This repository provides further details and resources for the CODE WHITE blog post of the same name, Teaching the Old .NET Remoting New Exploitation Tricks:
- RemotingServer: a restricted .NET Remoting server
- RemotingClient_MBRO: a client that creates a MarshalByRefObject on the server using a XAML gadget
- RemotingClient_MBRO_Lazy: a client that creates a MarshalByRefObject on the server using Lazy<T>
- RemotingClient_MBVO: a client that sends a serializable MarshalByRefObject by value
RemotingServer is a .NET Remoting server with a restrictive configuration:
- TypeFilterLevel.Low: causes CAS code access permission restrictions
- marshaled server type is not MarshalByRefObject: renders --uselease and --useobjref of ExploitRemotingService unusable
- no existing client channel: also renders --uselease and --useobjref unusable (due to CAS restrictions)
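
A defender's inventory check for the settings listed above, as an added example that is not code from this repository. It assumes the remoting setup is declared in a .NET application configuration file under `<system.runtime.remoting>` (the server here may instead configure it in code); the sample config, its type and URI names, the function name and the severity labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample app.config; type, assembly and URI names are made up.
SAMPLE_CONFIG = """<configuration>
  <system.runtime.remoting>
    <application>
      <service>
        <wellknown mode="Singleton" type="Demo.Service, Demo" objectUri="Service.rem" />
      </service>
      <channels>
        <channel ref="tcp" port="12345">
          <serverProviders>
            <formatter ref="binary" typeFilterLevel="Low" />
          </serverProviders>
        </channel>
        <channel ref="http" port="8080">
          <serverProviders>
            <formatter ref="soap" typeFilterLevel="Full" />
          </serverProviders>
        </channel>
        <channel ref="tcp" port="9000" />
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>"""


def audit_remoting_config(xml_text):
    """Return one finding per channel declared under <system.runtime.remoting>."""
    findings = []
    for section in ET.fromstring(xml_text).iter("system.runtime.remoting"):
        services = [w.get("objectUri") for w in section.iter("wellknown")]
        for ch in section.iter("channel"):
            fmts = ch.findall("./serverProviders/formatter")
            # A formatter without typeFilterLevel runs at the runtime default, Low.
            levels = {f.get("typeFilterLevel", "Low").capitalize() for f in fmts}
            level = "Full" if "Full" in levels else "Low"
            findings.append({
                "channel": ch.get("ref"),
                "port": ch.get("port"),
                "typeFilterLevel": level,
                "services": services,
                # Example's own rating: Low is still reported, never treated as safe.
                "severity": "critical" if level == "Full" else "high",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_remoting_config(SAMPLE_CONFIG):
        print(finding)
```

Every channel is reported regardless of its filter level, because the clients in this repository target a server that already runs with TypeFilterLevel.Low.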
RemotingClient_MBRO is a client that implements the trick of creating a MarshalByRefObject on the server side and coercing the server to serialize it. This requires deserializing a DataTable, which results in arbitrary XAML parsing; the XAML creates the MarshalByRefObject instance and throws it in an exception that can be retrieved from the response.
It creates a WebClient that can remotely read and write files on the server.
RemotingClient_MBRO_Lazy is a client that implements the trick of creating a MarshalByRefObject on the server side and coercing the server to serialize it. In contrast to RemotingClient_MBRO above, it only requires the deserialization of a System.Lazy<T> object, which creates an instance of the specified type argument T during serialization.
It creates a WebClient that can remotely read and write files on the server.
RemotingClient_MBVO is a client that implements the trick of sending a serializable MarshalByRefObject by value instead of by reference and coercing the server to serialize it.
It uses the SoundPlayer to cause a file access by remotely setting its Location property.