Last active May 19, 2020 21:24
gadgets and formatters for deserialization attacks for asp.net
== GADGETS ==
* ActivitySurrogateDisableTypeCheck [Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored]
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
* ActivitySurrogateSelector [This gadget ignores the command parameter and executes the constructor of ExploitClass class] (supports extra options: use the '--fullhelp' argument to view)
Formatters: BinaryFormatter (2) , LosFormatter , SoapFormatter
* ActivitySurrogateSelectorFromFile [Another variant of the ActivitySurrogateSelector gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'] (supports extra options: use the '--fullhelp' argument to view)
Formatters: BinaryFormatter (2) , LosFormatter , SoapFormatter
* AxHostState
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
* ClaimsIdentity
Formatters: BinaryFormatter , LosFormatter , SoapFormatter
* DataSet
Formatters: BinaryFormatter , LosFormatter , SoapFormatter
* ObjectDataProvider (supports extra options: use the '--fullhelp' argument to view)
Formatters: DataContractSerializer (2) , FastJson , FsPickler , JavaScriptSerializer , Json.Net , Xaml (4) , XmlSerializer , YamlDotNet < 5.0.0
* PSObject [Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017)]
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
* RolePrincipal
Formatters: BinaryFormatter, DataContractSerializer, Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
* SessionSecurityToken
Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
* SessionViewStateHistoryItem
Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
* TextFormattingRunProperties [This normally generates the shortest payload] (supports extra options: use the '--fullhelp' argument to view)
Formatters: BinaryFormatter , DataContractSerializer , LosFormatter , NetDataContractSerializer , SoapFormatter
* TypeConfuseDelegate
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer
* TypeConfuseDelegateMono [Tweaked TypeConfuseDelegate gadget to work with Mono]
Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer
* WindowsClaimsIdentity [Requires Microsoft.IdentityModel.Claims namespace (not default GAC)] (supports extra options: use the '--fullhelp' argument to view)
Formatters: BinaryFormatter (3) , DataContractSerializer (2) , Json.Net (2) , LosFormatter (3) , NetDataContractSerializer (3) , SoapFormatter (2)
* WindowsIdentity
Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
* WindowsPrincipal
Formatters: BinaryFormatter , DataContractJsonSerializer , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter