ActivitySurrogateSelector-.NET-3.5-Exploit-Generator

Simple tool to create deserialization attack gadget chains for older .NET 3.5 applications using BinaryFormatter, ObjectStateFormatter, SoapFormatter or LosFormatter. Original ActivitySurrogateSelectorGenerator by James Forshaw.

Primary Language: C#

Simple tool to create deserialization attack gadget chains for older .NET 3.5 applications using BinaryFormatter, ObjectStateFormatter, SoapFormatter or LosFormatter. Used in researching exploitation of BinaryMessageFormatter, as covered in the BSidesLV 2018 talk "(DE)SERIAL KILLERS", which I presented as part of AppSec Research at Checkmarx.

Original ActivitySurrogateSelector by James Forshaw (https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html). This Generator code was yoinked from ysoserial.net (https://github.com/pwntester/ysoserial.net/), which has a ton of .NET 4.5 dependencies and cannot be trivially downgraded to 3.5.

Usage

Created in Visual Studio 2017

  1. Change GADGET_TYPE in Program.cs to any of the following serializers to attack their respective deserializers:
     • BinaryFormatter
     • ObjectStateFormatter
     • SoapFormatter
     • LosFormatter
  2. Change the contents of ExploitClass.cs, the code executed during deserialization
  3. Set "test" to "true" to locally test deserialization of the gadget