<h1>.NET serialization/deserialization – basic C# attack example</h1>
<p>Published 2018-03-02 (last modified 2022-01-24) by malwrforensics, category Security. Original URL: https://malwrforensics.com/en/2018/03/02/net-serialization-deserialization-basic-c-attack-example/</p>
<p>In this post we'll have a closer look at .NET serialization/deserialization attacks. We'll use a vulnerable .NET (C#) program as an example (<a href="https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf">inspired by James Forshaw's work</a>) and walk through it to see where the issue lies.</p>
<pre>using System;
using System.Diagnostics;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

namespace testsrlz
{
  [Serializable]
  public class testcl
  {
    // Public field: XmlSerializer reads it when serializing and writes it
    // directly when deserializing, without going through any constructor check.
    public string _cmd = "calc.exe";

    // The only place where the command value is validated.
    public testcl(string cmd)
    {
      if (cmd != "calc.exe")
        Console.WriteLine("Invalid command");
      else
        _cmd = cmd;
    }

    // Parameterless constructor required by XmlSerializer. When it runs, _cmd
    // still holds its default value, so this check always passes.
    public testcl()
    {
      if (_cmd != "calc.exe")
        Console.WriteLine("Invalid command");
    }

    // Executes whatever _cmd currently holds.
    public void Run()
    {
      Process.Start(_cmd);
    }
  }

  class Program
  {
    // Writes a testcl instance with the allowed command to an XML file.
    static void SerializeToXml(string fname)
    {
      testcl sc_testcl = new testcl("calc.exe");

      XmlSerializer ser_xml = new XmlSerializer(typeof(testcl));

      using (FileStream fs = File.Open(fname, FileMode.Create))
      {
        ser_xml.Serialize(fs, sc_testcl);
      }
    }

    // Reads a testcl instance back from the XML file and runs its command.
    // Nothing here re-validates the value that came from the file.
    static void DeSerializeFromXml(string fname)
    {
      testcl sc_testcl;
      XmlSerializer ser_xml = new XmlSerializer(typeof(testcl));
      using (FileStream fs = File.Open(fname, FileMode.Open))
      {
        XmlReader xread = XmlReader.Create(fs);
        sc_testcl = (testcl)ser_xml.Deserialize(xread);
      }
      Console.WriteLine("Run: " + sc_testcl._cmd);
      sc_testcl.Run();
    }

    static void Main(string[] args)
    {
      // Uncomment the two lines below once to generate test.xml.
      //Console.WriteLine("[+] Serialize class");
      //SerializeToXml("test.xml");
      Console.WriteLine("[+] Deserialize class");
      DeSerializeFromXml("test.xml");
    }
  }
}</pre>
<p>If you serialize the class, the contents of test.xml will be something like the following:</p>
<pre>&lt;?xml version="1.0"?&gt;
&lt;testcl xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;
  &lt;_cmd&gt;calc.exe&lt;/_cmd&gt;
&lt;/testcl&gt;</pre>
<p>The <strong>_cmd</strong> value is checked only in the <strong>testcl</strong> constructor. That check never sees the deserialized value: when <strong>XmlSerializer</strong> rebuilds the object it assigns the public <strong>_cmd</strong> field straight from the XML, so the <strong>Run</strong> method uses whatever value the file contains.</p>
<p>If you change the XML to something like this:</p>
<pre>&lt;?xml version="1.0"?&gt;
&lt;testcl xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;
  &lt;_cmd&gt;notepad.exe&lt;/_cmd&gt;
&lt;/testcl&gt;</pre>
<p>you will see a Notepad window pop up instead of Calculator.</p>