
Difference between revisions of "Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference"

(Reverting to last version not containing links to www.textolodronc.com)
Line 3: Line 3:
 
  using System;
 
  using System;
 
  using System.Text;
 
  using System.Text;
 
 
  namespace Owasp
 
  namespace Owasp
 
  {
 
  {
Line 22: Line 21:
 
             */
 
             */
 
             // which is why we need to do it directly in IL
 
             // which is why we need to do it directly in IL
 
 
             // values before call
 
             // values before call
 
             Console.WriteLine("\nbefore: " + objString + "\n  type: " + objString.GetType());
 
             Console.WriteLine("\nbefore: " + objString + "\n  type: " + objString.GetType());
Line 36: Line 34:
 
  //            Console.WriteLine(oVar);
 
  //            Console.WriteLine(oVar);
 
         }
 
         }
     
 
 
     }
 
     }
 
}
 
}

Revision as of 04:12, 10 July 2014

1) Create a file called byValueTypeTest.cs and compile it using csc byValueTypeTest.cs

using System;
using System.Text;
// Demonstration program for the walkthrough on this page.
// As compiled by csc it is type-safe: the local passed by reference is declared
// as object, so the callee may legally replace it with any reference type.
// The later steps on the page retype that local in the disassembled IL.
namespace Owasp
{
   class byValueTypetest
   {
       // Prints the value and runtime type of objString before and after
       // byRefObject replaces it through a ref parameter.
       public static void Main()
       {
           // this will compile:
           // (declared as object so that `ref objString` matches the
           //  `ref object` parameter of byRefObject exactly)
           object objString = (object)"I'm a String";
           // this will not compile:
               // string objString = "I'm a String";
           // the compiler rejects it with the error:
           /*
               byValueTypeTest.cs(14,4): error CS1502: The best overloaded method match for
               'Owasp.byValueTypetest.byRefObject(ref object)' has some invalid arguments
                   byValueTypeTest.cs(14,20): error CS1503: Argument '1': cannot convert from 'ref
                   string' to 'ref object'
           */
           // The rejection is the compiler's type-safety check: a ref argument must
           // have the parameter's exact type, otherwise the callee could store a
           // non-string object into a variable declared as string.
           // which is why the walkthrough makes the change directly in IL
           // values before call
           Console.WriteLine("\nbefore: " + objString + "\n  type: " + objString.GetType());
           // this method will assign a StringBuilder instance to objString
           byRefObject(ref objString);
           // values after call
           Console.WriteLine("\nafter: " + objString + "\n type: " + objString.GetType());
       }       
       // Overwrites the caller's variable with a new StringBuilder.
       // oVar: reference to the caller's variable; its previous value is discarded.
       public static void byRefObject(ref object oVar)
       {                   
           StringBuilder sb = new StringBuilder("I'm a StringBuilder");
           oVar = sb;
//            Console.WriteLine(oVar);
       }
   }

}

2) execute it just to see what it does:

before: I'm a String
 type: System.String
after: I'm a StringBuilder
type: System.Text.StringBuilder


3) then ILDASM it

ildasm byValueTypeTest.exe /out:_byValtest.il

4) make this change in the IL code

// V_0 corresponds to objString in Main; V_1 is the object[] temporary.
// Only the declared type of the local is edited here. The call site still
// passes V_0 by reference to byRefObject(ref object), so the declared type
// (string) no longer matches what the callee is allowed to store.
// NOTE(review): the edited assembly should be unverifiable IL; an IL verifier
// such as PEVerify is expected to report it - confirm on the rebuilt exe.
// change from
//      .locals init ( object V_0,
//                       object[] V_1)
// to
     .locals init (  string V_0,
                       object[] V_1)

5) ILASM it

ilasm _byValTest.il

6) execute it, and the result will be


before: I'm a String
  type: System.String
after: I'm a StringBuilder
 type: System.Text.StringBuilder

7) Open the assembly in Reflector to confirm that the IL manipulation was successful

// Decompiler (Reflector) output for the patched assembly, not compilable source:
// csc rejects the `ref text1` call below with CS1503, as quoted in the original listing.
// NOTE(review): the "staticInvokeTest" line does not appear in the listing from
// step 1, so this output was presumably taken from a slightly different build.
public static void Main()
{
     Console.WriteLine("\n\n staticInvokeTest\n\n");
     // text1 is the retyped local (V_0): declared string after the IL edit
     string text1 = "I'm a String";
     object[] objArray1 = new object[] { "\nbefore: ", text1, "\n  type: ", text1.GetType() } ;
     Console.WriteLine(string.Concat(objArray1));
     // a string variable is passed where byRefObject expects ref object;
     // the callee then stores a StringBuilder into it
     byValueTypetest.byRefObject(ref text1);
     objArray1 = new object[] { "\nafter: ", text1, "\n type: ", text1.GetType() } ;
     Console.WriteLine(string.Concat(objArray1));
}

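8) Compare this with the output above and you will see that we were able to change the type of text1 (using Reflector's variable name) from System.String to System.Text.StringBuilder, even though the variable is declared as string. The C# compiler refuses this conversion (error CS1503 above); the hand-edited IL runs only because, as the page title indicates, the assembly executes with full trust, where the CLR does not verify the IL's type safety. An IL verifier such as PEVerify should flag the rebuilt assembly as unverifiable.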