name="Session" />.
Godzilla has the same issue.
(3) Modified implementation code
Under Exchange, using Session to transfer data should be avoided; instead, POST requests are used here to transfer data. The final code is as follows:

The parameter k in the POST request serves as the key, and the parameter data as the encrypted data. After decryption, it is loaded in memory and an instance named U is called.
The next two sections will introduce the client development details for connecting to the aforementioned Exchange one-liner backdoor.
0x03 Exporting the dmp file of the lsass.exe process by loading .NET assemblies in memory
Here, we need to implement the function of exporting the dmp file of the lsass.exe process using C#.
Create a new file dumplsass.cs with the following code:

Compile to generate a dll file with the following command:

The generated dumplsass.dll is the Payload data for exporting the dmp file of the lsass.exe process.
After loading, the dmp file of the lsass.exe process is obtained, saved at: C:\Windows\Temp\lsass.bin.
0x04 Loading Mimikatz in memory and parsing the dmp file at the specified location by loading PE files in memory
This is divided into two phases:
1. Implement parsing of the dmp file at the specified location and extraction of hashes in C++; this can be done by modifying the Mimikatz source code.
2. Implement the function of loading PE files in memory using C#.
1. Implement parsing of dmp files at specified locations and extract hashes via C++
Command for mimikatz to parse dmp files at specified locations:

Modifying the mimikatz source code involves the following two parts:
Manually pass command parameters and add the following code:

Specify the log save path as C:\\Windows\\Temp\\mimikatz.log and modify the following code:

Generate a new mimikatz.exe after compilation.
2. Implement the function of loading PE files into memory via C#
Use SharpPELoaderGenerater to read the newly generated mimikatz.exe and generate the usable memory-loading code SharpPELoader_x64.cs.
Note:
For the implementation details of memory loading, refer to the article Implementing PE File Memory Loading via .NET.
Modify the format of SharpPELoader_x64.cs so that it can be loaded by the Exchange one-liner backdoor; the complete code has been uploaded to GitHub, with the address as follows:
https://github.com/3gstudent/test/blob/master/SharpPELoader_parselsass.cs
Compile to generate the DLL file; the command is as follows:

The generated SharpPELoader_parselsass.dll is the Payload data that loads Mimikatz in memory, parses the dmp file C:\Windows\Temp\lsass.bin, and saves the exported results as C:\Windows\Temp\mimikatz.log.
0x05 Open Source Code
The complete client code has been uploaded to GitHub; the address is as follows:
https://github.com/3gstudent/Homework-of-C-Sharp/blob/master/SharpExchangeDumpHash.cs
Developed in C#; supports .NET 3.5 and later versions.
The compilation command is as follows:

The code supports the following three functions:
· generate: generate an Exchange one-liner backdoor
· dumplsass: get the lsass process dmp file
· parsedump: parse the dmp file and export the hash
When connecting to the Exchange one-liner backdoor, you can choose whether to log in with credentials; communication data is encrypted using AES.
Code Details:
In the POST request, parameter k serves as the key, and parameter data as the encrypted data.
The string base64dumplsass is the Base64-encoded result of dumplsass.dll.
The string base64parsedump is the Base64-encoded result of parsedump.dll.
0x06 Defense Recommendations
For Exchange one-liner backdoors, it is not enough to check for newly written files; you also need to determine whether malicious content has been inserted into normal pages.
In static analysis, you can check whether aspx files contain sensitive functions related to memory loading:
· Assembly.Load
· Assembly.LoadFrom
· Assembly.LoadFile
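As an added example for the static check above (not code from the original article), the following Python scanner walks a directory assumed to hold a copy of the Exchange web root, reports every Assembly.Load / LoadFrom / LoadFile reference with its line number, and compares each page against a baseline of known-good hashes so that a normal page with inserted content is flagged as well as a new file. The sample tree in demo() is constructed for illustration.

```python
# Added example (not from the original article): static scan of copied .aspx
# files for the in-memory loading calls named above, plus a baseline-hash
# comparison so tampered "normal" pages are caught, not only new files.
import hashlib
import os
import re
import tempfile

# \b on both sides so "Assembly.Load" does not also match inside LoadFile.
SENSITIVE = re.compile(r"\bAssembly\.(Load|LoadFrom|LoadFile)\b")

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_aspx_tree(root, baseline=None):
    """Return (relative path, kind, detail) tuples; kind is 'sensitive-call',
    'new-file' or 'modified'. baseline maps relative path -> known-good SHA-256."""
    baseline, findings = baseline or {}, []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    if SENSITIVE.search(line):
                        findings.append((rel, "sensitive-call", f"line {lineno}: {line.strip()}"))
            if baseline and rel not in baseline:
                findings.append((rel, "new-file", sha256_of(path)))
            elif baseline and baseline[rel] != sha256_of(path):
                findings.append((rel, "modified", sha256_of(path)))
    return findings

def demo():
    """Run the scanner over a constructed sample tree (not real Exchange files)."""
    clean = '<%@ Page Language="C#" %>\r\n<html><body>logon</body></html>\r\n'
    # Constructed: a normal page with one loader line inserted, and a new dropped page.
    tampered = clean.replace("<html>", "<% System.Reflection.Assembly.Load(payloadBytes); %>\r\n<html>")
    dropped = '<% Assembly.LoadFile(@"C:\\Windows\\Temp\\x.dll"); %>\r\n'
    with tempfile.TemporaryDirectory() as root:
        for rel, text in (("owa/auth/logon.aspx", tampered), ("aspnet_client/x.aspx", dropped)):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8", newline="") as f:
                f.write(text)
        baseline = {"owa/auth/logon.aspx": hashlib.sha256(clean.encode()).hexdigest()}
        return scan_aspx_tree(root, baseline)
```

Point scan_aspx_tree at an offline copy of the web root and a baseline taken from a clean installation; every 'modified' or 'new-file' hit that also carries a 'sensitive-call' deserves manual review.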
0x07 Summary
This article extends the functionality of the Exchange one-liner backdoor. Taking the export of password hashes from the lsass process as an example, it introduces the implementation method of in-memory PE file loading, open-sources the test code, analyzes exploitation ideas, and provides defense recommendations.