The Curious Case of Aspnet_Compiler.exe

Hey all,

This post explores code execution with aspnet_compiler.exe. I'm going to outline how to use the Microsoft-signed executable to load and execute a local DLL build provider, and briefly discuss defensive opportunities. Before going further, I would like to thank Lee Kagan and Antonlovesdnb for looking at BringYourOwnBuilder from a defensive standpoint.

BringYourOwnBuilder

A couple of weeks ago I was poking around the Microsoft.NET directory and came across aspnet_compiler.exe. Naturally, anything named *_compiler.exe is eyebrow-raising, so I decided to take a look at the command-line options; there was quite a bit to drink in.

[image: aspnet]

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u

Inspecting the command above with procmon gives the following results.

[image: aspnet2]

While searching to get a better understanding of a typical web.config file, I eventually stumbled across a Stack Overflow post that included one especially interesting element: buildProvider. To feel out this element further I used the following web.config file, again inspecting the result with procmon.

[image: aspnet8]

[image: aspnet9]

It seems aspnet_compiler.exe is trying to use BringYourOwnBuilder.(dll|exe) to build the .wtf file during compilation. The Microsoft documentation page provided insight into the BuildProvider class and its methods. The code execution opportunity comes from overriding the GenerateCode method; the proof-of-concept code follows.

[image: aspnet10]

Running aspnet_compiler.exe with the following folder structure gives us a very true message box.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
c:\users\cpl.internal\desktop\asptest\web.config
c:\users\cpl.internal\desktop\asptest\App_Code\habssuck.wtf :)
c:\users\cpl.internal\desktop\asptest\bin\BringYourOwnBuilder.dll
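As an added example (not code from the original post), here is a small Python hunt script that parses an application web.config and flags buildProvider registrations pointing at a non-framework assembly, i.e. the builder aspnet_compiler.exe would load from bin\ in the layout above. The sample config, the provider type name and the ".foo" entry are constructed assumptions modelled on the post, not copied from it.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.config described in the post; the
# type and assembly names are assumptions, not copied from the original.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation>
      <buildProviders>
        <add extension=".wtf" type="BringYourOwnBuilder.WtfProvider, BringYourOwnBuilder" />
        <add extension=".foo" type="System.Web.Compilation.PageBuildProvider, System.Web" />
      </buildProviders>
    </compilation>
  </system.web>
</configuration>
"""


def parse_type_attribute(type_attr):
    """Split 'Namespace.Type, Assembly, Version=...' into (type, assembly)."""
    parts = [p.strip() for p in type_attr.split(",")]
    return parts[0], (parts[1] if len(parts) > 1 else "")


def find_build_providers(web_config_xml, app_root=None):
    """One dict per <buildProviders><add>. An entry is flagged when its assembly
    is not a framework one (System.*): a custom builder that aspnet_compiler.exe
    would load from bin\\ and execute. The name check is a triage hint only,
    since nothing stops a builder assembly from being named System.Something."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # iter() rather than a fixed path so <buildProviders> nested under
    # <location> wrappers is found as well.
    for providers in root.iter("buildProviders"):
        for add in providers.findall("add"):
            type_name, assembly = parse_type_attribute(add.get("type", ""))
            finding = {
                "extension": add.get("extension", ""),
                "type": type_name,
                "assembly": assembly,
                "suspicious": not assembly.startswith("System."),
            }
            if app_root is not None and assembly:
                # Where the compiler picks the builder up (post: bin\BringYourOwnBuilder.dll)
                dll = os.path.join(app_root, "bin", assembly + ".dll")
                finding["builder_dll"] = dll
                finding["builder_present"] = os.path.isfile(dll)
            findings.append(finding)
    return findings
```

Pass the application root as app_root to also learn whether the referenced builder DLL is actually present under bin\.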

[image: aspnet11]

On the Defensive

Fortunately, detecting this activity is quite simple. Since aspnet_compiler.exe is rarely executed, Sysmon rules can be configured to generate events on process creation and on network connections made by the process.

<Sysmon schemaversion="4.22">
	<EventFiltering>
		<RuleGroup name="" groupRelation="or">
			<ProcessCreate onmatch="include">
				<Image condition="image">aspnet_compiler.exe</Image>
			</ProcessCreate>
		</RuleGroup>
		<RuleGroup name="" groupRelation="or">
			<NetworkConnect onmatch="include">
				<Image condition="image">aspnet_compiler.exe</Image>
			</NetworkConnect>
		</RuleGroup>
	</EventFiltering>
</Sysmon>

[image: aspnet13]

[image: aspnet14]
