# Deserialization Tips

## .NET

### Tools

#### Debug using dnSpy

- Replace

  ```csharp
  [assembly:Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
  ```

- with (once in dnSpy, right click on "Edit Assembly Attributes")

  ```csharp
  [assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default | DebuggableAttribute.DebuggingModes.DisableOptimizations | DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
  ```

- Make IIS load the module from its real location rather than copying and executing it from a temp directory

  ```text
  iisreset /noforce

  # Exit and reload dnSpy, then attach to the IIS worker process "w3wp*"
  # Pause the debugging and open the Modules window
  ```

### General Tips

- Make use of the "Call Stack" and "Watch" (variables) windows and of breakpoints (F5 continue, F9 toggle breakpoint, F10 step over)

### XML Serialization

- Grep for the following, which can hint at XML deserialization:

  ```text
  .GetType(
  .GetType().AssemblyQualifiedName
  XmlSerializer(
  Serializer
  .Serialize(
  .Deserialize(
  = new XmlDocument()
  DeSerializeHashtable
  XmlUtils.DeSerializeHashtable
  ```

- Payload or abusable functions
  - FileSystemUtils.PullFile
  - ObjectDataProvider
    - Can be used to provide a binding source
    - Retrieves data from any of your called methods and classes without violating XmlSerializer's restriction to public fields and properties
  - ExtendedWrapper
    - A generic wrapper that fakes a method so that it is accepted, for example, by XmlSerializer
- XmlSerializer handles only public read/write properties and fields of public classes
- Only public properties and fields are serialized; non-public members are skipped
- Cannot serialize class methods
- Objects
  - XmlElement
  - XmlNode
  - DataSet
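
The grep list above finds candidate sinks by hand; a small scanner can run the same patterns over a whole source tree and rank the combination that deserves review first: a `Type.GetType(...)` call on a non-literal argument feeding an `XmlSerializer(...)` constructor that is then used to `Deserialize`. This is an added example (Python 3, standard library only), not code from the original page. The C# snippet it scans is constructed for the example, the file extensions and the three-level ranking are assumptions, and the bare `Serializer` grep term is left out because it fires on the same lines the other patterns already catch.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Grep terms from the list above as regexes (the bare "Serializer" term is
# omitted: it matches the same lines the other patterns already catch).
SINK_PATTERNS: Dict[str, re.Pattern] = {
    "GetType": re.compile(r"\.GetType\("),
    "AssemblyQualifiedName": re.compile(r"\.GetType\(\)\.AssemblyQualifiedName"),
    "XmlSerializer ctor": re.compile(r"\bXmlSerializer\("),
    "Serialize call": re.compile(r"\.Serialize\("),
    "Deserialize call": re.compile(r"\.Deserialize\("),
    "XmlDocument": re.compile(r"=\s*new\s+XmlDocument\(\)"),
    "DeSerializeHashtable": re.compile(r"DeSerializeHashtable"),
}
# Type.GetType( whose first argument is not a string literal, i.e. the type
# name may come from input. Assumed heuristic for this example.
DYNAMIC_TYPE = re.compile(r"Type\.GetType\(\s*[^\s\"')]")

Hit = Tuple[int, str, str]  # (line number, pattern name, stripped source line)


def scan_text(text: str) -> List[Hit]:
    """Return one hit per (line, pattern) match in a source file's text."""
    hits: List[Hit] = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SINK_PATTERNS.items():
            if pattern.search(line):
                hits.append((number, name, line.strip()))
        if DYNAMIC_TYPE.search(line):
            hits.append((number, "dynamic Type.GetType", line.strip()))
    return hits


def triage(hits: List[Hit]) -> str:
    """Rank a file: 'high' when a dynamic type reaches an XmlSerializer that
    deserializes, 'medium' for any XmlSerializer + Deserialize, 'low' for
    other matches, 'none' otherwise (assumed ranking for this example)."""
    names = {name for _, name, _ in hits}
    if {"dynamic Type.GetType", "XmlSerializer ctor", "Deserialize call"} <= names:
        return "high"
    if {"XmlSerializer ctor", "Deserialize call"} <= names:
        return "medium"
    return "low" if names else "none"


SOURCE_EXTENSIONS = {".cs", ".vb", ".aspx", ".ashx", ".asmx"}  # assumption


def scan_tree(root: Path) -> Dict[str, str]:
    """Map every .NET source file under root to its triage level."""
    results: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SOURCE_EXTENSIONS:
            results[str(path)] = triage(scan_text(path.read_text(errors="ignore")))
    return results


# Constructed C# sample: Load() is the request-controlled type name sink,
# Save() is a benign fixed-type serializer that should rank lower.
SAMPLE_CS = """\
using System.Xml.Serialization;
public class Handler {
    public object Load(string typeName, string xml) {
        // type name taken from the request
        var t = Type.GetType(typeName);
        var ser = new XmlSerializer(t);
        return ser.Deserialize(new StringReader(xml));
    }
    public string Save(Settings s) {
        var ser = new XmlSerializer(typeof(Settings));
        var sw = new StringWriter();
        ser.Serialize(sw, s);
        return sw.ToString();
    }
}
"""

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())
    (root / "Handler.cs").write_text(SAMPLE_CS)
    for number, name, line in scan_text(SAMPLE_CS):
        print(f"Handler.cs:{number}: {name}: {line}")
    print(scan_tree(root))
```

Point `scan_tree` at a checkout and review the `high` files first; the per-line hits from `scan_text` give the exact lines to open in dnSpy or the editor.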

## Java

### Notes from Afinepl's blog

- URL
- During whitebox analysis look for readObject()
- Practice on Vulnerable Java
- Use Nicky Bloor's SerializationDumper to inspect serialized objects and confirm what they are.
- Apart from deserialization flaws to be exploited with ysoserial, logical information may be transported in the serialized stream (e.g. user=admin)
- ysoserial has more uses than just getting instant RCE.
  - For blind or quick testing, use the URLDNS or JRMPClient/JRMPListener payloads.
  - Apart from instant RCE, it is worth noting how to use the payloads related to FileUpload or object lookup.
- Be prepared to face stack traces
  - Know what to do if you find errors like a serialVersionUID mismatch or ClassNotFoundException
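
The advice above to confirm what a serialized blob actually is before doing anything else can be automated for the usual transports. The following is an added example (Python 3, standard library only), not code from the blog or from SerializationDumper: it recognises the Java serialization stream magic in raw, hex, base64 and gzip-wrapped values and reads only the stream header (first class name and serialVersionUID), which is enough to tell a serialized object from an ordinary token such as `user=admin` and to spot a serialVersionUID that differs from the class on your classpath. The class name, serialVersionUID and sample values are constructed for the example.

```python
import base64
import binascii
import gzip
import struct
from typing import Optional, Tuple

# Java serialization stream constants (java.io.ObjectStreamConstants)
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = 5
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


def decode_candidate(value: str) -> Optional[bytes]:
    """Try the encodings a serialized object usually travels in (hex, base64,
    URL-safe base64, each optionally gzip-wrapped) and return the decoded
    bytes if they start with the stream magic, else None."""
    v = value.strip()
    candidates = []
    try:
        candidates.append(binascii.unhexlify(v))
    except (binascii.Error, ValueError):
        pass
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            candidates.append(decoder(v + "=" * (-len(v) % 4)))
        except (binascii.Error, ValueError):
            pass
    for raw in candidates:
        if raw[:2] == b"\x1f\x8b":  # gzip member header
            try:
                raw = gzip.decompress(raw)
            except (OSError, EOFError):
                continue
        if raw[:2] == STREAM_MAGIC:
            return raw
    return None


def read_header(raw: bytes) -> Optional[Tuple[str, int]]:
    """For a stream that opens with TC_OBJECT + TC_CLASSDESC, return the first
    class name and its serialVersionUID. Returns None for non-Java data or a
    stream that opens with another type code (array, reference, null)."""
    if len(raw) < 8 or raw[:2] != STREAM_MAGIC:
        return None
    if struct.unpack(">H", raw[2:4])[0] != STREAM_VERSION:
        return None
    if raw[4] != TC_OBJECT or raw[5] != TC_CLASSDESC:
        return None
    name_len = struct.unpack(">H", raw[6:8])[0]
    name_end = 8 + name_len
    if len(raw) < name_end + 8:
        return None
    class_name = raw[8:name_end].decode("utf-8", errors="replace")
    suid = struct.unpack(">q", raw[name_end:name_end + 8])[0]
    return class_name, suid


def classify(value: str) -> Optional[dict]:
    """Summarise a request/log value: None if it is not Java serialization,
    otherwise its decoded length plus the header class and serialVersionUID."""
    raw = decode_candidate(value)
    if raw is None:
        return None
    header = read_header(raw)
    return {
        "length": len(raw),
        "class": header[0] if header else None,
        "suid": header[1] if header else None,
    }


def build_sample_stream(class_name: str, suid: int) -> bytes:
    """Constructed minimal stream header for the example: magic, version,
    TC_OBJECT, TC_CLASSDESC, class name, serialVersionUID, SC_SERIALIZABLE
    flag and a zero field count."""
    name = class_name.encode("utf-8")
    return (STREAM_MAGIC + struct.pack(">H", STREAM_VERSION)
            + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name
            + struct.pack(">q", suid) + b"\x02" + struct.pack(">H", 0))


# Constructed sample values as they might appear in a cookie, a query
# parameter, a gzip-wrapped body and a plain token.
_stream = build_sample_stream("com.example.Session", 0x1122334455667788)
SAMPLE_VALUES = {
    "cookie_b64": base64.b64encode(_stream).decode(),
    "param_hex": _stream.hex(),
    "body_gzip_b64": base64.b64encode(gzip.compress(_stream)).decode(),
    "plain_token": "user=admin",
}

if __name__ == "__main__":
    for label, value in SAMPLE_VALUES.items():
        print(f"{label}: {classify(value)}")
```

Base64-encoded streams start with `rO0AB` and hex ones with `aced0005`; the classifier checks the decoded bytes rather than the prefix so that gzip-wrapped or URL-safe variants are not missed. A class name or serialVersionUID that does not match the application's own classes is the quickest explanation for the ClassNotFoundException and mismatch errors mentioned above.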

Last update: May 23, 2021