
2008-10-13 16:09:07

Using Reflection to Read/Write Variables
using System;
using System.Reflection;

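// Demonstrates that member visibility is not a security boundary: code that
// is allowed to reflect over non-public members can invoke a method that
// another type declared private.
//
// Defensive reading: "private" expresses design intent only. On the .NET
// Framework, reflecting over non-public members is gated by
// ReflectionPermission (MemberAccess), which fully trusted code holds. A
// sensitive operation therefore needs its own authorization check and cannot
// rely on being private.
class EvilCodeWithFullTrust
{
  // Looks up a non-public instance method named methodName on the runtime
  // type of o and invokes it with no arguments.
  //
  // o          - object whose runtime type is searched and on which the
  //              method is invoked.
  // methodName - name of the method to look up.
  //
  // Throws ArgumentNullException when either argument is null, and
  // MissingMethodException when the lookup finds no match, instead of the
  // NullReferenceException an unchecked lookup result would cause.
  static void CallPrivateMethod(object o, string methodName) {
    if (o == null) {
      throw new ArgumentNullException("o");
    }
    if (methodName == null) {
      throw new ArgumentNullException("methodName");
    }

    Type t = o.GetType();
    // The flags restrict the search to non-public *instance* methods, so a
    // public or a static method of the same name is not matched.
    MethodInfo mi = t.GetMethod(methodName,
       BindingFlags.NonPublic |
       BindingFlags.Instance);
    if (mi == null) {
      // GetMethod reports "no match" by returning null.
      throw new MissingMethodException(t.FullName, methodName);
    }
    mi.Invoke(o, null);
  }

  // NOTE(review): NuclearReactor is not declared in this listing. The
  // NuclearReactor shown in the YourCode.cs listing declares Meltdown as
  // static, which the instance-only lookup above does not match; presumably
  // a variant with an instance Meltdown is intended here - confirm.
  static void Main() {
    CallPrivateMethod(new NuclearReactor(), "Meltdown");
  }
}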

Executing Code in Another AppDomain
// YourCode.cs --> YourCode.dll
using System;

public class Init : MarshalByRefObject  {
    // Entry point for the victim's AppDomain: host.cs creates an instance of
    // this type inside the victim domain, and the constructor reports which
    // domain it is executing in.
    public Init() {
        string hostingDomain = AppDomain.CurrentDomain.FriendlyName;
        Console.WriteLine("YourCode is running in {0}", hostingDomain);
    }
}

public class NuclearReactor {
    // Stand-in for an operation that outside code must never trigger.
    // It is private and static, so it cannot be called by name from another
    // class; the MyCode.cs listing reaches it through reflection instead,
    // which is why visibility alone does not protect it.
    private static void Meltdown() {
        const string notice = "Reactor meltdown!";
        Console.WriteLine(notice);
    }
}

// Stand-in for sensitive data held inside the victim assembly.
public class SecretData {
    // Private static field: code outside this class cannot refer to it by
    // name, yet the MyCode.cs listing reads it via GetField with
    // Static | NonPublic. A private field gives no confidentiality against
    // code that is permitted to reflect over non-public members.
    // NOTE(review): the literal looks like a placeholder in SSN format - confirm.
    private static string TheData = "555-55-5555";
}

// MyCode.cs --> MyCode.dll
using System;
using System.Reflection;

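// Attacker-side half of the demonstration. It shows that two AppDomains in
// one process do not isolate each other when the code holding a reference to
// the other domain can call into it and use reflection there.
//
// Defensive reading: an AppDomain is only a containment boundary if the
// untrusted domain runs with a restricted grant set and is never handed a
// reference to a domain it should not control. host.cs does neither.
public class Init : MarshalByRefObject {
    // Entry point for the attacker's AppDomain.
    //
    // target - the AppDomain in which InjectedAttackCode is executed.
    //
    // Throws ArgumentNullException when target is null, rather than failing
    // later with a NullReferenceException.
    public Init(AppDomain target) {
        if (target == null) {
            throw new ArgumentNullException("target");
        }

        Console.WriteLine("MyCode is running in {0}",
            AppDomain.CurrentDomain.FriendlyName);
        Console.WriteLine("Injecting code into {0}...",
            target.FriendlyName);

        // DoCallBack asks the target domain to execute the delegate, so the
        // static method below runs inside that domain, not in this one.
        target.DoCallBack(
            new CrossAppDomainDelegate(InjectedAttackCode));
    }

    // Executes in whichever domain DoCallBack was invoked on. Resolves two
    // types from the YourCode assembly by name and reaches their private
    // static members through reflection.
    //
    // Each lookup result is checked: Type.GetType, GetMethod and GetField
    // return null when nothing matches, and the unchecked results would
    // surface only as a NullReferenceException.
    public static void InjectedAttackCode() {
        Console.WriteLine("InjectedAttackCode in {0}",
            AppDomain.CurrentDomain.FriendlyName);

        // Invoke the private static method on the victim's type.
        Type t = Type.GetType("NuclearReactor, YourCode");
        if (t == null) {
            throw new TypeLoadException(
                "Type 'NuclearReactor, YourCode' could not be resolved.");
        }
        MethodInfo mi = t.GetMethod("Meltdown",
            BindingFlags.Static | BindingFlags.NonPublic);
        if (mi == null) {
            throw new MissingMethodException(t.FullName, "Meltdown");
        }
        mi.Invoke(null, null);

        // Read the private static field on the victim's type.
        t = Type.GetType("SecretData, YourCode");
        if (t == null) {
            throw new TypeLoadException(
                "Type 'SecretData, YourCode' could not be resolved.");
        }
        FieldInfo fi = t.GetField("TheData",
            BindingFlags.Static | BindingFlags.NonPublic);
        if (fi == null) {
            throw new MissingFieldException(t.FullName, "TheData");
        }
        Console.WriteLine("Found a secret: {0}", fi.GetValue(null));
    }
}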

// host.cs --> host.exe
using System;
using System.Reflection;

// Host process for the demonstration: it creates both AppDomains and loads
// one Init type into each.
class Host {
    // Both domains are created with only a friendly name; no permission set
    // or evidence is supplied here, so this call does nothing to restrict
    // either domain. The victim domain object is then passed to the
    // attacker's constructor, which is what gives the attacker code a handle
    // to call back into the victim domain.
    static void Main() {
        AppDomain victimDomain = AppDomain.CreateDomain("Victim's Domain");
        AppDomain attackerDomain = AppDomain.CreateDomain("Attacker's Domain");

        // Runs the parameterless Init constructor from YourCode in the victim domain.
        victimDomain.CreateInstance("YourCode", "Init");

        // Runs Init(AppDomain) from MyCode in the attacker domain.
        object[] ctorArgs = new object[] { victimDomain };
        BindingFlags ctorLookup = BindingFlags.Instance | BindingFlags.Public;
        attackerDomain.CreateInstance("MyCode", "Init", false,
            ctorLookup,
            null, ctorArgs, null, null, null);
    }
}

