This repository provides further details and resources on the CODE WHITE blog post of the same name Teaching the Old .NET Remoting New Exploitation Tricks:
- RemotingServer: a restricted .NET Remoting server
- RemotingClient_MBRO: a client that creates a MarshalByRefObject on the server
- RemotingClient_MBVO: a client that sends a serializable MarshalByRefObject by value

A .NET Remoting server with restrictive configuration:
- TypeFilterLevel.Low: causes CAS code access permission restrictions
- marshaled server type is not MarshalByRefObject: renders --uselease and --useobjref of ExploitRemotingService unusable
- no existing client channel: also renders --uselease and --useobjref unusable (due to CAS restrictions)

A client that implements the trick of creating a MarshalByRefObject on the server side and coercing the server to serialize it.
It creates a WebClient that can remotely read and write files on the server.

A client that implements the trick of sending a serializable MarshalByRefObject by value instead of by reference and coercing the server to serialize it.
It uses the SoundPlayer to cause a file access by remotely setting its Location property.