Added .NET deserialization bug stub
ad committed Feb 6, 2018
1 parent e274a9f commit 9536490
Showing 20 changed files with 6,667 additions and 0 deletions.
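--- a/challenges/dotnet-deserialization/.gitignore
+++ b/challenges/dotnet-deserialization/.gitignore
@@ -0,0 +1,6 @@
+*.dll
+*.exe
+*.pdb
+*.obj
+
+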
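--- a/challenges/dotnet-deserialization/README.md
+++ b/challenges/dotnet-deserialization/README.md
@@ -0,0 +1,22 @@
+# .NET Deserialization Attack
+
+## Learning Objective
+
+* .NET Framework
+* C# Language and CLR
+* Deserialization attacks against .NET Framework
+
+## Deserialization Attacks
+
+The vulnerability exists due to an attacker's ability to load and run `deserialization callback` methods in any arbitrary class in application's classpath. Depending on the `deserialization callbacks` and availability of usable libraries for gadgets, an attacker may execute arbitrary code by exploiting the scenario.
+
+
+
+## References
+
+* https://speakerdeck.com/pwntester/attacking-net-serialization
+* https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
+* https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH\_US\_12\_Forshaw\_Are\_You\_My\_Type\_Slides.pdf
+
+
+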
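--- a/challenges/dotnet-deserialization/restapp/.gitignore
+++ b/challenges/dotnet-deserialization/restapp/.gitignore
@@ -0,0 +1,7 @@
+obj/Debug
+obj/Release
+bin/Debug
+bin/Release
+
+
+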
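--- a/challenges/dotnet-deserialization/restapp/.vscode/launch.json
+++ b/challenges/dotnet-deserialization/restapp/.vscode/launch.json
@@ -0,0 +1,28 @@
+{
+// Use IntelliSense to find out which attributes exist for C# debugging
+// Use hover for the description of the existing attributes
+// For further information visit https://github.com/OmniSharp/omnisharp-vscode/blob/master/debugger-launchjson.md
+"version": "0.2.0",
+"configurations": [
+{
+"name": ".NET Core Launch (console)",
+"type": "coreclr",
+"request": "launch",
+"preLaunchTask": "build",
+// If you have changed target frameworks, make sure to update the program path.
+"program": "${workspaceFolder}/bin/Debug/netcoreapp2.0/restapp.dll",
+"args": [],
+"cwd": "${workspaceFolder}",
+// For more information about the 'console' field, see https://github.com/OmniSharp/omnisharp-vscode/blob/master/debugger-launchjson.md#console-terminal-window
+"console": "internalConsole",
+"stopAtEntry": false,
+"internalConsoleOptions": "openOnSessionStart"
+},
+{
+"name": ".NET Core Attach",
+"type": "coreclr",
+"request": "attach",
+"processId": "${command:pickProcess}"
+}
+]
+}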
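--- a/challenges/dotnet-deserialization/restapp/.vscode/tasks.json
+++ b/challenges/dotnet-deserialization/restapp/.vscode/tasks.json
@@ -0,0 +1,15 @@
+{
+"version": "2.0.0",
+"tasks": [
+{
+"taskName": "build",
+"command": "dotnet",
+"type": "process",
+"args": [
+"build",
+"${workspaceFolder}/restapp.csproj"
+],
+"problemMatcher": "$msCompile"
+}
+]
+}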
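--- a/challenges/dotnet-deserialization/restapp/Program.cs
+++ b/challenges/dotnet-deserialization/restapp/Program.cs
@@ -0,0 +1,113 @@
+using System;
+using System.Collections;
+using System.Collections.Generic;
+using Nancy;
+using Nancy.IO;
+using Nancy.Extensions;
+using Nancy.Hosting.Self;
+using System.Xml;
+using System.Xml.Serialization;
+using System.IO;
+
+namespace restapp
+{
+public class Product
+{
+public string Name;
+public string Description;
+public string ImageURL;
+}
+
+public class ProductController : NancyModule
+{
+public static Product[] stockProducts = {
+new Product { Name = "Product1", Description = "Sample Product", ImageURL = "NA" },
+new Product { Name = "Product2", Description = "Sample Product", ImageURL = "NA" },
+new Product { Name = "Product3", Description = "Sample Product", ImageURL = "NA" }
+};
+
+public static List<Product> products = new List<Product>(stockProducts);
+
+public ProductController() : base("/products") {
+Get("/", _ =>
+{
+XmlRootAttribute root = new XmlRootAttribute("Products");
+XmlSerializer xmlSerializer = new XmlSerializer(typeof(Product[]), root);
+
+using(StringWriter textWriter = new StringWriter())
+{
+xmlSerializer.Serialize(textWriter, products.ToArray());
+return textWriter.ToString();
+}
+});
+
+Get("/{name}", parameters =>
+{
+XmlSerializer xmlSerializer = new XmlSerializer(typeof(Product));
+
+for(int i = 0; i < products.Count; i++)
+{
+if(parameters.name.ToString().Equals(products[i].Name.ToString())) {
+using(StringWriter textWriter = new StringWriter()) {
+xmlSerializer.Serialize(textWriter, products[i]);
+return textWriter.ToString();
+}
+}
+}
+
+return "<Error>Not Found</Error>";
+});
+
+Post("/", parameters =>
+{
+XmlSerializer xmlSerializer = new XmlSerializer(typeof(Product));
+string payload = ((RequestStream) this.Request.Body).AsString();
+
+using (TextReader reader = new StringReader(payload))
+{
+try {
+Product p = (Product) xmlSerializer.Deserialize(reader);
+
+if(products.Count < 10) {
+products.Add(p);
+return "<Error>Success</Error>";
+}
+else {
+return "<Error>Too many objects</Error>";
+}
+}
+catch(Exception exception) {
+return "<Error>" + exception.Message + "</Error>";
+}
+}
+});
+}
+}
+
+public class MainController : NancyModule
+{
+public MainController() : base("/") {
+Get("/", _ =>
+{
+return "Welcome to REST API v1.1\nREST API Endpoint /products is available.";
+});
+}
+}
+
+class Program
+{
+static void Main(string[] args)
+{
+var urlHost = "127.0.0.1";
+var urlPort = Environment.GetEnvironmentVariable("PORT") ?? "9000";
+var url = "http://" + urlHost + ":" + urlPort;
+
+using (var host = new NancyHost(new Uri(url)))
+{
+host.Start();
+Console.WriteLine("Running on " + url);
+Console.ReadLine();
+}
+}
+}
+}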
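Review bot: The `Post("/")` handler adds whatever `xmlSerializer.Deserialize(reader)` returns to the shared `products` list without validating it, so a body that omits `<Name>` stores a `Product` whose `Name` is null, and the `Get("/{name}")` loop then throws on `products[i].Name.ToString()` for every later lookup that reaches that entry. Reject such objects before the count check, e.g. `if (p == null || string.IsNullOrEmpty(p.Name)) return "<Error>Invalid product</Error>";`. `products` is also a static `List<Product>` read and written from request handlers with no lock, so the `Count < 10` cap is not reliable if the host serves requests concurrently; a private lock object around the check-and-add and around the reads would close that gap. The `catch` block returns `exception.Message` unescaped inside `<Error>`, which can produce malformed XML and exposes parser detail to the caller; a fixed message with the exception logged server-side is safer. A comment above `new XmlSerializer(typeof(Product))` in the POST handler stating that the hard-coded type is what bounds the types the serializer will instantiate would help readers of this challenge stub see where the trust boundary sits.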