Difference between revisions of "Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference"
(Reverting to last version not containing links to www.textolodronc.com) |
Bill Sempf (talk | contribs) |
||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | {{Template:Vulnerability}} | ||
+ | |||
1) create a file called byValueTypeTest.cs and compile it using csc byValueTypeTest.csc | 1) create a file called byValueTypeTest.cs and compile it using csc byValueTypeTest.csc | ||
using System; | using System; | ||
using System.Text; | using System.Text; | ||
− | |||
namespace Owasp | namespace Owasp | ||
{ | { | ||
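Review bot: the step 1 line carried unchanged through this hunk tells the reader to compile with `csc byValueTypeTest.csc`, but the file it has just named is byValueTypeTest.cs, so the command fails as written. Since this revision already touches the top of the page, correct it to `csc byValueTypeTest.cs` in the same edit.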
Line 22: | Line 23: | ||
*/ | */ | ||
// which is why we need to do it directly in IL | // which is why we need to do it directly in IL | ||
− | |||
// values before call | // values before call | ||
Console.WriteLine("\nbefore: " + objString + "\n type: " + objString.GetType()); | Console.WriteLine("\nbefore: " + objString + "\n type: " + objString.GetType()); | ||
Line 36: | Line 36: | ||
// Console.WriteLine(oVar); | // Console.WriteLine(oVar); | ||
} | } | ||
− | |||
} | } | ||
} | } |
Latest revision as of 04:13, 10 July 2014
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
1) create a file called byValueTypeTest.cs and compile it using csc byValueTypeTest.cs

    using System;
    using System.Text;

    namespace Owasp
    {
        class byValueTypetest
        {
            public static void Main()
            {
                // this will compile:
                object objString = (object)"I'm a String";
                // this will not compile:
                // string objString = "I'm a String";
                // it will throw the error:
                /*
                    byValueTypeTest.cs(14,4): error CS1502: The best overloaded method match for
                        'Owasp.byValueTypetest.byRefObject(ref object)' has some invalid arguments
                    byValueTypeTest.cs(14,20): error CS1503: Argument '1': cannot convert from
                        'ref string' to 'ref object'
                */
                // which is why we need to do it directly in IL

                // values before call
                Console.WriteLine("\nbefore: " + objString + "\n type: " + objString.GetType());
                // this method will assign a StringBuilder to objString
                byRefObject(ref objString);
                // values after call
                Console.WriteLine("\nafter: " + objString + "\n type: " + objString.GetType());
            }

            public static void byRefObject(ref object oVar)
            {
                StringBuilder sb = new StringBuilder("I'm a StringBuilder");
                oVar = sb;
                // Console.WriteLine(oVar);
            }
        }
    }
2) execute it just to see what it does:
    before: I'm a String
     type: System.String

    after: I'm a StringBuilder
     type: System.Text.StringBuilder
3) then ILDASM it
ildasm byValueTypeTest.exe /out:_byValtest.il
4) make this change in the IL code
    // change from
    //   .locals init ( object V_0,
    //                  object[] V_1)
    // to
    .locals init ( string V_0,
                   object[] V_1)
5) ILASM it
ilasm _byValTest.il
6) execute it, and the result will be
    before: I'm a String
     type: System.String

    after: I'm a StringBuilder
     type: System.Text.StringBuilder
7) Open the assembly in Reflector to confirm that the IL manipulation was successful

    public static void Main()
    {
        Console.WriteLine("\n\n staticInvokeTest\n\n");
        string text1 = "I'm a String";
        object[] objArray1 = new object[] { "\nbefore: ", text1, "\n type: ", text1.GetType() };
        Console.WriteLine(string.Concat(objArray1));
        byValueTypetest.byRefObject(ref text1);
        objArray1 = new object[] { "\nafter: ", text1, "\n type: ", text1.GetType() };
        Console.WriteLine(string.Concat(objArray1));
    }
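8) compare this with the output and you will see that we were able to change the type of text1 (using Reflector's variable name) from System.String to System.Text.StringBuilder. The variable is declared as string, yet the modified assembly ran without error because code running with full trust is not subject to IL verification.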
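As a defender-side illustration of the mismatch created in step 4, the following added example (not part of the original wiki page) scans ildasm-style text for a local whose address is passed to a by-reference parameter of a different type. The sample IL is constructed for the example, and the check is a simplified heuristic that only handles a single-argument call made directly after the address is loaded; it is not a full IL verifier.

```python
import re

# Constructed ildasm-style excerpt of Main() after the step 4 edit (not real tool output).
SAMPLE_IL = """\
  .locals init (string V_0,
           object[] V_1)
  IL_0000:  ldstr      "I'm a String"
  IL_0005:  stloc.0
  IL_0006:  ldloca.s   V_0
  IL_0008:  call       void Owasp.byValueTypetest::byRefObject(object&)
  IL_000d:  ldloc.0
"""

LOCALS_RE = re.compile(r"\.locals\s+(?:init\s*)?\((.*?)\)", re.S)
LDLOCA_RE = re.compile(r"\bldloca(?:\.s)?\s+(\w+)")
CALL_RE = re.compile(r"\bcall\s+.*::(\w+)\(([^)]*)\)")


def parse_locals(il):
    """Map local names (V_0, V_1, ...) to their declared types."""
    m = LOCALS_RE.search(il)
    result = {}
    for decl in (m.group(1).split(",") if m else []):
        typ, name = decl.strip().rsplit(None, 1)
        result[name] = re.sub(r"^\[\d+\]\s*", "", typ)  # drop optional "[0]" slot prefix
    return result


def find_byref_mismatches(il):
    """Flag ldloca immediately followed by a one-argument call whose T& parameter
    type differs from the local's declared type (simplified heuristic)."""
    declared = parse_locals(il)
    findings, pending = [], None
    for line in il.splitlines():
        m = LDLOCA_RE.search(line)
        if m:
            pending = m.group(1)  # address of this local is now on the stack
            continue
        c = CALL_RE.search(line)
        if c and pending in declared and c.group(2).strip().endswith("&") \
                and "," not in c.group(2):
            expected = c.group(2).strip()[:-1].strip()
            if declared[pending] != expected:
                findings.append((pending, declared[pending], c.group(1), expected + "&"))
        pending = None
    return findings


if __name__ == "__main__":
    for local, typ, method, param in find_byref_mismatches(SAMPLE_IL):
        print(f"{local} is declared {typ} but passed to {method}({param})")
```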