In our talk at Black Hat 2017, “Friday the 13th JSON Attacks”*, we mentioned a couple of known, and a few new, .NET gadgets for deserialization attacks. We recently reviewed this list and, despite the talk being one and a half years ago, it seems that only one (“PsObject”) was fixed by Microsoft and all the others are still available. In general, these gadgets are quite flexible and in most cases allow the attacker to reach remote code execution. However, we faced one problem with existing gadgets for “classic” .NET deserialization cases like BinaryFormatter: all of these gadgets required crafting large payloads, which would be a problem when the target has a payload length limitation. We have found a new gadget that solves this problem.