pwntester / ysoserial.net

Deserialization payload generator for a variety of .NET formatters
MIT License

[feature request] Add run any byte code/dll in deserialization chain #162

Open Chestnuts4 opened 1 month ago

Chestnuts4 commented 1 month ago

In the TextFormattingRunProperties chain, we can run any system command in a deserialization vulnerability, but sometimes we want to run any byte code or DLL on the target, so do you think that feature should be added? If you do, I would submit a PR.

Ref: https://russtone.io/2023/05/30/programming-with-xaml/

irsdl commented 1 month ago

Hi, I think this has already been added here: https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs

I am personally against having this as a separate gadget but more as a variant or a plugin. However, it is certainly a useful addition to have (you can basically call many functions with this, as many do, for example, to deserialize another payload).

Please let us know if you meant something else other than this existing gadget.

Chestnuts4 commented 1 month ago

I reviewed

https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs#L104-L106

but when it calls the GetType method, the <ObjectDataProvider.MethodParameters/> tag is not closed.

I haven't tried using this gadget yet; it just doesn't seem to work. I will try to use this gadget later.

irsdl commented 1 month ago

This gadget has been created by the blog post's author you were referring to. If it has any bugs, it would be great to fix it.