pwntester / ysoserial.net

Deserialization payload generator for a variety of .NET formatters

[feature request] Add run any byte code/dll in deserialization chain

Chestnuts4 opened this issue · comments

In the TextFormattingRunProperties chain, we can run any system command in a deserialization vulnerability, but sometimes we want to run any byte code or DLL on the target, so do you think that feature should be added? If you do, I would apply a PR.

ref: https://russtone.io/2023/05/30/programming-with-xaml/

Hi, I think this has already been added here: https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs

I am personally against having this as a separate gadget but more as a variant or a plugin. However, it is certainly a useful addition to have (you can basically call many functions with this as many do for example to deserialize another payload).

Please let us know if you meant something else other than this existing gadget.

I reviewed https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs#L104-L106 but when it calls the GetType method, the <ObjectDataProvider.MethodParameters/> tag is not closed.

I haven't tried using this gadget yet; it just doesn't seem to work. I will try to use this gadget later.

This gadget has been created by the blog post's author you were referring to. If it has any bugs, it would be great to fix it.