Insecure Deserialization RCE in Progress Telerik UI for ASP.NET AJAX RadAsyncUpload
CVE-2019-18935 is a .NET deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX, affecting versions through 2019.3.1023. The issue is in the RadAsyncUpload functionality, where attacker-controlled serialized data can be processed via .NET JavaScriptSerializer deserialization. When the attacker can supply a validly encrypted RadAsyncUpload payload—typically by knowing or recovering the Telerik encryption keys, including via CVE-2017-11317, CVE-2017-11357, or other means—the application can deserialize untrusted data and load attacker-controlled types or assemblies. Public reporting and vendor guidance indicate exploitation occurs through the Telerik.Web.UI.WebResource.axd handler associated with RadAsyncUpload, and successful exploitation results in malicious code execution in the IIS worker process context (w3wp.exe).
Exploits
This repository provides a fully functional exploit for CVE-2019-18935, a critical remote code execution vulnerability in Telerik UI for ASP.NET AJAX. The exploit consists of several components:
- `CVE-2019-18935.py`: The main exploit script, written in Python, orchestrates the attack by uploading a malicious DLL to the target's RadAsyncUpload handler and triggering .NET deserialization to execute the DLL. It also sets up a reverse shell listener on the attacker's machine.
- `RAU_crypto.py`: Implements the cryptographic routines required to interact with Telerik's RadAsyncUpload, including encryption and HMAC generation, supporting both default and custom keys.
- `reverse-shell.c`: C source code for a Windows reverse shell payload, which is compiled into a DLL and uploaded to the target. When executed, it connects back to the attacker's listener on port 1337.
- `build-dll.bat`: Batch script to compile C payloads into DLLs for use in the exploit.
- `README.md`: Documentation with usage instructions, configuration notes, and file descriptions.
The exploit targets the RadAsyncUpload handler at a URL like `http://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau`, uploads a DLL to `C:\Windows\Temp` on the target, and triggers deserialization to execute the payload. The default payload is a reverse shell, but the framework allows custom DLLs to be used. The exploit is operational and provides remote code execution with a reverse shell on vulnerable targets.
This repository is an in-depth exploit and study environment for CVE-2019-18935, a critical remote code execution vulnerability in Telerik UI for ASP.NET AJAX. The main exploit script (Exploit/CVE-2019-18935.py) is a Python proof-of-concept that automates the exploitation process: it uploads a malicious DLL payload via the vulnerable RadAsyncUpload handler and then triggers deserialization to execute the payload on the server. The repository includes:
- Python exploit script (CVE-2019-18935.py) for automating the attack.
- Batch script (build-dll.bat) and C source files (reverse-shell.c, sleep.c) for building custom mixed-mode DLL payloads, including a reverse shell.
- A full ASP.NET demo application (TelerikDemo/) with RadAsyncUpload enabled, for local testing and research.
The exploit targets the endpoint https://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau, which is the handler vulnerable to this attack. The exploit is operational: it provides a working payload (reverse shell) and can be used to achieve remote code execution on vulnerable targets. The repository is well-structured for both research and practical exploitation, containing all necessary components to demonstrate and test the vulnerability end-to-end.
This repository provides a comprehensive exploit toolkit for multiple vulnerabilities in Telerik UI for ASP.NET AJAX, specifically targeting CVE-2017-11317, CVE-2017-11357 (arbitrary file upload via RadAsyncUpload), and CVE-2019-18935 (.NET deserialization leading to remote code execution). The main exploit logic is implemented in 'exp.py', which leverages cryptographic routines from 'RAU_crypto/RAU_crypto.py' to generate and encrypt payloads compatible with the vulnerable Telerik endpoint. The exploit supports both file upload and .NET deserialization vectors, allowing attackers to upload arbitrary files (such as webshells or DLLs) and execute code on the target server. The toolkit is operational and includes support for custom payloads, proxying through Burp Suite, and bypassing WAFs by placing payloads in cookies. The repository is structured with clear separation between cryptographic routines, exploit logic, and documentation, and is intended for use against vulnerable Telerik installations where the necessary keys are known or default. The main fingerprintable endpoint is the 'Telerik.Web.UI.WebResource.axd?type=rau' handler, which is the target for all exploit actions.
