
Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference

From OWASP
Revision as of 18:28, 27 May 2009 by MediaWiki spam cleanup (Reverting to last version not containing links to www.textolodronc.com)


1) Create a file called byValueTypeTest.cs and compile it using csc byValueTypeTest.cs

using System;
using System.Text;
namespace Owasp
{
   class byValueTypetest
   {
       public static void Main()
       {
           // this will compile:
           object objString = (object)"I'm a String";
           // this will not compile:
               // string objString = "I'm a String";
           // it will throw the error:
           /*
               byValueTypeTest.cs(14,4): error CS1502: The best overloaded method match for
               'Owasp.byValueTypetest.byRefObject(ref object)' has some invalid arguments
                   byValueTypeTest.cs(14,20): error CS1503: Argument '1': cannot convert from 'ref
                   string' to 'ref object'
           */
           // which is why we need to do it directly in IL
           // values before call
           Console.WriteLine("\nbefore: " + objString + "\n  type: " + objString.GetType());
           // this method will assign a StringBuilder instance to objString
           byRefObject(ref objString);
           // values after call
           Console.WriteLine("\nafter: " + objString + "\n type: " + objString.GetType());
       }       
       public static void byRefObject(ref object oVar)
       {                   
           StringBuilder sb = new StringBuilder("I'm a StringBuilder");
           oVar = sb;
           // Console.WriteLine(oVar);
       }
      
   }

}

2) Execute it to see what it does:

before: I'm a String
 type: System.String
after: I'm a StringBuilder
type: System.Text.StringBuilder


3) Then disassemble it with ILDASM

ildasm byValueTypeTest.exe /out:_byValtest.il

4) Make this change in the IL code (the declared type of local V_0 goes from object to string)

// change from
//      .locals init ( object V_0,
//                       object[] V_1)
// to
     .locals init (  string V_0,
                       object[] V_1)

5) Reassemble it with ILASM

ilasm _byValtest.il

6) Execute it, and the result will be


before: I'm a String
  type: System.String
after: I'm a StringBuilder
 type: System.Text.StringBuilder

7) Open the assembly in Reflector to confirm that the IL manipulation was successful

public static void Main()
{
     Console.WriteLine("\n\n staticInvokeTest\n\n");
     string text1 = "I'm a String";
     object[] objArray1 = new object[] { "\nbefore: ", text1, "\n  type: ", text1.GetType() } ;
     Console.WriteLine(string.Concat(objArray1));
     byValueTypetest.byRefObject(ref text1);
     objArray1 = new object[] { "\nafter: ", text1, "\n type: ", text1.GetType() } ;
     Console.WriteLine(string.Concat(objArray1));
}

8) Compare with the output and you will see that we were able to change the type of text1 (using Reflector's variable name) from System.String to System.Text.StringBuilder
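
A defender-side check for the pattern produced in steps 4 to 6, as an added example that is not part of the original OWASP page: it scans ildasm text output for a local whose address is pushed with ldloca and immediately passed to a single by-reference parameter of a different declared type. The sample IL is constructed to resemble the patched Main(); the function name byref_mismatches and the text heuristic are assumptions of this example and do not replace full IL verification.

```python
import re
# Constructed sample modelled on ildasm text output for the patched Main() (not copied from the page).
SAMPLE_IL = r'''
.method public hidebysig static void  Main() cil managed
{
  .locals init (string V_0,
           object[] V_1)
  IL_0000:  ldstr      "I'm a String"
  IL_0005:  stloc.0
  IL_0006:  ldloca.s   V_0
  IL_0008:  call       void Owasp.byValueTypetest::byRefObject(object&)
  IL_000d:  ret
}
'''

LOCALS = re.compile(r'\.locals\s+(?:init\s+)?\((.*?)\)', re.S)
INSTR = re.compile(r'^\s*IL_[0-9a-fA-F]+:\s+(\S+)\s*(.*)$')
TARGET = re.compile(r'::([\w.]+)\(([^)]*)\)')

def byref_mismatches(il_text):
    """Return (local, local_type, expected_type, callee) for each ldloca+call pair whose types differ."""
    findings = []
    for method in il_text.split('.method')[1:]:
        decl = LOCALS.search(method)
        if not decl:
            continue
        local_types = {}
        for item in decl.group(1).split(','):   # heuristic: generic types containing commas are not handled
            item = re.sub(r'^\s*\[\d+\]\s*', '', item).strip()   # drop an optional "[n]" slot index
            typ, name = item.rsplit(None, 1)
            local_types[name] = typ
        pending = None                           # local whose address the previous instruction pushed
        for line in method.splitlines():
            m = INSTR.match(line)
            if not m:
                continue
            opcode, operand = m.group(1), m.group(2).strip()
            if opcode in ('ldloca', 'ldloca.s'):
                pending = operand
                continue
            target = TARGET.search(operand) if opcode in ('call', 'callvirt') else None
            if pending and target:
                params = [p.strip() for p in target.group(2).split(',')]
                if len(params) == 1 and params[0].endswith('&'):
                    expected, actual = params[0][:-1], local_types.get(pending)
                    if actual and actual != expected:
                        findings.append((pending, actual, expected, target.group(1)))
            pending = None
    return findings
```

On the constructed sample it reports that V_0, declared as string, is passed where object& is expected; with V_0 declared as object, as in the declaration shown before the change in step 4, it returns an empty list.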