SpellBook https://ag2s.ca/spellbook/2.-web-pentesting/2.4-whitebox-attacks/deserialization/ Recent content on SpellBook Hugo en-us https://ag2s.ca/spellbook/2.-web-pentesting/2.4-whitebox-attacks/deserialization/asp.net/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/2.-web-pentesting/2.4-whitebox-attacks/deserialization/asp.net/ <h2 id="setup">Setup<a class="anchor" href="#setup">#</a></h2> <p>Install <a href="https://visualstudio.microsoft.com/vs/community/">Visual Studio</a>. If you already have, open <code>Visual Studio Installer</code> -&gt; <code>Modify</code> <img src="https://ag2s.ca/spellbook/images/46ced486e5005bdc7966f2be4292c4808ccab9290ff77ef3ef68cfe22f8b70cd.jpeg" alt="" /> And install <code>.NET desktop development</code> <img src="https://ag2s.ca/spellbook/images/62633696c59ca882c621fcd1e2b23fd4e905bb75cb2b021fb4d2bf0b491ae968.jpeg" alt="" /> We can create a new <code>Console App (.NET Framework)</code> project for all the exploit developments here <img src="https://ag2s.ca/spellbook/images/1438d6befba67d0958ca61d675307433f98926ec209f79b5f37b32de8dc39f5b.jpeg" alt="" /></p> <h2 id="net-deserialization-gadgets">.NET Deserialization gadgets<a class="anchor" href="#net-deserialization-gadgets">#</a></h2> <p>Before exploiting any .NET deserialization vulnerabilities, we need to know about the gadgets that we can use to invoke a method (function) that we want. We will walk through 2 gadget chains that results in RCE. The reason we need these gadgets is because we cannot directly invoke a method via deserialization. Creating an object is not the same as running a function. However, there are some workaround that we can use to invoke a method without directly do so.</p> https://ag2s.ca/spellbook/2.-web-pentesting/2.4-whitebox-attacks/deserialization/php/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/2.-web-pentesting/2.4-whitebox-attacks/deserialization/php/ <h2 id="example-1---php">Example 1 - PHP<a class="anchor" href="#example-1---php">#</a></h2> <p>We found a webapp with a <code>export settings</code> <code>import settings</code> function. When we try exporting our settings, we got this string:</p> <pre tabindex="0"><code>TzoyNDoiQXBwXEhlbHBlcnNcVXNlclNldHRpbmdzIjo0OntzOjMwOiIAQXBwXEhlbHBlcnNcVXNlclNldHRpbmdzAE5hbWUiO3M6NzoicGVudGVzdCI7czozMToiAEFwcFxIZWxwZXJzXFVzZXJTZXR0aW5ncwBFbWFpbCI7czoyMzoicGVudGVzdEBwZW50ZXN0LnBlbnRlc3QiO3M6MzQ6IgBBcHBcSGVscGVyc1xVc2VyU2V0dGluZ3MAUGFzc3dvcmQiO3M6NjA6IiQyeSQxMCROdjAyRWppUjNheDcwMFJNZUFtd2oua2JUOVNQaGNJMjhJT0dKN2ZadTIwL0pYNlhGZTRNYSI7czozNjoiAEFwcFxIZWxwZXJzXFVzZXJTZXR0aW5ncwBQcm9maWxlUGljIjtzOjExOiJkZWZhdWx0LmpwZyI7fQ==</code></pre><p>We try to base64 decode it, and got this string. It looks like a php serialized data.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>$ echo <span style="color:#e6db74">&#39;TzoyNDoiQXBwXEhlbHBlcnNcVXNlclNldHRpbmdzIjo0OntzOjMwOiIAQXBwXEhlbHBlcnNcVXNlclNldHRpbmdzAE5hbWUiO3M6NzoicGVudGVzdCI7czozMToiAEFwcFxIZWxwZXJzXFVzZXJTZXR0aW5ncwBFbWFpbCI7czoyMzoicGVudGVzdEBwZW50ZXN0LnBlbnRlc3QiO3M6MzQ6IgBBcHBcSGVscGVyc1xVc2VyU2V0dGluZ3MAUGFzc3dvcmQiO3M6NjA6IiQyeSQxMCROdjAyRWppUjNheDcwMFJNZUFtd2oua2JUOVNQaGNJMjhJT0dKN2ZadTIwL0pYNlhGZTRNYSI7czozNjoiAEFwcFxIZWxwZXJzXFVzZXJTZXR0aW5ncwBQcm9maWxlUGljIjtzOjExOiJkZWZhdWx0LmpwZyI7fQ==&#39;</span> | base64 -d </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>O:24:<span style="color:#e6db74">&#34;App\Helpers\UserSettings&#34;</span>:5:<span style="color:#f92672">{</span>s:30:<span style="color:#e6db74">&#34;App\Helpers\UserSettingsName&#34;</span>;s:7:<span style="color:#e6db74">&#34;pentest&#34;</span>;s:31:<span style="color:#e6db74">&#34;App\Helpers\UserSettingsEmail&#34;</span>;s:23:<span style="color:#e6db74">&#34;pentest@pentest.pentest&#34;</span>;s:30:<span style="color:#e6db74">&#34;App\Helpers\UserSettingsRole&#34;</span>;s:4:<span style="color:#e6db74">&#34;user&#34;</span>;s:34:<span