This repository contains a Python exploit script (RCE.py) and a step-by-step guide for exploiting insecure deserialization in Telerik UI for ASP.NET AJAX (WebResource.axd endpoint). The main script, RCE.py, is a command-line tool that automates the process of generating .NET deserialization payloads using ysoserial.net (ysoserial.exe) via Wine, sending them to a specified vulnerable endpoint, and optionally retrieving command output from web-accessible directories on the target server. The script supports both Windows and Linux targets, allows for custom commands, and can save results to a file. It includes logic for proxy support, SSL verification, and verbose output. The included 'Step-by-Step' file provides setup instructions for the required tools (Wine, Mono, ysoserial.net). The exploit is operational and can achieve remote command execution (RCE) on vulnerable Telerik installations, with the ability to retrieve output if the command writes to a file in a web-accessible directory. The script is not a detection script; it is a full exploit requiring attacker-side setup and target-side vulnerability.
This repository provides a comprehensive proof-of-concept exploit for CVE-2019-18935, a critical remote code execution vulnerability in Telerik UI for ASP.NET AJAX. The exploit leverages insecure JSON deserialization in the Telerik WebResource handler, allowing attackers to upload and execute arbitrary DLL payloads on the target server. The main exploit script (CVE-2019-18935.py) orchestrates the attack by encrypting payloads using the RAU_crypto module (RAU_crypto/RAU_crypto.py), uploading them to the target via the vulnerable endpoint, and triggering deserialization to achieve code execution. The repository includes C source files for various payloads (reverse shell, sleep, Sliver C2 stager), a batch script (build-dll.bat) for compiling mixed-mode .NET assembly DLLs, and detailed documentation. The attack is network-based, targeting the /Telerik.Web.UI.WebResource.axd?type=rau endpoint, and requires knowledge of the encryption keys used by the target (default or custom). The exploit is operational, providing real-world payloads and automation for exploitation. The structure is modular, with clear separation between the exploit logic, cryptographic routines, and payload generation.
This repository provides an operational exploit for CVE-2019-18935, a vulnerability in Telerik UI for ASP.NET AJAX that allows remote code execution via insecure deserialization. The exploit consists of a C++ DLL (memShell.cpp) that, when loaded, injects a custom .NET assembly (memshell) into the AppDomain of a process running the 'Telerik.Web.UI' assembly. The README describes the build process, which involves compiling a C# web shell, converting it to a byte array, embedding it in the C++ code, and building the DLL. The DLL's DllMain spawns a thread that locates the target AppDomain and loads the shell assembly, creating an instance of a class (likely a web shell or backdoor). The exploit is not a detection script but a functional payload loader, and is intended for use after gaining the ability to load arbitrary DLLs on a vulnerable server. No network endpoints are hardcoded; the main fingerprintable target is the 'Telerik.Web.UI' AppDomain, indicating the exploit is specifically tailored for Telerik UI for ASP.NET AJAX on Windows.
This repository contains a Python exploit script (RAU_crypto.py) targeting multiple vulnerabilities in Telerik UI for ASP.NET AJAX, specifically CVE-2017-11317, CVE-2017-11357 (arbitrary file upload and insecure direct object reference), and CVE-2019-18935 (.NET deserialization). The exploit enables attackers to upload arbitrary files to the server and execute arbitrary code via deserialization of attacker-supplied .NET assemblies, either from local or remote (SMB) sources. The script supports custom payloads, encryption/decryption of rauPostData, and can test for the target's ability to load remote payloads. The README provides detailed usage instructions, example commands, and context about the vulnerabilities. The main attack vector is network-based, targeting the Telerik WebResource.axd endpoint. The repository is operational and suitable for real-world exploitation given the correct target configuration and knowledge of required keys.
Recent activity
A critical .NET deserialization vulnerability in Telerik UI for ASP.NET AJAX that can enable remote code execution via unsafe deserialization.
A remote code execution issue in Telerik UI for ASP.NET AJAX where exploitation of a .NET JavaScriptSerializer deserialization flaw through RadAsyncUpload can allow malicious code execution on the server, particularly when RadAsyncUpload protections are weak or encryption keys are known.
A critical insecure deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX that allows remote code execution via the RadAsyncUpload handler. Attackers can exploit this flaw to execute arbitrary code on the server.
A remote code execution vulnerability in Progress Telerik UI for ASP.NET AJAX (notably the RadAsyncUpload component) caused by insecure deserialization/encrypted payload handling; exploitation depends on use of default Telerik encryption keys, enabling attackers to craft payloads that lead to server-side code execution.