This exploit was demonstrated in the talk "(DE)SERIAL KILLERS" in BSides Las Vegas 2018. It demonstrates exploitation in .NET 3.5 against demo code provided by Microsoft for BinaryMessageFormatter, at https://msdn.microsoft.com/en-us/library/system.messaging.binarymessageformatter(v=vs.110).aspx and the LargeMessageQueue demo app by Microsoft at h…

Dor-Tumarkin/MSMQ-BinaryMessageFormatter-Exploit-for-.NET-3.5

MSMQ-BinaryMessageFormatter-Exploit for .NET 3.5, Transactional MSMQ

This exploit was demonstrated in the talk "(DE)SERIAL KILLERS" at BSides Las Vegas 2018 by myself, as part of AppSec Research at Checkmarx.

It demonstrates exploitation against:

  • Microsoft's MSDN demo code for BinaryMessageFormatter: https://msdn.microsoft.com/en-us/library/system.messaging.binarymessageformatter(v=vs.110).aspx
  • Microsoft's LargeMessageQueue demo app: https://github.com/Microsoft/Windows-classic-samples/tree/master/Samples/Win7Samples/netds/messagequeuing/LargeMessageQueue/CS

BSidesLV18 talk is available here: https://www.youtube.com/watch?v=6d33AY3qASg

Credit to James Forshaw for the ActivitySurrogateSelector gadget which was slightly modified and used to exploit this vulnerability under .NET 3.5 (https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html)

What is BinaryMessageFormatter?

MSMQ is a message queuing system developed by Microsoft and shipped as an optional Windows feature on many modern Windows systems. Like Java's JMS, this message queue allows serializing objects into messages, publishing them to MSMQ, and having them deserialized by a recipient. This allows fast, easy and managed distribution of .NET objects across multiple applications.

It uses two formatters - XmlMessageFormatter, which is a strictly-typed deserializer that requires the allowed classes to be declared before it is able to deserialize objects from messages, and BinaryMessageFormatter, which is a completely naive deserializer that accepts practically any object without any introspection. Under the hood, BinaryMessageFormatter uses BinaryFormatter, which is known to be vulnerable to deserialization attacks using multiple known gadget chains.

This exploit demonstrates how code for reading messages with BinaryMessageFormatter, lifted directly from MSDN (https://msdn.microsoft.com/en-us/library/system.messaging.binarymessageformatter(v=vs.110).aspx), is vulnerable to RCE.

What Does This POC Do?

All this POC does is generate a malicious message using BinaryMessageFormatter and send it to a local, private and transactional MSMQ queue. Once there, the program waits for a keypress, at which point it uses ReceiveMessage(), as lifted directly from MSDN, to read the body of the message and attempt to cast it to a Bitmap; however, at that point it is too late, and calc.exe will execute.

Deserialization occurs as soon as Message.Body is accessed, or when BinaryMessageFormatter.Read() is invoked on the malicious message. The program is expected to throw an exception once the cast fails, though again - this is too late, and calc.exe will already have executed.
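As an added illustration (not code from this repository, from MSDN, or from the LargeMessageQueue sample), the vulnerable receive pattern described above is shown next to a hardened variant that uses XmlMessageFormatter with an explicit TargetTypes list. The queue path and the ImageMessage DTO are assumptions made for the example.

```csharp
using System;
using System.Drawing;
using System.IO;
using System.Messaging;

// Plain DTO for the hardened path: a class with a parameterless constructor that
// XmlMessageFormatter can (de)serialize. Bitmap itself is not XML-serializable,
// so the image is carried as bytes and rebuilt on the receiving side. (Assumed type.)
public class ImageMessage
{
    public string Name { get; set; }
    public byte[] PngBytes { get; set; }
}

public static class Receivers
{
    // Assumed queue path; the README's demo uses a local, private, transactional queue.
    private const string QueuePath = @".\Private$\DemoQueue";

    // VULNERABLE: BinaryMessageFormatter hands the raw body to BinaryFormatter.
    // Any gadget chain in the message runs inside the msg.Body getter, so the
    // cast to Bitmap below is evaluated only after the payload has already executed.
    public static Bitmap ReceiveMessageUnsafe()
    {
        var queue = new MessageQueue(QueuePath) { Formatter = new BinaryMessageFormatter() };
        Message msg = queue.Receive(MessageQueueTransactionType.Single);
        return (Bitmap)msg.Body; // too late: deserialization happened on the line above
    }

    // HARDENED: XmlMessageFormatter only instantiates the types listed in TargetTypes,
    // so whoever can write to the queue cannot choose which classes get constructed.
    public static Bitmap ReceiveMessageSafe()
    {
        var queue = new MessageQueue(QueuePath)
        {
            Formatter = new XmlMessageFormatter(new[] { typeof(ImageMessage) })
        };
        Message msg = queue.Receive(TimeSpan.FromSeconds(5), MessageQueueTransactionType.Single);
        var dto = (ImageMessage)msg.Body; // only ImageMessage can come out of this getter

        // Bitmap(Stream) requires the stream to stay alive, so copy the image
        // before the MemoryStream is disposed.
        using (var ms = new MemoryStream(dto.PngBytes))
        using (var tmp = new Bitmap(ms))
        {
            return new Bitmap(tmp);
        }
    }
}
```

A message whose body is not an ImageMessage fails inside XmlMessageFormatter with an InvalidOperationException instead of being instantiated, which is the behaviour to rely on in the receiver.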

This exploit targets .NET 3.5 using the ActivitySurrogateSelector gadget, taken from ysoserial.net (https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Generators/ActivitySurrogateSelectorGenerator.cs). This gadget was created by James Forshaw.

Requirements:

  • Visual Studio (tested on VS2017)
  • MSMQ Server (installed via Windows Features)

To Install:

First - you must create a local MSMQ server. This feature is available to enable on any modern Windows system.

  • Go to Windows Features
  • Under "Microsoft Message Queue (MSMQ) Server" select "Microsoft Message Queue (MSMQ) Server Core" (other features are not required) and install the feature

To Attack Transactional MSMQ:

  • Open "MSMQ BinaryMessageFormatter .NET 3.5 Exploit.sln" in Visual Studio
  • Run project
  • Press any key to receive malicious message

To Attack LargeMessageQueue:

  1. Download the LargeMessageQueue sample application from Microsoft's GitHub: https://github.com/Microsoft/Windows-classic-samples/tree/master/Samples/Win7Samples/netds/messagequeuing/LargeMessageQueue/CS. To get it building on Visual Studio 2017:
    • Open .sln file and perform upgrade
    • Remove reference in TestLargeMessageQueue to LargeMessageQueue (as it is broken)
    • Add a fresh reference in TestLargeMessageQueue to LargeMessageQueue, via Add Reference, Projects, LargeMessageQueue
    • Set TestLargeMessageQueue as StartUp Project
  2. Run TestLargeMessageQueue
  3. Run exploit to send message (do not press anything at prompt, as this will receive the message and empty the queue)
  4. Click "Complete Receive" in TestLargeMessageQueue's GUI

Note that this exploit will not work without a transactional MSMQ; using a non-transactional MSMQ or attempting to submit a message without a transaction to a transactional MSMQ will simply not work.
