Full Trust CLR Verification issue: Changing Private Field using Proxy Struct

From OWASP

Jump to: navigation, search

1) create a file called TypeConfusion_II.cs and compile it using csc

using System; 

namespace Owasp
{
   class TypeConfusion_II
   {
       struct MyPoint
       {
           public int x,y;
           private int iPrivate;

           public void setValueOfPrivateVar()
           {
               iPrivate = 10;
           }
           public void writeValueOfPrivateVar()
           {
               Console.WriteLine("iPrivate = " + iPrivate.ToString());
           }
       }   
       struct MyPoint1
       {
           public int x,y;
           public int iPrivate;
       }
       public static void Main()
       {       
           Console.WriteLine("\n\nType Confusion II\n\n");
           MyPoint mp = new MyPoint();
           mp.setValueOfPrivateVar();
           mp.x = 1;
           mp.y = 2;
           mp.y = 99;
           Console.WriteLine(mp.x.ToString());
           Console.WriteLine(mp.y.ToString());
           mp.writeValueOfPrivateVar();
       }
   }
}

2) execute it:


Type Confusion II 

1
99
iPrivate = 10

3) ILDASM it: 

ildasm TypeConfusion_II.exe /out:_TypeConf_II.il

4) and make the following change 

// replace
//      IL_002d:  stfld      int32 Owasp.stackTest/MyPoint::y
// with
     IL_002d:  stfld      int32 Owasp.stackTest/MyPoint1::iPrivate

5) ILASM it 

ilasm _TypeConf_II.il

6) and execute _TypeConf_II.exe 

Type Confusion II

1
2
iPrivate = 99

7) open _TypeConf_II.exe in reflector 

public static void Main()
{
     Console.WriteLine("\n\nType Confusion II\n\n");
     stackTest.MyPoint point1 = new stackTest.MyPoint();
     point1.setValueOfPrivateVar();
     point1.x = 1;
     point1.y = 2;
     point1.iPrivate = 0x63;
     Console.WriteLine(point1.x.ToString());
     Console.WriteLine(point1.y.ToString());
     point1.writeValueOfPrivateVar();
}

8) and note that point1.iPrivate (using reflector's name) is being allocated the value of 0x63 (i.e. 99), but point1 is of type MyPoint , and MyPoint.iPrivate is a private field: 

[StructLayout(LayoutKind.Sequential)]
private struct MyPoint
{
     public int x;
     public int y;
     private int iPrivate;
     public void setValueOfPrivateVar();
     public void writeValueOfPrivateVar();
}

9) PeVerify _TypeConf_II.exe throws this error: 

[IL]: Error: [_typeconf_ii.exe : Owasp.stackTest::Main] [offset 0x0000002D] [opcode stfld] [found address of value class 'MyPoint'] [expected address of value class 'MyPoint1'] Unexpected type on the stack.
1 Errors Verifying _TypeConf_II.EXE

10) and as expected running _TypeConf_II.exe from a Partially Trusted environment also doesn't work

Retrieved from "http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_Changing_Private_Field_using_Proxy_Struct"
Personal tools