COMPLUS_GCName, that points to a malicious DLL which represents a custom Garbage Collector. COMPLUS_GCName is not sanitized when a custom GC is loaded; directory traversal allows any unprivileged user to specify a custom GC to be loaded from an arbitrary location to which they can drop their DLL.

The custom GC DLL must export a GC_VersionInfo method for this technique to work - this is the method that will contain our payload, which will be executed once a .NET program starts and loads our custom GC DLL.

GC_VersionInfo, which in our case executes a simple message box:

Set the COMPLUS_GCName environment variable in our cmd.exe shell and point it to the compiled DLL:
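From the defender's side, the two facts above (the GC is selected by an environment variable, and the value is not sanitized against directory traversal) are enough to write a simple audit check. The following Python script is an added example, not code from the original page: it scans a process or host environment for the GC-selecting variable and flags values that contain traversal, are absolute or UNC paths, or resolve outside the runtime directory. The runtime directory, the DOTNET_GCName spelling (the newer alias accepted by .NET Core 3.0+) and the sample environment are all assumptions constructed for the example.

```python
import ntpath

# Environment variables the .NET runtime reads to pick a custom GC DLL.
# COMPLUS_GCName is the one described on this page; DOTNET_GCName is the
# newer spelling accepted by .NET Core 3.0+ (included here as an assumption).
# Windows environment variable names are case-insensitive, so compare lowered.
GC_NAME_VARS = ("complus_gcname", "dotnet_gcname")

# Assumed runtime directory against which a relative GC name is resolved.
# Replace with the real shared-framework path of the host being audited.
RUNTIME_DIR = r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.0"

# Constructed sample environment (not captured from a real host).
SAMPLE_ENV = {
    "PATH": r"C:\Windows\system32;C:\Windows",
    "USERNAME": "lowpriv",
    "COMPLUS_GCName": r"..\..\..\..\..\Users\Public\evilgc.dll",
    "DOTNET_GCName": "clrgc.dll",
}


def classify_gc_name(value, runtime_dir=RUNTIME_DIR):
    """Return the reasons a GC name looks suspicious; an empty list means it
    resolves to a file inside the runtime directory with no traversal."""
    reasons = []
    if not value:
        return reasons
    # Normalise separators so "../" and "..\" are treated alike.
    path = value.replace("/", "\\")
    if ".." in path.split("\\"):
        reasons.append("contains '..' path traversal")
    if ntpath.isabs(path) or ntpath.splitdrive(path)[0]:
        reasons.append("absolute, drive-qualified or UNC path")
    # Resolve the value the way a loader would (relative to the runtime dir)
    # and check whether the final location is still inside that directory.
    base = ntpath.normpath(runtime_dir).lower()
    resolved = ntpath.normpath(ntpath.join(runtime_dir, path)).lower()
    try:
        inside = ntpath.commonpath([base, resolved]) == base
    except ValueError:  # different drive or UNC share: cannot be inside
        inside = False
    if not inside:
        reasons.append("resolves outside the runtime directory: " + resolved)
    return reasons


def scan_environment(env, runtime_dir=RUNTIME_DIR):
    """Map each GC-selecting variable present in env to its list of reasons,
    keeping only the entries that were flagged."""
    findings = {}
    for name, value in env.items():
        if name.lower() in GC_NAME_VARS:
            reasons = classify_gc_name(value, runtime_dir)
            if reasons:
                findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_environment(SAMPLE_ENV).items():
        print(name, "->", "; ".join(reasons))
```

In practice the same check belongs in an EDR rule or a scheduled audit that reads the environment block of newly started .NET processes; any GC name that is not a bare file name resolving into the shared framework directory is worth an alert, since a legitimate standalone GC ships alongside the runtime rather than in a user-writable location.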