If you want to investigate a CLR security patch, you can of course set up a VM
where you don't install the patch, or you can simply not install the patch until
after the investigation is done. I've done both in the past, but when I was
reverse engineering MS10-060 I decided to try something different.
One of the advantages (and disadvantages) of the .NET Framework over Java or Mono
is that it "integrates" with the OS. This means that you can't simply install
two different versions of .NET 2.0 (for example) on your machine, but you can
install .NET 1.1, .NET 2.0 and .NET 4.0 side-by-side. So I assumed that it
should also be possible to have multiple versions of .NET 2.0 "installed" on
your system. To test this I created a Hello World app with the following app.config:
<?xml version="1.0" encoding="utf-8" ?>
Then I fired up Process Monitor and started looking at what happened if I tried
to run the Hello World app.
It turns out that this is enough to make mscoree.dll look in the
%windir%\Microsoft.NET\Framework\v2.0.66666 directory for the runtime version
to use. When that fails, it shows a message box asking if you want to install
the .NET Framework v2.0.66666.
The obvious next step is to xcopy /s the contents of the v2.0.50727 directory into
the v2.0.66666 directory. Now the Hello World app runs using mscorwks.dll and
mscorjit.dll from the v2.0.66666 directory, so the contents of the v2.0.66666
directory can be replaced with the unpatched versions.
For the MS11-039 patch, I also wanted the unpatched System.dll, and at this point it
was still being loaded from the GAC. Back to Process Monitor, which showed that the
CLR was looking for a file named fusion.localgac in the v2.0.66666
directory, so that looked promising. After creating this file (content doesn't
matter), I started getting assembly load failures, and after copying the
unpatched framework assemblies into the application directory the app ran.
Now I could comfortably develop and test the PoC on my main system without being
vulnerable (if someone knew that I had this unpatched version
installed, they could try to attack me specifically, but that would fail, as I've disabled running .NET code in the browser because
Microsoft takes too long to patch publicly known vulnerabilities).
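The steps above (the app.config that points at a fake runtime version, the cloned v2.0.66666 directory, the fusion.localgac marker and the assemblies copied next to the application) collected into one script, as an added example that is not part of the original post. It assumes that the app.config uses the <supportedRuntime> element to select the runtime version (the post only shows the XML declaration), and the paths C:\research\HelloWorld and C:\research\unpatched are placeholders for the application directory and for the pre-patch binaries you already have; the final file-version comparison is a sanity check that the production v2.0.50727 directory was left untouched.

```powershell
# Added example, not the post's own code: build the side-by-side "unpatched CLR"
# research layout on a test machine. Paths below are assumptions.
$ErrorActionPreference = 'Stop'

$Version      = 'v2.0.66666'                                            # fake runtime version from the post
$PatchedDir   = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727'
$ResearchDir  = Join-Path $env:windir "Microsoft.NET\Framework\$Version"
$AppDir       = 'C:\research\HelloWorld'                                 # assumed: directory holding HelloWorld.exe
$UnpatchedDir = 'C:\research\unpatched'                                  # assumed: pre-patch mscorwks.dll, mscorjit.dll, System.dll

# 1. app.config that makes mscoree.dll look for the fake runtime version.
#    Assumption: <supportedRuntime> is the element the post's config used.
@"
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="$Version" />
  </startup>
</configuration>
"@ | Set-Content -Path (Join-Path $AppDir 'HelloWorld.exe.config') -Encoding UTF8

# 2. Clone the real runtime directory (the post's xcopy /s), then overwrite the
#    CLR binaries in the clone with the unpatched copies. The production
#    v2.0.50727 directory is never written to.
if (-not (Test-Path $ResearchDir)) {
    Copy-Item -Path $PatchedDir -Destination $ResearchDir -Recurse
}
foreach ($f in 'mscorwks.dll', 'mscorjit.dll') {
    Copy-Item -Path (Join-Path $UnpatchedDir $f) -Destination $ResearchDir -Force
}

# 3. fusion.localgac: its presence (content irrelevant) stops the CLR from
#    resolving framework assemblies from the GAC, so the ones the app needs
#    (System.dll here; add any others it references) must sit next to the exe.
New-Item -Path (Join-Path $ResearchDir 'fusion.localgac') -ItemType File -Force | Out-Null
Copy-Item -Path (Join-Path $UnpatchedDir 'System.dll') -Destination $AppDir -Force

# 4. Sanity check: the research clone should carry the older build and the
#    production directory the newer one.
$prod = (Get-Item (Join-Path $PatchedDir  'mscorwks.dll')).VersionInfo.FileVersion
$lab  = (Get-Item (Join-Path $ResearchDir 'mscorwks.dll')).VersionInfo.FileVersion
"production mscorwks.dll : $prod"
"research   mscorwks.dll : $lab"
if ($prod -eq $lab) {
    Write-Warning 'research runtime has the same build as production; the unpatched copy step did not take effect'
}
```

Run it from an elevated prompt, since %windir%\Microsoft.NET\Framework is not writable otherwise; afterwards, Process Monitor should show HelloWorld.exe loading mscorwks.dll from the v2.0.66666 directory and System.dll from the application directory, while any other .NET 2.0 application on the machine keeps using v2.0.50727.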