It is possible to execute code not exposed in Flee via reflection

description

Flee exposes methods for reflection via GetType, allowing access to things not exposed to Flee explicitly.

For example these expressions:
1.GetType()
Result: "System.Int32" of type System.RuntimeType
1.GetType().Module
Result: "CommonLanguageRuntimeLibrary" of type System.Reflection.RuntimeModule
1.GetType().Module.getType("System.Environment")
Result: "System.Environment" of type System.RuntimeType
1.GetType().Module.getType("System.Environment").GetMethods()[25].Invoke( null; null )
Result: "Microsoft Windows NT 6.2.9200.0" of type System.OperatingSystem

The limitations as far as I can tell are that you can't use anything with arguments, but you can still gather a lot of information and do things like shut down the host application.

We've applied a patch that modifies IsMemberAccessible to find anything that returns a subclass of System.Type to be not accessible.
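
A sketch of the kind of check the patch above describes, added here as an example; it is not Flee's code or the reporter's patch. The class ReflectionGatewayFilter and its methods, including this IsMemberAccessible, are hypothetical names, and the sketch also treats arrays of System.Type as blocked, which goes beyond what the report states.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Hypothetical helper, not Flee's actual IsMemberAccessible implementation.
static class ReflectionGatewayFilter
{
    // The type a member hands back to the expression: return type for
    // methods, declared type for properties and fields.
    static Type ResultType(MemberInfo member)
    {
        switch (member)
        {
            case MethodInfo m: return m.ReturnType;
            case PropertyInfo p: return p.PropertyType;
            case FieldInfo f: return f.FieldType;
            default: return null;
        }
    }

    // True when the member returns System.Type, a subclass of it,
    // or an array of either (assumption: arrays are blocked as well).
    public static bool ReturnsType(MemberInfo member)
    {
        Type t = ResultType(member);
        while (t != null && t.IsArray) t = t.GetElementType();
        return t != null && typeof(Type).IsAssignableFrom(t);
    }

    // Deny any member that would give the expression a Type to chain from.
    public static bool IsMemberAccessible(MemberInfo member) => !ReturnsType(member);

    static void Main()
    {
        // Public instance members of System.Int32, the receiver used in the report.
        var members = typeof(int).GetMembers(BindingFlags.Public | BindingFlags.Instance);
        foreach (var name in new[] { "GetType", "ToString", "CompareTo" })
        {
            // A name is usable only if every overload passes the filter.
            bool allowed = members.Where(m => m.Name == name).All(IsMemberAccessible);
            Console.WriteLine($"{name}: {(allowed ? "accessible" : "blocked")}");
        }
    }
}
```

The check is on declared types only, so a member declared as returning System.Object can still hand back a Type instance at run time and is not caught by it.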
