
update

zcgonvh committed Mar 8, 2020
1 parent 385ed1e commit 25b0d42c808a4c63d75ee98716cad4704e370718
Showing with 1,422 additions and 625 deletions.
  1. +109 −124 README.md
  2. +1 −1 ysoserial.sln
  3. +2 −2 ysoserial/Generators/ActivitySurrogateDisableTypeCheck.cs
  4. +13 −4 ysoserial/Generators/ActivitySurrogateSelectorFromFileGenerator.cs
  5. +134 −81 ysoserial/Generators/ActivitySurrogateSelectorGenerator.cs
  6. +128 −0 ysoserial/Generators/AxHostStateGenerator.cs
  7. +47 −56 ysoserial/Generators/DataSetGenerator.cs
  8. +8 −2 ysoserial/Generators/Generator.cs
  9. +73 −8 ysoserial/Generators/GenericGenerator.cs
  10. +96 −63 ysoserial/Generators/ObjectDataProviderGenerator.cs
  11. +2 −2 ysoserial/Generators/PSObjectGenerator.cs
  12. +72 −0 ysoserial/Generators/ResourceSetGenerator.cs
  13. +10 −13 ysoserial/Generators/SessionSecurityTokenGenerator.cs
  14. +9 −17 ysoserial/Generators/SessionViewStateHistoryItemGenerator.cs
  15. +121 −5 ysoserial/Generators/TextFormattingRunPropertiesGenerator.cs
  16. +2 −8 ysoserial/Generators/TypeConfuseDelegateGenerator.cs
  17. +4 −5 ysoserial/Generators/TypeConfuseDelegateMonoGenerator.cs
  18. +159 −26 ysoserial/Generators/WindowsClaimsIdentityGenerator.cs
  19. +23 −28 ysoserial/Generators/WindowsIdentityGenerator.cs
  20. +19 −0 ysoserial/Helpers/Debugging.cs
  21. +1 −7 ysoserial/Helpers/FormatterType.cs
  22. +74 −17 ysoserial/Helpers/InputArgs.cs
  23. +90 −11 ysoserial/Helpers/SerializersHelper.cs
  24. +1 −1 ysoserial/Helpers/XMLMinifier.cs
  25. +6 −3 ysoserial/Plugins/AltserializationPlugin.cs
  26. +5 −2 ysoserial/Plugins/ApplicationTrustPlugin.cs
  27. +10 −52 ysoserial/Plugins/ClipboardPlugin.cs
  28. +1 −1 ysoserial/Plugins/DotNetNukePlugin.cs
  29. +15 −7 ysoserial/Plugins/ResxPlugin.cs
  30. +10 −9 ysoserial/Plugins/SessionSecurityTokenHandlerPlugin.cs
  31. +79 −26 ysoserial/Plugins/SharePointPlugin.cs
  32. +4 −4 ysoserial/Plugins/TransactionManagerReenlist.cs
  33. +1 −1 ysoserial/Plugins/ViewStatePlugin.cs
  34. +90 −39 ysoserial/Program.cs
  35. +3 −0 ysoserial/ysoserial.csproj
233 README.md
@@ -26,72 +26,49 @@ This software is a personal project and not related with any companies, includin
$ ./ysoserial -h
ysoserial.net generates deserialization payloads for a variety of .NET formatters.
Available gadgets:
ActivitySurrogateDisableTypeCheck (Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored.)
Formatters:
BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
ActivitySurrogateSelector (This gadget ignores the command parameter and executes the constructor of ExploitClass class.)
Formatters:
BinaryFormatter, LosFormatter, ObjectStateFormatter, SoapFormatter
ActivitySurrogateSelectorFromFile (Another variant of the ActivitySurrogateSelector gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'.)
Formatters:
BinaryFormatter, LosFormatter, ObjectStateFormatter, SoapFormatter
DataSet (DataSet gadget)
Formatters:
BinaryFormatter, LosFormatter, ObjectStateFormatter, SoapFormatter
ObjectDataProvider (ObjectDataProvider gadget)
Formatters:
DataContractSerializer, DataContractSerializer2, FastJson, FsPickler, JavaScriptSerializer, Json.Net, Xaml, Xaml2, XmlSerializer, YamlDotNet < 5.0.0
PSObject (PSObject gadget. Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017))
Formatters:
BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
SessionSecurityToken (SessionSecurityToken gadget)
Formatters:
BinaryFormatter, DataContractSerializer, Json.Net, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
SessionViewStateHistoryItem (SessionViewStateHistoryItem gadget)
Formatters:
BinaryFormatter, DataContractSerializer, Json.Net, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
TextFormattingRunProperties (TextFormattingRunProperties gadget)
Formatters:
BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
TypeConfuseDelegate (TypeConfuseDelegate gadget)
Formatters:
BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFormatter
TypeConfuseDelegateMono (TypeConfuseDelegate gadget - Tweaked to work with Mono)
Formatters:
BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFormatter
WindowsClaimsIdentity (WindowsClaimsIdentity gadget (requires Microsoft.IdentityModel.Claims namespace))
Formatters:
BinaryFormatter, DataContractSerializer, Json.Net, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
WindowsIdentity (WindowsIdentity gadget)
Formatters:
BinaryFormatter, DataContractSerializer, Json.Net, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
Available plugins:
ActivatorUrl (Sends a generated payload to an activated, presumably remote, object)
Altserialization (Generates payload for HttpStaticObjectsCollection or SessionStateItemCollection)
ApplicationTrust (Generates XML payload for the ApplicationTrust class)
Clipboard (Generates payload for DataObject and copy it into the clipboard - ready to be pasted in affected apps)
DotNetNuke (Generates payload for DotNetNuke CVE-2017-9822)
Resx (Generates RESX files)
SessionSecurityTokenHandler (Generates XML payload for the SessionSecurityTokenHandler class)
SharePoint (Generates poayloads for the following SharePoint CVEs: CVE-2019-0604, CVE-2018-8421)
TransactionManagerReenlist (Generates payload for the TransactionManager.Reenlist method)
ViewState (Generates a ViewState using known MachineKey parameters)
== GADGETS ==
(*) ActivitySurrogateDisableTypeCheck [Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored]
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , ObjectStateFormatter , SoapFormatter
(*) ActivitySurrogateSelector [This gadget ignores the command parameter and executes the constructor of ExploitClass class]
Formatters: BinaryFormatter , LosFormatter , ObjectStateFormatter , SoapFormatter
(*) ActivitySurrogateSelectorFromFile [Another variant of the ActivitySurrogateSelector gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll']
Formatters: BinaryFormatter , LosFormatter , ObjectStateFormatter , SoapFormatter
(*) AxHostState
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , ObjectStateFormatter , SoapFormatter
(*) DataSet
Formatters: BinaryFormatter , LosFormatter , ObjectStateFormatter , SoapFormatter
(*) ObjectDataProvider (supports extra options: use the '--fullhelp' argument to view)
Formatters: DataContractSerializer (2) , FastJson , FsPickler , JavaScriptSerializer , Json.Net , Xaml (3) , XmlSerializer , YamlDotNet < 5.0.0
(*) PSObject [Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017)]
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , ObjectStateFormatter , SoapFormatter
(*) ResourceSet [WARNING: your command will be executed at least once during payload generation]
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , ObjectStateFormatter
(*) SessionSecurityToken
Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , ObjectStateFormatter , SoapFormatter
(*) SessionViewStateHistoryItem
Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , ObjectStateFormatter , SoapFormatter
(*) TextFormattingRunProperties [This normally generates the shortest payload] (supports extra options: use the '--fullhelp' argument to view)
Formatters: BinaryFormatter , DataContractSerializer , LosFormatter , NetDataContractSerializer , ObjectStateFormatter , SoapFormatter
(*) TypeConfuseDelegate
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , ObjectStateFormatter
(*) TypeConfuseDelegateMono [Tweaked TypeConfuseDelegate gadget to work with Mono]
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , ObjectStateFormatter
(*) WindowsClaimsIdentity [Requires Microsoft.IdentityModel.Claims namespace (not default GAC)] (supports extra options: use the '--fullhelp' argument to view)
Formatters: BinaryFormatter (3) , DataContractSerializer (2) , Json.Net (2) , LosFormatter (3) , NetDataContractSerializer (3) , ObjectStateFormatter (3) , SoapFormatter (2)
(*) WindowsIdentity
Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , ObjectStateFormatter , SoapFormatter
== PLUGINS ==
(*) ActivatorUrl (Sends a generated payload to an activated, presumably remote, object)
(*) Altserialization (Generates payload for HttpStaticObjectsCollection or SessionStateItemCollection)
(*) ApplicationTrust (Generates XML payload for the ApplicationTrust class)
(*) Clipboard (Generates payload for DataObject and copy it into the clipboard - ready to be pasted in affected apps)
(*) DotNetNuke (Generates payload for DotNetNuke CVE-2017-9822)
(*) Resx (Generates RESX files)
(*) SessionSecurityTokenHandler (Generates XML payload for the SessionSecurityTokenHandler class)
(*) SharePoint (Generates poayloads for the following SharePoint CVEs: CVE-2019-0604, CVE-2018-8421)
(*) TransactionManagerReenlist (Generates payload for the TransactionManager.Reenlist method)
(*) ViewState (Generates a ViewState using known MachineKey parameters)
Usage: ysoserial.exe [options]
Options:
@@ -100,23 +77,26 @@ Options:
-g, --gadget=VALUE The gadget chain.
-f, --formatter=VALUE The formatter.
-c, --command=VALUE The command to be executed.
--rawcmd Command will be executed as is without `cmd /c `
being appended (anything after first space is an
--rawcmd Command will be executed as is without `cmd /c `
being appended (anything after first space is an
argument).
-s, --stdin The command to be executed will be read from
-s, --stdin The command to be executed will be read from
standard input.
-t, --test Whether to run payload locally. Default: false
--minify Whether to minify the payloads where applicable
(experimental). Default: false
--ust, --usesimpletype This is to remove additional info only when
minifying and FormatterAssemblyStyle=Simple.
--minify Whether to minify the payloads where applicable.
Default: false
--ust, --usesimpletype This is to remove additional info only when
minifying and FormatterAssemblyStyle=Simple.
Default: true
--sf, --searchformatter=VALUE
Search in all formatters to show relevant
gadgets and their formatters (other parameters
Search in all formatters to show relevant
gadgets and their formatters (other parameters
will be ignored).
--debugmode Enable debugging to show exception errors
-h, --help Shows this message and exit.
--credit Shows the credit/history of gadgets and plugins
--fullhelp Shows this message + extra options for gadgets
and plugins and exit.
--credit Shows the credit/history of gadgets and plugins
(other parameters will be ignored).
```

@@ -213,55 +193,59 @@ $ ./ysoserial.exe --credit
ysoserial.net has been developed by Alvaro Muñoz (@pwntester)
Credits for available formatters:
ActivitySurrogateDisableTypeCheck
[Finders: Nick Landers]
ActivitySurrogateSelector
[Finders: James Forshaw]
ActivitySurrogateSelectorFromFile
[Finders: James Forshaw]
DataSet
[Finders: James Forshaw] [Contributors: Soroush Dalili]
ObjectDataProvider
[Finders: Oleksandr Mirosh and Alvaro Munoz]
PSObject
[Finders: Oleksandr Mirosh and Alvaro Munoz]
SessionSecurityToken
[Finders: Soroush Dalili, @mufinnnnnnn]
SessionViewStateHistoryItem
[Finders: Soroush Dalili]
TextFormattingRunProperties
[Finders: Oleksandr Mirosh and Alvaro Munoz]
TypeConfuseDelegate
[Finders: James Forshaw]
TypeConfuseDelegateMono
[Finders: James Forshaw]
WindowsClaimsIdentity
[Finders: Soroush Dalili]
WindowsIdentity
[Finders: Levi Broderick] [Contributors: Levi Broderick, Soroush Dalili]
Credits for available gadgets:
ActivitySurrogateDisableTypeCheck
[Finders: Nick Landers]
ActivitySurrogateSelector
[Finders: James Forshaw]
ActivitySurrogateSelectorFromFile
[Finders: James Forshaw]
AxHostState
[Finders: Soroush Dalili]
DataSet
[Finders: James Forshaw] [Contributors: Soroush Dalili]
ObjectDataProvider
[Finders: Oleksandr Mirosh and Alvaro Munoz] [Contributors: Oleksandr Mirosh, Alvaro Munoz, Soroush Dalili]
PSObject
[Finders: Oleksandr Mirosh and Alvaro Munoz]
ResourceSet
[Finders: Soroush Dalili]
SessionSecurityToken
[Finders: Soroush Dalili, @mufinnnnnnn]
SessionViewStateHistoryItem
[Finders: Soroush Dalili]
TextFormattingRunProperties
[Finders: Oleksandr Mirosh and Alvaro Munoz] [Contributors: Oleksandr Mirosh, Alvaro Munoz, Soroush Dalili]
TypeConfuseDelegate
[Finders: James Forshaw]
TypeConfuseDelegateMono
[Finders: James Forshaw]
WindowsClaimsIdentity
[Finders: Soroush Dalili]
WindowsIdentity
[Finders: Levi Broderick] [Contributors: Levi Broderick, Soroush Dalili]
Credits for available plugins:
ActivatorUrl
Harrison Neal
Altserialization
Soroush Dalili
ApplicationTrust
Soroush Dalili
Clipboard
Soroush Dalili
DotNetNuke
discovered by Oleksandr Mirosh and Alvaro Munoz, implemented by Alvaro Munoz, tested by @GlitchWitch
Resx
Soroush Dalili
SessionSecurityTokenHandler
Soroush Dalili
SharePoint
CVE-2019-0604: Markus Wulftange, CVE-2018-8421: Soroush Dalili, implemented by Soroush Dalili
TransactionManagerReenlist
Soroush Dalili
ViewState
Soroush Dalili
ActivatorUrl
Harrison Neal
Altserialization
Soroush Dalili
ApplicationTrust
Soroush Dalili
Clipboard
Soroush Dalili
DotNetNuke
discovered by Oleksandr Mirosh and Alvaro Munoz, implemented by Alvaro Munoz, tested by @GlitchWitch
Resx
Soroush Dalili
SessionSecurityTokenHandler
Soroush Dalili
SharePoint
CVE-2019-0604: Markus Wulftange, CVE-2018-8421: Soroush Dalili, implemented by Soroush Dalili
TransactionManagerReenlist
Soroush Dalili
ViewState
Soroush Dalili
Various other people have also donated their time and contributed to this project.
Please see https://github.com/pwntester/ysoserial.net/graphs/contributors to find those who have helped developing more features or have fixed bugs.
@@ -272,7 +256,8 @@ Please see https://github.com/pwntester/ysoserial.net/graphs/contributors to fin
- [Friday the 13th: JSON Attacks - Slides](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
- [Friday the 13th: JSON Attacks - Whitepaper](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)
- [Friday the 13th: JSON Attacks - Video(demos)](https://www.youtube.com/watch?v=ZBfBYoK_Wr0)
- [Are you my Type?](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_Slides.pdf)
- [Are you my Type? - Slides](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_Slides.pdf)
- [Are you my Type? - Whitepaper](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf)
- [Exploiting .NET Managed DCOM](https://googleprojectzero.blogspot.com.es/2017/04/exploiting-net-managed-dcom.html)
- [Finding and Exploiting .NET Remoting over HTTP using Deserialisation](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/)

@@ -26,6 +26,6 @@ Global
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {1B6D325D-180A-4B70-8A4E-BA521A8FCC4A}
SolutionGuid = {9F1672F3-4451-4E9C-87D3-54B0C5F2CF8A}
EndGlobalSection
EndGlobal
@@ -10,9 +10,9 @@ public override string Name()
return "ActivitySurrogateDisableTypeCheck";
}

public override string Description()
public override string AdditionalInfo()
{
return "Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored.";
return "Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored";
}

public override string Finders()
@@ -36,9 +36,9 @@ public PayloadClassFromFile(string file)
}
class ActivitySurrogateSelectorFromFileGenerator : ActivitySurrogateSelectorGenerator
{
public override string Description()
public override string AdditionalInfo()
{
return "Another variant of the ActivitySurrogateSelector gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'.";
return "Another variant of the ActivitySurrogateSelector gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'";
}

public override string Name()
@@ -48,8 +48,17 @@ public override string Name()

public override object Generate(string formatter, InputArgs inputArgs)
{
PayloadClassFromFile payload = new PayloadClassFromFile(inputArgs.CmdRawNoEncoding);
return Serialize(payload, formatter, inputArgs);
try
{
PayloadClassFromFile payload = new PayloadClassFromFile(inputArgs.Cmd);
return Serialize(payload, formatter, inputArgs);
}
catch(System.IO.FileNotFoundException e1)
{
Console.WriteLine("Error in provided file(s): \r\n" + e1.Message);
return "";
}

}
}
}
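Review bot: The new catch block in Generate reports the missing file with Console.WriteLine and then returns an empty string, so any caller that writes the payload to stdout or a file gets diagnostic text on the payload stream followed by an empty payload; writing the message with `Console.Error.WriteLine("Error in provided file(s): \r\n" + e1.Message);` keeps stdout clean for the serialized output, and returning null (or rethrowing) would make the failure distinguishable from a legitimately empty result. The first line inside the try also switches from inputArgs.CmdRawNoEncoding to inputArgs.Cmd; if Cmd applies the `cmd /c` prefix that the README's --rawcmd option describes, the value handed to PayloadClassFromFile would no longer be a plain path unless --rawcmd is given, so this is worth confirming against InputArgs.cs, which this commit also changes. Only FileNotFoundException is caught, so a DirectoryNotFoundException or a compile failure of the supplied .cs file still surfaces as an unhandled exception; if that is intended it deserves a short comment, otherwise the same handling should cover those paths. The catch keyword is also missing the space before its parenthesis that the rest of the file uses.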
