Compass Security has come up with a hacking challenge on their site. The challenge consists of a .NET client with some hidden functionality that the user needs to uncover. I decided to give it a try.
Tools used in the trade
Let’s run our .NET assembly and see what it looks like. It’s a normal Windows Forms application with just one button, which does nothing. I could not figure out anything else from the application.
Let’s open the assembly in Reflector and see what it’s doing.
From Reflector, I could figure out the following:
- The form actually has 3 buttons; 2 are hidden
- There is a BusinessClass class in the assembly which is invoked by the hidden buttons
- The visible button checks whether the user is Admin and hides or shows the other two buttons accordingly
Now, our job is to become the Admin :). This is the code called by the visible button, Identify me:
Clearly, our main interest is in the IsAdmin() function, which is defined as follows:
Hmmm. Very interesting!!! Do you understand what it is doing?
It basically retrieves the host name of our computer and, based on that hostname, gets all the IP addresses assigned to the network interfaces present in the system. If any of those IP addresses matches 218.104.22.1689, I am the Admin :).
Now, the interesting part here is that 222.214.171.1249 is actually an invalid IP address; otherwise I could have fooled the program by temporarily assigning this IP address to one of my interfaces, or even by writing it in the hosts file.
But since it’s an invalid IP, it will never be returned by the system API. So we must patch the program.
Let’s open the function in ILDASM and look at its disassembly.
There are several ways to do it. I will list them from most tedious to easiest:
- Export the classes from Reflector to a Visual Studio solution and change the IP address to our actual IP address. But then, why not just NOP out the call itself :). This requires boring effort.
- Use ILASM or any other utility to change the instruction ldstr “2126.96.36.1999” to an ldstr of the actual IP. Even this requires some effort.
- Easiest way: we can simply take advantage of if-else branch reversal.
Let’s take a look at the disassembly of the identifyuser() function:
If you look closely at the disassembly above, the instruction at IL_0006 is doing all the magic:
What this instruction means is that if the output of IsAdmin() is false, branch to the instruction at IL_0031, which is the one that hides the buttons. Now we can just reverse this instruction, i.e. make it brtrue.s. A quick look at MSDN tells me that its opcode is 2D, as opposed to 2C, which stands for brfalse.s.
Now we just need to fire up our favourite hex editor and change a single byte, from 2C to 2D.
Our target lies at offset 5CA, which I have already flipped from 2C to 2D as shown above. Let’s save the file and run it again.
Voilà!!! The administrative buttons are visible, and clicking them invokes the business functions, which fetch some HTML output over the internet :)
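From the defending side, the lesson is that a single-byte branch flip leaves the file the same size and otherwise identical, so only an integrity check catches it. The following is an added example (not code from the challenge or the post) that diffs an original and a patched byte image, names the IL branch opcode on each side of the change, and checks a release hash; the IL bytes are a constructed sample laid out like the identifyuser() body described above, with a placeholder method token.

```python
import hashlib

# Single-byte IL branch opcodes (ECMA-335 Partition III). brfalse.s (0x2C) and
# brtrue.s (0x2D) differ by one bit, which is why a one-byte flip reverses the branch.
IL_BRANCH_OPCODES = {
    0x2B: "br.s", 0x2C: "brfalse.s", 0x2D: "brtrue.s", 0x2E: "beq.s",
    0x2F: "bge.s", 0x30: "bgt.s", 0x31: "ble.s", 0x32: "blt.s",
    0x38: "br", 0x39: "brfalse", 0x3A: "brtrue",
}


def diff_bytes(original: bytes, patched: bytes):
    """Return (offset, old, new, old_name, new_name) for every differing byte.
    Names come from the IL branch table; an unknown byte is reported as '?'."""
    if len(original) != len(patched):
        raise ValueError("length differs; not a simple in-place patch")
    return [
        (i, a, b, IL_BRANCH_OPCODES.get(a, "?"), IL_BRANCH_OPCODES.get(b, "?"))
        for i, (a, b) in enumerate(zip(original, patched))
        if a != b
    ]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release_hash(data: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check a deployment can run before trusting the binary."""
    return sha256_hex(data) == expected_sha256_hex


# Constructed sample, NOT bytes from the challenge assembly: ldarg.0, call IsAdmin
# (0x28 + placeholder 4-byte token), brfalse.s +0x29 at IL_0006 (target IL_0031),
# then zero filler so the branch target lies inside the body.
ORIGINAL_IL = bytes([0x02, 0x28, 0x01, 0x00, 0x00, 0x06, 0x2C, 0x29]) + bytes(0x30)
_patched = bytearray(ORIGINAL_IL)
_patched[6] = 0x2D  # the one-byte flip described in the post
PATCHED_IL = bytes(_patched)

if __name__ == "__main__":
    for off, a, b, name_a, name_b in diff_bytes(ORIGINAL_IL, PATCHED_IL):
        print(f"offset 0x{off:X}: {a:02X} ({name_a}) -> {b:02X} ({name_b})")
    print("patched file matches release hash:",
          verify_release_hash(PATCHED_IL, sha256_hex(ORIGINAL_IL)))
```

The offsets reported are relative to the constructed byte string; against a real assembly they are file offsets, like the 5CA in the post.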