
.NET Deserialization Library Improvements #13257

Merged (26 commits), Apr 27, 2020

Conversation

zeroSteiner (Contributor) opened the pull request:

This adds two new chains (TypeConfuseDelegate, WindowsIdentity) and a new formatter (SoapFormatter) to the Msf::Util::DotNetDeserialization library and updates the applicable modules to use them. The entire implementation is based on the MS-NRBF spec as implemented using bindata.

All three gadget chains were adapted from the YSoSerial.NET project. Credit for each chain is in the comments of their respective modules. Each chain was parsed using the bindata records and then recreated in Ruby using the new library. This process was roughly equivalent to the following, and can be used to add additional chains in the future. Missing record values will raise an exception indicating that they must be implemented.

# Run inside msfconsole or a script that has loaded the framework; serialized_data
# is the raw MS-NRBF byte string to inspect (for example, YSoSerial.NET output).
require 'pp'
stream = Msf::Util::DotNetDeserialization::Types::SerializedStream.new
stream.read(serialized_data)
stream.pretty_print(PP)


The #generate_gadget_chain method (which is not currently used by any modules) was updated to return a SerializedStream object. This change was necessary to allow the formatters to determine both the type of chain (gadget chains are SerializedStream subclasses) and inspect the contents for applicable conversion. Both #generate and #generate_formatted still return the serialized data in a string.

I have a WIP wiki page for module authors on how to use this new library.

Testing

  • The new unit tests should pass without any errors, issues or exceptions (dot_net_deserialization_spec.rb)
  • Use exploit/windows/http/ssrs_navcorrector_viewstate for testing. This module is a great use-case because all three chains work with it (still have to use the LosFormatter).
    • You can manually adjust the gadget_chain parameter since it's not exposed as a datastore option. It doesn't really make sense for this to be user controllable, but it works quite well as a test case. The LosFormatter relies on the BinaryFormatter allowing both to be tested at once.
    • Test exploit with TextFormattingRunProperties
    • Test exploit with WindowsIdentity (this gadget relies on the TypeConfuseDelegate allowing them to be tested simultaneously)
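
The record-walking procedure described in the pull request (read a serialized stream record by record, then regenerate it) as an added example that is not code from the PR or from the Metasploit library. It is a minimal MS-NRBF reader and writer in plain Ruby without bindata, covering only four record types (SerializationHeaderRecord, BinaryLibrary, BinaryObjectString, MessageEnd) and the LengthPrefixedString encoding they share. The module name MiniNrbf, its method names and the sample stream are constructed for illustration; like the library the PR describes, it raises on a record type it has not implemented rather than guessing at the bytes.

```ruby
require 'stringio'

# Constructed illustration (not Metasploit code): a minimal MS-NRBF record walker
# and writer in plain Ruby, without bindata. Only four record types are handled.
module MiniNrbf
  RECORD_TYPES = {
    0x00 => :SerializationHeaderRecord, # MS-NRBF 2.6.1
    0x06 => :BinaryObjectString,        # MS-NRBF 2.5.7
    0x0B => :MessageEnd,                # MS-NRBF 2.6.3
    0x0C => :BinaryLibrary              # MS-NRBF 2.6.2
  }.freeze

  # LengthPrefixedString (MS-NRBF 2.1.1.6): 7-bit variable-length byte count
  # (1 to 5 bytes, high bit set on every byte but the last), then UTF-8 bytes.
  def self.read_lp_string(io)
    length = 0
    shift = 0
    loop do
      byte = io.readbyte
      length |= (byte & 0x7f) << shift
      break if (byte & 0x80).zero?
      shift += 7
      raise 'length prefix longer than the 5 bytes the spec allows' if shift > 28
    end
    io.read(length).force_encoding('UTF-8')
  end

  def self.write_lp_string(str)
    bytes = str.encode('UTF-8').b
    length = bytes.bytesize
    prefix = ''.b
    loop do
      chunk = length & 0x7f
      length >>= 7
      prefix << (length.zero? ? chunk : chunk | 0x80)
      break if length.zero?
    end
    prefix + bytes
  end

  def self.read_int32(io)
    io.read(4).unpack1('l<')
  end

  # Walk the records in order and stop at MessageEnd. A record type this walker
  # does not implement raises, so an unfamiliar stream fails loudly instead of
  # being misread.
  def self.parse(data)
    io = StringIO.new(data.b)
    records = []
    until io.eof?
      type_byte = io.readbyte
      type = RECORD_TYPES.fetch(type_byte) do
        raise "unsupported record type 0x#{type_byte.to_s(16)}: implement it before parsing this stream"
      end
      record = { type: type }
      case type
      when :SerializationHeaderRecord
        record[:root_id], record[:header_id], record[:major_version], record[:minor_version] = io.read(16).unpack('l<4')
      when :BinaryLibrary
        record[:library_id] = read_int32(io)
        record[:library_name] = read_lp_string(io)
      when :BinaryObjectString
        record[:object_id] = read_int32(io)
        record[:value] = read_lp_string(io)
      end
      records << record
      break if type == :MessageEnd
    end
    records
  end

  # Regenerate bytes from parsed records; a parsed stream round-trips byte for byte.
  def self.generate(records)
    records.each_with_object(''.b) do |r, out|
      case r[:type]
      when :SerializationHeaderRecord
        out << [0x00, r[:root_id], r[:header_id], r[:major_version], r[:minor_version]].pack('Cl<4')
      when :BinaryLibrary
        out << [0x0C, r[:library_id]].pack('Cl<') << write_lp_string(r[:library_name])
      when :BinaryObjectString
        out << [0x06, r[:object_id]].pack('Cl<') << write_lp_string(r[:value])
      when :MessageEnd
        out << 0x0B
      end
    end
  end

  # Assemblies the stream asks the deserializer to load: a cheap triage check on a
  # captured ViewState or cookie before any BinaryFormatter ever sees the bytes.
  def self.library_names(data)
    parse(data).select { |r| r[:type] == :BinaryLibrary }.map { |r| r[:library_name] }
  end
end

# Constructed sample stream (not a real gadget chain): header, one library
# reference, one string, MessageEnd.
SAMPLE_RECORDS = [
  { type: :SerializationHeaderRecord, root_id: 1, header_id: -1, major_version: 1, minor_version: 0 },
  { type: :BinaryLibrary, library_id: 2,
    library_name: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' },
  { type: :BinaryObjectString, object_id: 3, value: 'constructed payload string' },
  { type: :MessageEnd }
].freeze
SAMPLE_STREAM = MiniNrbf.generate(SAMPLE_RECORDS)

if $PROGRAM_NAME == __FILE__
  MiniNrbf.parse(SAMPLE_STREAM).each { |r| p r }
  p MiniNrbf.library_names(SAMPLE_STREAM)
end
```

Adding a real chain's record types (ClassWithMembersAndTypes, MemberReference and so on) follows the same pattern: one entry in RECORD_TYPES, one branch in parse and one in generate, with the round-trip equality as the test that the field layout is right.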

cdelafuente-r7 (Contributor) left a review comment:
This is a great library! Thanks for writing this.
I left a few comments for you to review. I am starting to test the modules that have been modified now.

OJ (Contributor) left a review comment:

This is a great submission @zeroSteiner :) Love ya work mate.

cdelafuente-r7 (Contributor) commented:

@zeroSteiner, thanks for addressing these comments.

I tested the windows/http/ssrs_navcorrector_viewstate and windows/http/dnn_cookie_deserialization_rce modules with the latest version and everything works as expected.

Once @OJ approves the last changes, I will go ahead and land it.


wvu commented Apr 23, 2020

This is great, since I was about to use it for something. :-)



wvu commented Apr 25, 2020

@cdelafuente-r7: @OJ has marked his comments resolved. This wasn't blocked. :)

@cdelafuente-r7 cdelafuente-r7 merged commit af23930 into rapid7:master Apr 27, 2020

cdelafuente-r7 commented Apr 27, 2020

Release Notes

This improves the .NET deserialization library by adding two new chains, TypeConfuseDelegate and WindowsIdentity, and a new formatter, SoapFormatter, and updates the applicable modules to use them.

@adfoster-r7 adfoster-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 30, 2020
@tperry-r7 tperry-r7 added rn-enhancement release notes enhancement and removed rn-modules release notes for new or majorly enhanced modules labels May 13, 2020
@zeroSteiner zeroSteiner deleted the feat/dot-net-deserialization branch February 23, 2021 17:10