Error loadFromRemoteSources #99

Open
chmod750 opened this issue Oct 28, 2020 · 6 comments

@chmod750

Hello,

I have an error executing a PSObject payload (ASP.NET Core Runtime 2.1.23). Does it mean I have to bypass loadFromRemoteSources restrictions on the target too?

ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "ping 10.0.0.1" -t

Unhandled Exception: System.NotSupportedException: An attempt was made to load an assembly from a network location which would have caused the assembly to be sandboxed in previous versions of the .NET Framework. This release of the .NET Framework does not enable CAS policy by default, so this load may be dangerous. If this load is not intended to sandbox the assembly, please enable the loadFromRemoteSources switch. See http://go.microsoft.com/fwlink/?LinkId=155569 for more information.
at System.Reflection.RuntimeAssembly.nLoadFile(String path, Evidence evidence)
at System.Reflection.Assembly.LoadFile(String path)
at ysoserial.Generators.PSObjectGenerator.Generate(String formatter, InputArgs inputArgs) in D:\a\ysoserial.net\ysoserial.net\ysoserial\Generators\PSObjectGenerator.cs:line 67
at ysoserial.Generators.GenericGenerator.GenerateWithInit(String formatter, InputArgs inputArgs) in D:\a\ysoserial.net\ysoserial.net\ysoserial\Generators\GenericGenerator.cs:line 68
at ysoserial.Program.Main(String[] args) in D:\a\ysoserial.net\ysoserial.net\ysoserial\Program.cs:line 197

@gogo2464
Contributor

In order to solve it do:

-open powershell
-send "[environment]::Version"

and read the version of .NET.

-Now, with the version of .NET, if you are on a 32-bit machine go to %windir%\Microsoft.NET\Framework\[version]\config\machine.config
Else, if you are on a 64-bit machine, go to %windir%\Microsoft.NET\Framework64\[version]\config\machine.config.

-Then edit the file machine.config in order to get something with <loadFromRemoteSources enabled="true"/> like

<configuration>  
   <runtime>  
      <loadFromRemoteSources enabled="true"/>  
   </runtime>  
</configuration>  

Then it should work.

Sources:

-https://stackoverflow.com/questions/2325473/where-is-machine-config/2325492#2325492
-https://docs.microsoft.com/fr-fr/dotnet/framework/configure-apps/file-schema/runtime/loadfromremotesources-element
-https://stackoverflow.com/questions/1565434/how-do-i-find-the-net-version
-https://askcodez.com/impossible-de-charger-lassembly-a-partir-de-lemplacement-reseau.html

As you can see, it was a mitigation and you need the target system to disable this mitigation. No idea if it is bypassable.
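
The comment above describes switching `loadFromRemoteSources` on in machine.config. From the defender's side, the following added example (not part of the original thread and not ysoserial.net code) reports where that switch has been enabled; the names `switch_enabled` and `audit` and the sample XML are assumptions made for illustration.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Constructed sample inputs for illustration (not taken from a real host).
SAMPLE_ENABLED = """<configuration>
   <runtime>
      <loadFromRemoteSources enabled="true"/>
   </runtime>
</configuration>"""
SAMPLE_DEFAULT = "<configuration><runtime/></configuration>"


def switch_enabled(xml_data):
    """True if <runtime> contains <loadFromRemoteSources enabled="true"/>."""
    root = ET.fromstring(xml_data)
    for el in root.findall("./runtime/loadFromRemoteSources"):
        # Assumption: compare case-insensitively so "True" is also reported.
        if el.get("enabled", "false").strip().lower() == "true":
            return True
    return False


def audit(windir):
    """Check machine.config under Framework and Framework64, every version.

    Returns {path: True | False | None}; None means unreadable or malformed.
    """
    # Version directories are named like v4.0.30319, hence the "v*" component.
    pattern = os.path.join(windir, "Microsoft.NET", "Framework*", "v*",
                           "config", "machine.config")
    results = {}
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path, "rb") as fh:
                results[path] = switch_enabled(fh.read())
        except (OSError, ET.ParseError):
            results[path] = None
    return results


if __name__ == "__main__":
    labels = {True: "ENABLED (mitigation off)", False: "default", None: "unreadable"}
    for path, state in audit(os.environ.get("windir", r"C:\Windows")).items():
        print(f"{labels[state]:26} {path}")
```

A per-application `.config` file can carry the same `<runtime>` element, so the `switch_enabled` check applies to those files as well.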

@gogo2464
Contributor

gogo2464 commented Jun 4, 2023

@chmod750 after a long, long reading I think it is a bug that leads to a block on the C# sandbox.

Some generators bypass it, some do not.

Sounds like a bug. Not your mistake.

@irsdl
Collaborator

irsdl commented Dec 23, 2024

I was just reading this to see how I can resolve it. I ran it and it worked for me without a bypass. I am running this on Windows 11; I wonder what the test environment is when this error appears. This gadget relies on a patched issue and I think we are including a vulnerable DLL with the project for it so the tests would work. This means that even if there is an issue here, it would only affect the -t argument, which is used for testing purposes. That said, I would like to see what we can do for it if this issue still exists.

@irsdl
Collaborator

irsdl commented Dec 23, 2024

Just realised ASP.NET Core Runtime 2.1.23 was used to run it. I have never used anything other than .NET Framework and Mono to run ysoserial.net so it will be interesting to me to see if it even runs...

@gogo2464
Contributor

It worked for me on Mono last year!! @irsdl could you provide more info on your system please? I hope there is no regression!!!

@irsdl
Collaborator

irsdl commented Dec 30, 2024

I only use a Windows box with .NET Framework to generate the payloads, which might not be ideal for automation. I will try to see if I can make it in a Linux container with Mono. If you have already done it, please share the details so it can speed things up.
For this particular gadget, I don't think we should spend too much time, as the DLL import is only used with the -t argument to test it. In automation or attacks, we are not going to use it.
