This exploit was demonstrated in the talk "(DE)SERIAL KILLERS" in BSides Las Vegas 2018. It demonstrates exploitation against demo code provided by Microsoft for BinaryMessageFormatter, at https://msdn.microsoft.com/en-us/library/system.messaging.binarymessageformatter(v=vs.110).aspx in .NET 4.5

shad0w008/MSMQ-BinaryMessageFormatter-Exploit-for-.NET-4.5

MSMQ BinaryMessageFormatter-Exploit for .NET 4.5

This exploit was demonstrated in the talk "(DE)SERIAL KILLERS" at BSides Las Vegas 2018 by me, as part of AppSec Research at Checkmarx. It demonstrates exploitation against demo code provided by Microsoft for BinaryMessageFormatter, at https://msdn.microsoft.com/en-us/library/system.messaging.binarymessageformatter(v=vs.110).aspx

The BSidesLV18 talk is available here: https://www.youtube.com/watch?v=6d33AY3qASg

Credit to James Forshaw for the TypeConfuseDelegate gadget used to exploit this vulnerability.

What is BinaryMessageFormatter?

MSMQ is a message queuing system developed by Microsoft and shipped as an optional Windows feature on many modern Windows systems. Like Java's JMS, this message queue allows serializing objects into messages, publishing them to MSMQ, and having them deserialized by a recipient. This allows fast, easy and managed distribution of .NET objects across multiple applications.

It uses two formatters - XmlMessageFormatter, which is a strictly-typed deserializer that requires the allowed target types to be declared before it is able to deserialize objects from messages, and BinaryMessageFormatter, which is a completely naive deserializer that accepts practically any object without any introspection. Under the hood, BinaryMessageFormatter uses BinaryFormatter, which is known to be vulnerable to deserialization attacks via multiple known gadget chains.

This exploit demonstrates how the code for reading messages with BinaryMessageFormatter, lifted directly from MSDN (https://msdn.microsoft.com/en-us/library/system.messaging.binarymessageformatter(v=vs.110).aspx), is vulnerable to RCE.

What Does This POC Do?

All this POC does is generate a malicious message using BinaryMessageFormatter and send it to a local, private MSMQ queue. Once the message is there, the program waits for a keypress, at which point it uses ReceiveMessage(), lifted directly from MSDN, to read the body of the message and attempt to cast it to a Bitmap; however, by that point it is already too late, and calc.exe will have executed.

Deserialization occurs as soon as Message.Body is accessed, or when BinaryMessageFormatter.Read() is invoked on the malicious message. The program is expected to throw an exception once the cast fails, though again - this is too late, and calc.exe will already have executed.
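The two receive patterns the paragraphs above contrast, as an added illustration that is not part of this repository's code: the MSDN-shaped receiver that hands the body to BinaryMessageFormatter (and therefore to BinaryFormatter) before the cast runs, next to a receiver that sets an XmlMessageFormatter restricted to one declared DTO type. The queue path, the ImageEnvelope type and the sample payload are assumptions constructed for the example; the only System.Messaging calls used are MessageQueue.Exists/Create/Send/Receive, the two formatter constructors and Message.Body.

```csharp
using System;
using System.Drawing;
using System.Messaging;
using System.Text;

// Added example (not the repository's PoC). Queue path and DTO are assumptions.
// XmlSerializer, which XmlMessageFormatter uses, needs a public type with a
// public parameterless constructor and public read/write properties.
public class ImageEnvelope
{
    public string FileName { get; set; }
    public byte[] PngBytes { get; set; }
}

public static class MsmqReceivePatterns
{
    // Assumed private queue name for this example.
    const string QueuePath = @".\Private$\formatterDemo";

    // Vulnerable shape (what the MSDN sample does): BinaryMessageFormatter is a
    // thin wrapper over BinaryFormatter, so any gadget chain embedded in the
    // message runs while Message.Body is being materialised. The (Bitmap) cast
    // and its InvalidCastException happen only after that.
    public static Bitmap ReceiveWithBinaryFormatter(MessageQueue queue)
    {
        queue.Formatter = new BinaryMessageFormatter();
        Message msg = queue.Receive(TimeSpan.FromSeconds(5));
        return (Bitmap)msg.Body; // too late: deserialization already finished
    }

    // Hardened shape: XmlMessageFormatter only deserializes into the types
    // passed to its constructor. A body whose root element is not an
    // ImageEnvelope is rejected by the XML deserializer instead of being
    // instantiated, so there is no BinaryFormatter type graph to abuse.
    public static ImageEnvelope ReceiveWithXmlFormatter(MessageQueue queue)
    {
        queue.Formatter = new XmlMessageFormatter(new[] { typeof(ImageEnvelope) });
        Message msg = queue.Receive(TimeSpan.FromSeconds(5));
        return (ImageEnvelope)msg.Body;
    }

    public static void Main()
    {
        if (!MessageQueue.Exists(QueuePath))
            MessageQueue.Create(QueuePath);

        using (var queue = new MessageQueue(QueuePath))
        {
            // Producer side: send a constructed, benign DTO using the same
            // strict formatter so the body is plain XML, not a BinaryFormatter blob.
            queue.Formatter = new XmlMessageFormatter(new[] { typeof(ImageEnvelope) });
            queue.Send(new ImageEnvelope
            {
                FileName = "sample.png",                          // constructed
                PngBytes = Encoding.ASCII.GetBytes("not-a-real-png") // constructed
            });

            ImageEnvelope env = ReceiveWithXmlFormatter(queue);
            Console.WriteLine("Received {0} ({1} bytes)", env.FileName, env.PngBytes.Length);
        }
    }
}
```

Run it on a machine with the MSMQ Server Core feature enabled (the same prerequisite the README lists) and a reference to System.Messaging and System.Drawing; Main only exercises the hardened path, and ReceiveWithBinaryFormatter is kept solely to show where in the control flow the deserialization of an attacker-controlled body occurs. Migrating a consumer off BinaryMessageFormatter means every producer must also switch, since XmlMessageFormatter will not read a binary body.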

This exploit targets .NET >= 4.5 using the TypeConfuseDelegate gadget, taken from ysoserial.net: https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Generators/TypeConfuseDelegateGenerator.cs. This gadget was created by James Forshaw.

Requirements:

  • Visual Studio (tested on VS2017)
  • MSMQ Server (installed via Windows Features)

To Run:

First - you must create a local MSMQ server. This feature can be enabled on any modern Windows system.

  • Go to Windows Features
  • Under "Microsoft Message Queue (MSMQ) Server" select "Microsoft Message Queue (MSMQ) Server Core" (other features are not required) and install the feature
  • Open "MSMQ BinaryMessageFormatter Exploit.sln" in Visual Studio
  • Run project
