/NewRemotingTricks

New exploitation tricks for hardened .NET Remoting servers

Primary LanguageC#MIT LicenseMIT

Teaching the Old .NET Remoting New Exploitation Tricks

This repository provides further details and resources on the CODE WHITE blog post of the same name Teaching the Old .NET Remoting New Exploitation Tricks:

  • RemotingServer: a restricted .NET Remoting server
  • RemotingClient_MBRO: a client that creates a MarshalByRefObject on the server
  • RemotingClient_MBVO: a client that sends a serializable MarshalByRefObject by value

RemotingServer

A .NET Remoting server with restrictive configuration:

RemotingClient_MBRO

A client that implements the trick of creating a MarshalByRefObject on the server side and coercing the server to serialize it.

It creates a WebClient that can remotely read and write files on the server.

RemotingClient_MBVO

A client that implements the trick of sending a serializable MarshalByRefObject by value instead of by reference and coercing the server to serialize it.

It uses the SoundPlayer to cause a file access by remotely setting its Location property.