style="color:#e6db74">&#34;App\Helpers\UserSettingsPassword&#34;</span>;s:60:<span style="color:#e6db74">&#34;</span>$2<span style="color:#e6db74">y</span>$10$Nv02EjiR3ax700RMeAmwj<span style="color:#e6db74">.kbT9SPhcI28IOGJ7fZu20/JX6XFe4Ma&#34;</span>;s:36:<span style="color:#e6db74">&#34;App\Helpers\UserSettingsProfilePic&#34;</span>;s:11:<span style="color:#e6db74">&#34;default.jpg&#34;</span>;<span style="color:#f92672">}</span></span></span></code></pre></div><h3 id="source-analysis">Source analysis<a class="anchor" href="#source-analysis">#</a></h3> <p>When we see the source code for the <code>handleSettingsIE</code> function, we can see that it deserialize user input <code>base64</code> data into <code>userSettings</code> object without sanitizing/filtering</p> https://ag2s.ca/spellbook/2.-web-pentesting/2.4-whitebox-attacks/deserialization/python/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/2.-web-pentesting/2.4-whitebox-attacks/deserialization/python/ <h2 id="python">Python<a class="anchor" href="#python">#</a></h2> <p>When we login to this webapp, we got a cookie like this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-http" data-lang="http"><span style="display:flex;"><span><span style="color:#66d9ef">HTTP</span><span style="color:#f92672">/</span><span style="color:#ae81ff">1.1</span> <span style="color:#ae81ff">302</span> <span style="color:#a6e22e">Found</span> </span></span><span style="display:flex;"><span>Set-Cookie<span style="color:#f92672">:</span> <span style="color:#ae81ff">auth_8bH3mjF6n9=gASVSgAAAAAAAACMCXV0aWwuYXV0aJSMB1Nlc3Npb26Uk5QpgZR9lCiMCHVzZXJuYW1llIwNZnJhbnoubXVlbGxlcpSMBHJvbGWUjAR1c2VylHViLg==</span></span></span></code></pre></div><p>We try to <code>base64</code> decode the cookie and it starts with the bytes <code>80 04 95</code> and ends with a <code>period</code>. Compare it to our cheatsheet at <a href="#black-box">#Black-Box</a>, this is python <code>Pickle</code> version 4 serialized object.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>$ echo gASVSgAAAAAAAACMCXV0aWwuYXV0aJSMB1Nlc3Npb26Uk5QpgZR9lCiMCHVzZXJuYW1llIwNZnJhbnoubXVlbGxlcpSMBHJvbGWUjAR1c2VylHViLg<span style="color:#f92672">==</span> | base64 -d | xxd </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>00000000: <span style="color:#ae81ff">8004</span> 954a <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> <span style="color:#ae81ff">0000</span> 008c <span style="color:#ae81ff">0975</span> <span style="color:#ae81ff">7469</span> ...J.........uti </span></span><span style="display:flex;"><span>00000010: 6c2e <span style="color:#ae81ff">6175</span> <span style="color:#ae81ff">7468</span> 948c <span style="color:#ae81ff">0753</span> <span style="color:#ae81ff">6573</span> <span style="color:#ae81ff">7369</span> 6f6e l.auth...Session </span></span><span style="display:flex;"><span>00000020: <span style="color:#ae81ff">9493</span> <span style="color:#ae81ff">9429</span> <span style="color:#ae81ff">8194</span> 7d94 288c <span style="color:#ae81ff">0875</span> <span style="color:#ae81ff">7365</span> 726e ...<span style="color:#f92672">)</span>..<span style="color:#f92672">}</span>.<span style="color:#f92672">(</span>..usern </span></span><span style="display:flex;"><span>00000030: 616d <span style="color:#ae81ff">6594</span> 8c0d <span style="color:#ae81ff">6672</span> 616e 7a2e 6d75 656c ame...franz.muel </span></span><span style="display:flex;"><span>00000040: 6c65 <span style="color:#ae81ff">7294</span> 8c04 726f 6c65 948c <span style="color:#ae81ff">0475</span> <span style="color:#ae81ff">7365</span> ler...role...use </span></span><span style="display:flex;"><span>00000050: <span style="color:#ae81ff">7294</span> <span style="color:#ae81ff">7562</span> 2e r.ub.</span></span></code></pre></div><h3 id="source-analysis">Source Analysis<a class="anchor" href="#source-analysis">#</a></h3> <p>This is the <code>/login</code> path in <code>app.py</code>. After we log in:</p>