Lua-Project/lua-5.4.4-sandbox-escape-with-new-vulnerability

lua-5.4.4-sandbox-escape

Create docker image

docker build --tag rce/x64:latest x64

How to run

docker run -it rce/x64:latest /bin/bash

Exploit

/LUA/lua/lua /LUA/exploit.lua

If you execute this shell, you will get /bin/sh. But I don't know how to return the shell before executing this. Be careful.

Exploit Method

'exploit.lua' uses the use-after-free vulnerability to allow tcache bin poisoning, which can change the address of the next chunk in the tcache bin. Using it, I can allocate a chunk at '__free_hook' and write the address of the 'system' function in it. Then I made some objects which contain 0x68732f6e69622f to hold "/bin/sh". When this script ('exploit.lua') is over, 'free(object)' in the garbage-collecting process becomes 'system("/bin/sh")'.
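
The method above relies on a tcache `next` pointer being followed exactly as written and on `__free_hook` existing; glibc 2.32 added safe-linking for tcache entries and glibc 2.34 removed the hook. The following is an added example (not code from this repository) that models the safe-linking check to show why a raw address written into a freed chunk is rejected on a hardened glibc. All addresses are constructed placeholders, and the function names are hypothetical stand-ins for glibc's `PROTECT_PTR`/`REVEAL_PTR` macros.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of glibc >= 2.32 safe-linking for tcache "next" pointers.
   pos is the address where the pointer is stored, ptr the value to store. */
static uint64_t protect_ptr(uint64_t pos, uint64_t ptr) {
    return (pos >> 12) ^ ptr;
}

/* Demangle a stored entry; XOR with the same key is its own inverse. */
static uint64_t reveal_ptr(uint64_t pos, uint64_t stored) {
    return (pos >> 12) ^ stored;
}

/* glibc aborts with "malloc(): unaligned tcache chunk detected" when the
   demangled entry is not 16-byte aligned (MALLOC_ALIGNMENT on x86-64). */
static bool tcache_entry_accepted(uint64_t pos, uint64_t stored) {
    return (reveal_ptr(pos, stored) & 0xf) == 0;
}

/* Constructed sample addresses, not taken from any real process. */
#define FREED_CHUNK 0x55555555a2b0ULL /* freed chunk holding the next field */
#define NEXT_CHUNK  0x55555555a300ULL /* legitimate next free chunk */
#define RAW_TARGET  0x7ffff7fc5e48ULL /* placeholder for a hook-style target */

int main(void) {
    uint64_t legit = protect_ptr(FREED_CHUNK, NEXT_CHUNK);

    /* Entry written by free(): demangles to the real neighbour. */
    printf("allocator entry %#llx -> %#llx accepted=%d\n",
           (unsigned long long)legit,
           (unsigned long long)reveal_ptr(FREED_CHUNK, legit),
           tcache_entry_accepted(FREED_CHUNK, legit));

    /* Raw address written through a dangling pointer, as in the method
       described above: it demangles to a different, misaligned value. */
    printf("raw overwrite   %#llx -> %#llx accepted=%d\n",
           (unsigned long long)RAW_TARGET,
           (unsigned long long)reveal_ptr(FREED_CHUNK, RAW_TARGET),
           tcache_entry_accepted(FREED_CHUNK, RAW_TARGET));
    return 0;
}
```

The alignment check is probabilistic for arbitrary values, so the removal of `__free_hook` in glibc 2.34 and fixing the use-after-free in the interpreter remain the primary mitigations.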
