In this repository you will find our attempts to exploit the Lua 5.2.1 virtual machine (the one used within Factorio), although they were not successful.
The main issue is that the shellcode is embedded inside the Lua script and ends up being allocated on the heap, which is non-executable on most operating systems. If you are interested in creating a working version of the exploits, maybe you should take a look at Return Oriented Programming (ROP).
We did nothing really new, since Lua bytecode exploits have been known for more than a decade. We were very heavily inspired by Peter Cawley's script, which provided us with almost-working memory primitives.
Here is a small list of previous work that we found:
- 2010: Peter Cawley - Bytecode abuse module for Lua 5.2
- 2013: Peter Cawley - Exploiting Company of Heroes 2's Lua engine (5.1)
- 2016: Exploiting the Lua engine within Redis by @benmurphy
- 2016: Peter Cawley - Exploiting Lua 5.2 64 bits on Linux
- 2017: Escaping the Lua 5.2 sandbox with untrusted bytecode by @numinit
The idea is to convert the type of a Lua function into a light C function. This is done in a few steps:
- Allocate a function
- Change its type tag
- Change its function pointer
- Call it
This exploit is not complete: there seems to be some kind of caching of Lua functions, because even with the type tag rewritten our shellcode ends up being interpreted as Lua bytecode instead of native x86 code.
Our attempt is in fn_craft.lua.
The idea is to find the memory allocator function pointer and rewrite it to point to our shellcode. It is conveniently stored in the thread state object, which is the first object allocated by the interpreter. Since every garbage-collectable object has a header including a pointer to the previously allocated object, it should be possible to find the thread state object by traversing the list.
However, for some reason our script breaks, and we lacked the time to investigate it.
Our attempt is in bfs.lua.
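Both attempts above, like the prior work they build on, need the interpreter to accept a precompiled chunk. The following loader is an added example (not part of this repository or of Factorio) showing the corresponding mitigation on the embedding side in Lua 5.2: `load()` is called with mode `"t"` so only text chunks compile, the bytecode signature is rejected explicitly as defence in depth, and the untrusted chunk runs in an environment that does not expose `load`, `loadstring`, `dofile` or `loadfile`. The sample chunks at the bottom are constructed for the demonstration.

```lua
-- First four bytes of every Lua 5.x precompiled chunk (ESC "Lua").
local BYTECODE_SIGNATURE = "\27Lua"

-- Minimal environment for untrusted code. Anything not listed here is not
-- reachable from the chunk: no load/loadstring/dofile/loadfile, io, os, debug.
local function make_sandbox_env()
  return {
    print = print, pairs = pairs, ipairs = ipairs, next = next, select = select,
    tostring = tostring, tonumber = tonumber, type = type, error = error, pcall = pcall,
    string = { format = string.format, sub = string.sub, rep = string.rep, len = string.len },
    table = { insert = table.insert, remove = table.remove, concat = table.concat },
    math = { floor = math.floor, max = math.max, min = math.min, abs = math.abs },
  }
end

-- Compiles an untrusted source string. Returns the function, or nil plus a reason.
local function load_untrusted(source, chunkname)
  if type(source) ~= "string" then
    return nil, "chunk must be a string"
  end
  -- Explicit signature check, so the rejection is logged with a clear reason.
  if source:sub(1, #BYTECODE_SIGNATURE) == BYTECODE_SIGNATURE then
    return nil, "precompiled chunk rejected"
  end
  -- Mode "t" makes load() itself refuse binary chunks even if the check above
  -- were ever bypassed; the fourth argument replaces _ENV for the chunk.
  local fn, err = load(source, chunkname or "=untrusted", "t", make_sandbox_env())
  if not fn then
    return nil, "compile error: " .. tostring(err)
  end
  return fn
end

-- Demonstration on constructed inputs.
local ok_fn = assert(load_untrusted("return 1 + 1"))
assert(ok_fn() == 2)

-- A precompiled chunk, as an attacker would have to supply it, is refused.
local fn, why = load_untrusted(string.dump(function() return 42 end))
assert(fn == nil and why == "precompiled chunk rejected")

-- The chunk cannot reintroduce bytecode loading: load is not in its environment.
local fn2 = assert(load_untrusted("return load('return 1')"))
assert(pcall(fn2) == false)
print("untrusted loader OK")
```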
All the code under this repo is licensed under the MIT License, unless specified otherwise.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
If you read French, you can take a look at our report (licensed under CC BY-NC-SA 4.0).
However, our analysis of the video game industry's security practices is in English and is available here: final presentation (same license).