1. Overview
During a recent NCC Group security assessment, I encountered a .NET v2.0 application that used .NET Remoting over HTTP, sending SOAP requests to another server in order to communicate. When decompiling the application, I noticed that the server had TypeFilterLevel set to Full. This is very dangerous, because it may allow an attacker to achieve remote code execution through a deserialization attack. Of course, the actual exploitation was not as straightforward as I initially thought.
I therefore carried out some research, which I hope will help penetration testers and make this area easier to test in the future. This article describes how ysoserial.net can be used against .NET Remoting applications that use the HTTP channel, both to find vulnerable applications and to exploit them.
A .NET environment containing a vulnerable client and server, created for practice purposes, is publicly accessible here.
2. Common obstacles
A .NET Remoting application can choose between the TCP, IPC and HTTP channels. James Forshaw has written an excellent tool for testing and exploiting the TCP and IPC channels. However, we did not find anything for the HTTP channel, which uses SOAP messages.
When a ysoserial.net SOAP payload is sent directly, without any modification, the server responds with an error message.
Besides the .NET Remoting object URI (hereinafter referred to as the service name), creating a valid SOAP request requires knowing the object's namespace and its structure. This makes black-box testing harder, because even when we know the service name we usually do not have this information.
My target used .NET Framework v2.0, but the ysoserial.net project is built for a 4.x version. This means the tool sometimes cannot be used when testing .NET Remoting, and a .NET v2.0 build of ysoserial.net would come in handy.
Without access to the source code, it is difficult to know whether the application has TypeFilterLevel set to Full. I therefore needed a way to test for it safely, without causing the server to crash.
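As an added illustration (not code from the original article or its GitHub example), the following C# shows how a .NET Remoting HTTP server ends up with the dangerous setting discussed above, beside the hardened alternative. The service class, the port and the app.config fragment are assumptions; only the service name VulnerableEndpoint.rem comes from the article.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Runtime.Serialization.Formatters;

// Hypothetical remoted object; the real service class is not shown in the article.
public class ExampleService : MarshalByRefObject
{
    public string Ping() { return "pong"; }
}

public static class RemotingHost
{
    // Registers the HTTP channel with the SOAP server formatter sink.
    // allowFullTypeFilter == true reproduces the dangerous configuration,
    // false keeps the default (Low).
    public static void Start(int port, bool allowFullTypeFilter)
    {
        var serverProvider = new SoapServerFormatterSinkProvider();

        // Full lets the SOAP formatter deserialize any type found in the request
        // body, so a caller who only knows the service name can trigger gadget
        // chains. Low (the default) limits deserialization to the types remoting
        // itself needs. Note that the article shows Low can still be crashed.
        serverProvider.TypeFilterLevel = allowFullTypeFilter
            ? TypeFilterLevel.Full   // weak
            : TypeFilterLevel.Low;   // hardened

        IDictionary props = new Hashtable();
        props["port"] = port;

        var channel = new HttpChannel(props, null, serverProvider);
        ChannelServices.RegisterChannel(channel, false);

        // Exposes the object under the service name used in the article's requests.
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(ExampleService), "VulnerableEndpoint.rem",
            WellKnownObjectMode.Singleton);
    }
}

/* Equivalent app.config fragment (assumed layout). The weak value is
   typeFilterLevel="Full"; the hardened form is "Low" or omitting the attribute.

<system.runtime.remoting>
  <application>
    <channels>
      <channel ref="http" port="8080">
        <serverProviders>
          <formatter ref="soap" typeFilterLevel="Full" />
        </serverProviders>
      </channel>
    </channels>
  </application>
</system.runtime.remoting> */
```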
3. Exploiting the deserialization vulnerability
If the application has TypeFilterLevel set to Full, we do not need any real knowledge of the object being sent to the server or of the SOAPAction header. The only information required is the service name, which is also needed when exploiting the TCP or IPC channels.
The other requirements are as follows:
1. The HTTP method should be POST or M-POST;
2. The Content-Type header should be text/xml;
3. The SOAPAction header should not be empty;
4. The Content-Length header should reflect the exact size of the request body.
If all of the above headers are set but the service name is invalid, the server responds as follows:
System.Runtime.Remoting.RemotingException – Requested Service not found
If the headers are not set, for example when sending a GET request, the server responds with a different error message. The following is the usual error message for a GET request:
System.ArgumentNullException: No message was deserialized prior to calling the DispatchChannelSink.
Note that when a GET request with ?wsdl, ?sdl or ?sdlx is sent to a valid service name, the service may sometimes return useful data. However, this is not the case in our GitHub example.
To generate the SOAP payload with ysoserial.net, any gadget that supports SoapFormatter can be used. However, one of the following tricks must be applied for the payload to work properly.
Method 1: delete the tags from the payload.
Method 2: add the following markup immediately after the tag:
The following HTTP request shows a successful example, using the ysoserial.net TextFormattingRunProperties gadget to run the command cmd /c calc. In this example, the service name is VulnerableEndpoint.rem.
Using the first method above, the HTTP request is as follows:
POST /VulnerableEndpoint.rem HTTP/1.1
Content-Type: text/xml
SOAPAction: "x"
HOST: target
Content-Length: 1470
cmd
/c "calc"
Its working principle is shown in the following animation (image not reproduced here): /Article/UploadPic/2019-4/201944162728361.gif
Using the second method above, the HTTP request is as follows:
POST /VulnerableEndpoint.rem HTTP/1.1
Content-Type: text/xml
SOAPAction: "x"
HOST: target
Content-Length: 1518
cmd
/c "calc"
With both of the above methods, even when the vulnerability is exploited successfully, the server application still returns the following error message:
System.Runtime.Remoting.RemotingException – Server encountered an internal error.
When TypeFilterLevel is set to Low, the server application responds with the following error messages:
System.Reflection.TargetInvocationException – Exception has been thrown by the target of an invocation.
System.Security.SecurityException – Request failed.
In this case, the SOAP request generated by ysoserial.net only produces an error and does not crash the server application. We can therefore use the error message to identify whether the server application is vulnerable.
To clear the last obstacle to testing and exploiting applications built on .NET Framework 2.0, a ysoserial.net v2.0 project was created, which can be found here. However, this project supports only a limited number of gadgets and also requires .NET Framework 3.5 to be installed on the target. Although this is not ideal, the exploit succeeded against my target during the test, because the target host also had a newer version of the .NET Framework installed. An exploit that depends only on .NET Framework 2.0 would require new gadgets.
4. Guarding against possible denial-of-service issues
Even when TypeFilterLevel is set to Low, the server application may still crash. This happened during testing when the DataSet class was referenced, using a payload generated by the ysoserial.net TypeConfuseDelegate gadget, as shown below: