Description
Generates a TypeConfuseDelegate BinaryFormatter deserialization gadget payload for use with WSUS (CVE-2025-59287) and other .NET deserialization sinks.
Overview
Generates a .NET BinaryFormatter deserialization gadget using the TypeConfuseDelegate chain. The returned bytes, when submitted to a vulnerable .NET Framework target via BinaryFormatter.Deserialize (e.g. WSUS ReportingWebService.asmx), execute Process.Start(Filename, Arguments) as the target process’s identity.
Primary use: pair with Invoke-Reach -Exploit CVE-2025-59287 -Target
Parameters
| Parameter | Type | Description |
|---|---|---|
| Filename | string | Executable to launch on the target (e.g. cmd.exe). |
| Arguments | string | Arguments to pass (e.g. /c whoami > C:\Windows\Temp\out.txt). |
Dependencies
- None (server-side generation, no implant module required)
Target Requirements
- .NET Framework 4.0+ on the vulnerable target
Example Output
(binary bytes — NRBF TypeConfuseDelegate stream)