.NET Deserialization Library Improvements #13257
Conversation
This is a great library! Thanks for writing this.
I left a few comments for you to review. I am starting to test the modules that have been modified now.
Review comments on:
lib/msf/util/dot_net_deserialization/formatters/los_formatter.rb
lib/msf/util/dot_net_deserialization/gadget_chains/type_confuse_delegate.rb
Force-pushed from 214502a to c920ca7.
This a great submission @zeroSteiner :) Love ya work mate.
Review comments on:
lib/msf/util/dot_net_deserialization/formatters/soap_formatter.rb
lib/msf/util/dot_net_deserialization/gadget_chains/type_confuse_delegate.rb
@zeroSteiner, thanks for addressing these comments. I tested the Once @OJ approves the last changes, I will go ahead and land it.
This is great, since I was about to use it for something. :-)
@cdelafuente-r7: @OJ has marked his comments resolved. This wasn't blocked. :)
Release Notes
This improves the .NET deserialization library by adding two new chains,
This adds two new chains (TypeConfuseDelegate, WindowsIdentity) and a new formatter (SoapFormatter) to the Msf::Util::DotNetDeserialization library and updates the applicable modules to use them. The entire implementation is based on the MS-NRBF spec as implemented using bindata.

All three gadget chains were adapted from the YSoSerial.NET project. Credit for each chain is in the comments of their respective modules. Each chain was parsed using the bindata records and then recreated in Ruby using the new library. This process was roughly equivalent to the following, and can be used to add additional chains in the future. Missing record values will raise an exception indicating that they must be implemented.

Full example

The #generate_gadget_chain method (which is not currently used by any modules) was updated to return a SerializedStream object. This change was necessary to allow the formatters to determine both the type of chain (gadget chains are SerializedStream subclasses) and inspect the contents for applicable conversion. Both #generate and #generate_formatted still return the serialized data in a string.

I have a WIP wiki page for module authors on how to use this new library.
Testing

dot_net_deserialization_spec.rb
exploit/windows/http/ssrs_navcorrector_viewstate for testing. This module is a great use-case because all three chains work with it (still have to use the LosFormatter). gadget_chain parameter since it's not exposed as a datastore option. It doesn't really make sense for this to be user controllable, but it works quite well as a test case. The LosFormatter relies on the BinaryFormatter allowing both to be tested at once.
TextFormattingRunProperties
WindowsIdentity (this gadget relies on the TypeConfuseDelegate allowing them to be tested simultaneously)
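As an added example, not code from this PR or from Metasploit's Msf::Util::DotNetDeserialization library, the following Ruby sketches the relationship the description relies on: an MS-NRBF stream as BinaryFormatter writes it, wrapped in the ObjectStateFormatter framing that LosFormatter emits, plus a parser that raises on record types it does not implement (the same failure mode the description attributes to missing record values). It uses plain String#unpack rather than bindata. The record layouts follow MS-NRBF (SerializationHeaderRecord 0x00, BinaryObjectString 0x06, MessageEnd 0x0B, 7-bit length-prefixed strings) and the ObjectStateFormatter constants (0xFF marker, version 0x01, token 0x32 for a BinaryFormatter-serialized body); the module name NrbfDemo, method names and the "hello" payload are assumptions of this example. The payload is a harmless string, not a gadget chain.

```ruby
require 'stringio'

# Added example, not Metasploit code: build, wrap and parse a minimal
# MS-NRBF (BinaryFormatter) stream using the LosFormatter/ObjectStateFormatter
# framing. Names in this module are the example's own.
module NrbfDemo
  # MS-NRBF RecordTypeEnum values used here
  SERIALIZATION_HEADER = 0x00
  BINARY_OBJECT_STRING = 0x06
  MESSAGE_END          = 0x0B

  # .NET ObjectStateFormatter framing (what LosFormatter output starts with)
  OSF_MARKER                  = 0xFF
  OSF_VERSION                 = 0x01
  OSF_TOKEN_BINARY_SERIALIZED = 0x32

  # .NET Write7BitEncodedInt: low 7 bits per byte, 0x80 = more bytes follow
  def self.encode_7bit(n)
    out = +''.b
    loop do
      byte = n & 0x7F
      n >>= 7
      if n.zero?
        out << byte.chr
        return out
      end
      out << (byte | 0x80).chr
    end
  end

  def self.decode_7bit(io)
    value = 0
    shift = 0
    loop do
      byte = io.read(1)&.ord or raise 'truncated 7-bit integer'
      value |= (byte & 0x7F) << shift
      return value if (byte & 0x80).zero?
      shift += 7
      raise 'overlong 7-bit integer' if shift > 35
    end
  end

  # SerializationHeaderRecord + BinaryObjectString + MessageEnd, all int32 LE
  def self.build_binary_formatter(str)
    header = [SERIALIZATION_HEADER, 1, -1, 1, 0].pack('Cl<l<l<l<')
    bytes = str.encode('UTF-8').b
    record = [BINARY_OBJECT_STRING, 1].pack('Cl<') + encode_7bit(bytes.bytesize) + bytes
    header + record + MESSAGE_END.chr
  end

  # LosFormatter: FF 01 32 <7-bit length> <BinaryFormatter bytes>
  def self.wrap_los(nrbf)
    [OSF_MARKER, OSF_VERSION, OSF_TOKEN_BINARY_SERIALIZED].pack('C3') +
      encode_7bit(nrbf.bytesize) + nrbf
  end

  # The base64 form as it would appear in a ViewState-style parameter
  def self.los_base64(los)
    [los].pack('m0')
  end

  def self.unwrap_los(los)
    io = StringIO.new(los.b)
    marker, version, token = io.read(3).to_s.unpack('C3')
    raise 'not an ObjectStateFormatter stream' unless marker == OSF_MARKER && version == OSF_VERSION
    raise 'not a BinaryFormatter-serialized token' unless token == OSF_TOKEN_BINARY_SERIALIZED
    len = decode_7bit(io)
    body = io.read(len)
    raise 'truncated payload' unless body && body.bytesize == len
    body
  end

  # Walk records until MessageEnd; unknown record types are an error, as
  # an MS-NRBF walker should never silently skip bytes it cannot frame.
  def self.parse_binary_formatter(nrbf)
    io = StringIO.new(nrbf.b)
    records = []
    until io.eof?
      type = io.read(1).ord
      case type
      when SERIALIZATION_HEADER
        root_id, header_id, major, minor = io.read(16).to_s.unpack('l<l<l<l<')
        raise "unsupported MS-NRBF version #{major}.#{minor}" unless major == 1 && minor == 0
        records << { type: :serialization_header, root_id: root_id, header_id: header_id }
      when BINARY_OBJECT_STRING
        object_id = io.read(4).to_s.unpack1('l<')
        len = decode_7bit(io)
        value = io.read(len)
        raise 'truncated string' unless value && value.bytesize == len
        records << { type: :binary_object_string, object_id: object_id,
                     value: value.force_encoding('UTF-8') }
      when MESSAGE_END
        records << { type: :message_end }
        break
      else
        raise NotImplementedError, format('record type 0x%02x is not implemented', type)
      end
    end
    records
  end
end

if $PROGRAM_NAME == __FILE__
  los = NrbfDemo.wrap_los(NrbfDemo.build_binary_formatter('hello'))
  puts NrbfDemo.los_base64(los)
  p NrbfDemo.parse_binary_formatter(NrbfDemo.unwrap_los(los))
end
```

The base64 output begins with "/wEy", the encoding of the FF 01 32 prefix, which is why LosFormatter-wrapped BinaryFormatter payloads in a ViewState parameter are recognisable at a glance; a LosFormatter stream that wraps any other token is not a BinaryFormatter stream and the unwrap step rejects it.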