Teaching the Old .NET Remoting New Exploitation Tricks

This repository provides further details and resources on the CODE WHITE blog post of the same name Teaching the Old .NET Remoting New Exploitation Tricks:

RemotingServer: a restricted .NET Remoting server
RemotingClient_MBRO: a client that creates a MarshalByRefObject on the server using a XAML gadget
RemotingClient_MBRO_BruteForcer: a client that enumerates object names
RemotingClient_MBRO_Lazy: a client that creates a MarshalByrefObject on the server using Lazy<T>
RemotingClient_MBVO: a client that sends a serializable MarshalByRefObject by value

`RemotingServer`

A .NET Remoting server with restrictive configuration:

TypeFilterLevel.Low: causes CAS code access permission restrictions
marshaled server type is not MarshalByRefObject: renders --uselease and --useobjref of ExploitRemotingService unusable
no existing client channel: also renders --uselease and --useobjref unusable (due to CAS restrictions)

`RemotingClient_MBRO`

A client that implements the trick of creating a MarshalByRefObject on the server side and coercing the server to serialize it. This requires the deserialization of a DataTable class that results in arbitrary XAML parsing, which creates the MarshalByRefObject instance and throws it in an exception retrievable from the response.

It creates a WebClient that can remotely read and write files on the server.

`RemotingClient_MBRO_BruteForcer`

A client that enumerates all the given object names in the word list from the server. For technical details, see RemotingClient_MBRO. Use with:

.\RemotingClient_MBRO_BruteForcer.exe tcp://127.0.0.1:12345/ .\object.list C:\Windows\win.ini

`RemotingClient_MBRO_Lazy`

A client that implements the trick of creating a MarshalByRefObject on the server side and coercing the server to serialize it. Opposed to the RemotingClient_MBRO above, it only requires the deserialization of a System.Lazy<T> object, which creates an instance of the specified type argument T during serialization.

It creates a WebClient that can remotely read and write files on the server.

`RemotingClient_MBVO`

A client that implements the trick of sending a serializable MarshalByRefObject by value instead of by reference and coercing the server to serialize it.

It uses the SoundPlayer to cause a file access by remotely setting its Location property.

Name		Name	Last commit message	Last commit date
Latest commit History 16 Commits
.github/workflows		.github/workflows
RemotingClient_MBRO		RemotingClient_MBRO
RemotingClient_MBRO_BruteForcer		RemotingClient_MBRO_BruteForcer
RemotingClient_MBRO_Lazy		RemotingClient_MBRO_Lazy
RemotingClient_MBVO		RemotingClient_MBVO
RemotingServer		RemotingServer
Shared		Shared
.gitattributes		.gitattributes
.gitignore		.gitignore
LICENSE.txt		LICENSE.txt
NewRemotingTricks.sln		NewRemotingTricks.sln
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Teaching the Old .NET Remoting New Exploitation Tricks

`RemotingServer`

`RemotingClient_MBRO`

`RemotingClient_MBRO_BruteForcer`

`RemotingClient_MBRO_Lazy`

`RemotingClient_MBVO`

About

Uh oh!

Releases 1

Packages

Uh oh!

Contributors

Uh oh!

Languages

License

handshake-hk/NewRemotingTricks

Folders and files

Latest commit

History

Repository files navigation

Teaching the Old .NET Remoting New Exploitation Tricks

RemotingServer

RemotingClient_MBRO

RemotingClient_MBRO_BruteForcer

RemotingClient_MBRO_Lazy

RemotingClient_MBVO

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases 1

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

`RemotingServer`

`RemotingClient_MBRO`

`RemotingClient_MBRO_BruteForcer`

`RemotingClient_MBRO_Lazy`

`RemotingClient_MBVO`

Packages