This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference
From OWASP
Revision as of 19:56, 21 May 2009 by Deleted user (talk | contribs)
http://www.textolodronc.com 1) create a file called byValueTypeTest.cs and compile it using csc byValueTypeTest.csc
using System; using System.Text;
namespace Owasp { class byValueTypetest { public static void Main() { // this will compile: object objString = (object)"I'm a String"; // this will not compile: // string objString = "I'm a String"; // it will throw the error: /* byValueTypeTest.cs(14,4): error CS1502: The best overloaded method match for 'Owasp.byValueTypetest.byRefObject(ref object)' has some invalid arguments byValueTypeTest.cs(14,20): error CS1503: Argument '1': cannot convert from 'ref string' to 'ref object' */ // which is why we need to do it directly in IL
// values before call Console.WriteLine("\nbefore: " + objString + "\n type: " + objString.GetType()); // this method will allocate a StringBuilder variable to objString byRefObject(ref objString); // values after call Console.WriteLine("\nafter: " + objString + "\n type: " + objString.GetType()); } public static void byRefObject(ref object oVar) { StringBuilder sb = new StringBuilder("I'm a StringBuilder"); oVar = sb; // Console.WriteLine(oVar); } }
}
2) execute it just to see what it does:
before: I'm a String type: System.String
after: I'm a StringBuilder type: System.Text.StringBuilder
3) then ILDASM it
ildasm byValueTypeTest.exe /out:_byValtest.il
4) make this change in the IL code
// change from // .locals init ( object V_0, // object[] V_1) // to .locals init ( string V_0, object[] V_1)
5) ILASM it
ilasm _byValTest.il
6) execute it, and the result will be
before: I'm a String type: System.String
after: I'm a StringBuilder type: System.Text.StringBuilder
7) Open assembly in reflector to confirm that the IL manipulation was successfull
public static void Main() { Console.WriteLine("\n\n staticInvokeTest\n\n"); string text1 = "I'm a String"; object[] objArray1 = new object[] { "\nbefore: ", text1, "\n type: ", text1.GetType() } ; Console.WriteLine(string.Concat(objArray1)); byValueTypetest.byRefObject(ref text1); objArray1 = new object[] { "\nafter: ", text1, "\n type: ", text1.GetType() } ; Console.WriteLine(string.Concat(objArray1)); }
8) compare with with the output and you will see that we were able to change the type of text1 (using reflector's variable name) from System.String to System.Text.StringBuilder